CVE-2026-33663: CWE-639: Authorization Bypass Through User-Controlled Key in n8n-io n8n
n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with the `global:member` role could exploit chained authorization flaws in n8n's credential pipeline to steal plaintext secrets from generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) belonging to other users on the same instance. The attack abuses a name-based credential resolution path that does not enforce ownership or project scope, combined with a bypass in the credentials permission checker that causes generic HTTP credential types to be skipped during pre-execution validation. Together, these flaws allow a member-role user to resolve another user's credential ID and execute a workflow that decrypts and uses that credential without authorization. Native integration credential types (e.g. `slackApi`, `openAiApi`, `postgres`) are not affected by this issue. This vulnerability affects Community Edition only. Enterprise Edition has additional permission gates on workflow creation and execution that independently block this attack chain. The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Restrict instance access to fully trusted users only, and/or audit credentials stored on the instance and rotate any generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) that may have been exposed. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
AI Analysis
Technical Summary
CVE-2026-33663 affects n8n, an open-source workflow automation platform widely used for integrating various services. The vulnerability specifically affects the Community Edition prior to versions 1.123.27, 2.13.3, and 2.14.1. It is an authorization bypass through a user-controlled key in the credential pipeline. An authenticated user with the 'global:member' role can chain two flaws: first, a name-based credential resolution path that does not enforce ownership or project scope, allowing the user to reference credentials belonging to others; second, a bypass in the credentials permission checker that skips generic HTTP credential types during pre-execution validation. This combination enables the attacker to resolve another user's credential ID and execute workflows that decrypt and use those credentials without proper authorization. The affected credential types are the generic HTTP credentials httpBasicAuth, httpHeaderAuth, and httpQueryAuth. Importantly, native integration credential types such as slackApi, openAiApi, and postgres are not vulnerable. The Enterprise Edition mitigates this risk through additional permission gates on workflow creation and execution, which block this attack chain. The vulnerability has a CVSS v4.0 score of 8.5, indicating high severity: network attack vector, low attack complexity, only member-role privileges required, and high impact on confidentiality. No public exploits have been reported yet. The recommended remediation is to upgrade to fixed versions 1.123.26, 2.13.3, or 2.14.1 or later. If immediate upgrade is not feasible, administrators should restrict instance access to fully trusted users and audit and rotate any potentially exposed generic HTTP credentials. These mitigations reduce risk but do not fully resolve the vulnerability.
Potential Impact
The vulnerability allows an authenticated user with limited privileges (the global:member role) to access the plaintext secrets of other users' generic HTTP credentials on the same n8n instance. This can lead to unauthorized disclosure of sensitive information such as API keys, authentication headers, or query parameters used in workflows. Attackers can use these stolen credentials to impersonate other users, access external services, or escalate privileges within integrated systems. Since n8n is often used to automate workflows involving critical business applications and cloud services, exposure of these credentials can compromise the confidentiality and potentially the integrity of connected systems. The impact is confined to Community Edition users, as Enterprise Edition includes additional controls. Organizations running vulnerable versions risk insider threats or compromised user accounts leading to data breaches, service disruptions, or lateral movement. The attack requires only member-level authentication and no user interaction, increasing the likelihood of exploitation in multi-tenant or shared environments. Although no exploits are known in the wild yet, the high CVSS score and the low barrier to exploitation make this a significant risk for organizations relying on n8n Community Edition for automation.
Mitigation Recommendations
1. Upgrade n8n Community Edition instances immediately to version 1.123.26, 2.13.3, 2.14.1, or later to apply the official fix.
2. If upgrading is not immediately possible, restrict access to the n8n instance to fully trusted users only, minimizing the risk of malicious insiders exploiting the vulnerability.
3. Audit all generic HTTP credentials (httpBasicAuth, httpHeaderAuth, httpQueryAuth) stored on the instance and rotate any that may have been exposed or are in use by multiple users.
4. Implement strict role-based access controls and monitor user activities for unusual workflow executions that may indicate abuse of credentials.
5. Consider migrating sensitive workflows to the Enterprise Edition, which includes additional permission gates preventing this attack chain.
6. Regularly review and update credential management policies to avoid sharing or reusing generic HTTP credentials across users.
7. Enable detailed logging and alerting on credential access and workflow executions to detect potential exploitation attempts.
8. Educate users about the risks of credential exposure and encourage prompt reporting of suspicious activities.
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, India, Japan, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T15:23:42.219Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c41f52f4197a8e3b733a34
Added to database: 3/25/2026, 5:45:54 PM
Last enriched: 3/25/2026, 6:01:05 PM
Last updated: 3/26/2026, 5:40:18 AM