CVE-2026-42227: CWE-639: Authorization Bypass Through User-Controlled Key in n8n-io n8n
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API variables endpoint. The handler queried the variables repository directly without enforcing project membership checks, bypassing the authorization-aware service layer used by the internal enterprise controller. If variables were misused to store sensitive information such as credentials or tokens, they should be rotated immediately. This issue only affects licensed enterprise or team deployments with multiple projects and the variables feature enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
AI Analysis
Technical Summary
CVE-2026-42227 is an authorization bypass vulnerability in the n8n workflow automation platform affecting versions prior to 1.123.32, 2.17.4, and 2.18.1. The flaw allows an authenticated user with a variable:list scoped API key to access variables from projects they are not members of by supplying an arbitrary projectId parameter to the public API variables endpoint. The root cause is that the handler bypassed the authorization-aware service layer and queried the variables repository directly without verifying project membership. This vulnerability only impacts licensed enterprise or team deployments with multiple projects and the variables feature enabled. The vulnerability has been addressed in the specified patched versions.
Potential Impact
An authenticated user with limited API key permissions could access variables belonging to other projects, potentially exposing sensitive information such as credentials or tokens stored in those variables. This could lead to unauthorized disclosure of sensitive data within affected enterprise or team deployments. There is no indication of remote unauthenticated exploitation or privilege escalation beyond the scope of the API key. No known exploits in the wild have been reported.
Mitigation Recommendations
This vulnerability has been patched in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users of affected versions should upgrade to these or later versions to remediate the issue. Additionally, if sensitive information was stored in variables, such as credentials or tokens, those secrets should be rotated immediately. Since this issue only affects licensed enterprise or team deployments with multiple projects and the variables feature enabled, users outside this scope are not impacted.
CVE-2026-42227: CWE-639: Authorization Bypass Through User-Controlled Key in n8n-io n8n
Description
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API variables endpoint. The handler queried the variables repository directly without enforcing project membership checks, bypassing the authorization-aware service layer used by the internal enterprise controller. If variables were misused to store sensitive information such as credentials or tokens, they should be rotated immediately. This issue only affects licensed enterprise or team deployments with multiple projects and the variables feature enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-42227 is an authorization bypass vulnerability in the n8n workflow automation platform affecting versions prior to 1.123.32, 2.17.4, and 2.18.1. The flaw allows an authenticated user with a variable:list scoped API key to access variables from projects they are not members of by supplying an arbitrary projectId parameter to the public API variables endpoint. The root cause is that the handler bypassed the authorization-aware service layer and queried the variables repository directly without verifying project membership. This vulnerability only impacts licensed enterprise or team deployments with multiple projects and the variables feature enabled. The vulnerability has been addressed in the specified patched versions.
Potential Impact
An authenticated user with limited API key permissions could access variables belonging to other projects, potentially exposing sensitive information such as credentials or tokens stored in those variables. This could lead to unauthorized disclosure of sensitive data within affected enterprise or team deployments. There is no indication of remote unauthenticated exploitation or privilege escalation beyond the scope of the API key. No known exploits in the wild have been reported.
Mitigation Recommendations
This vulnerability has been patched in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users of affected versions should upgrade to these or later versions to remediate the issue. Additionally, if sensitive information was stored in variables, such as credentials or tokens, those secrets should be rotated immediately. Since this issue only affects licensed enterprise or team deployments with multiple projects and the variables feature enabled, users outside this scope are not impacted.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-25T05:37:12.117Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f8eaaecbff5d8610415af0
Added to database: 5/4/2026, 6:51:26 PM
Last enriched: 5/4/2026, 7:07:20 PM
Last updated: 5/5/2026, 5:55:50 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.