CVE-2026-42227: CWE-639: Authorization Bypass Through User-Controlled Key in n8n-io n8n
CVE-2026-42227 is an authorization bypass vulnerability in the n8n workflow automation platform affecting certain enterprise and team deployments with multiple projects and the variables feature enabled. Authenticated users with a valid API key scoped to variable:list could read variables from projects they do not belong to by manipulating the projectId query parameter. This occurs because the API endpoint queried the variables repository directly without enforcing project membership checks. The vulnerability was patched in versions 1.123.32, 2.17.4, and 2.18.1.
AI Analysis
Technical Summary
The vulnerability in n8n prior to versions 1.123.32, 2.17.4, and 2.18.1 allows an authenticated user with a valid API key scoped to variable:list to bypass authorization controls by supplying an arbitrary projectId parameter to the public API variables endpoint. The handler bypassed the authorization-aware service layer by querying the variables repository directly without verifying project membership. This flaw affects licensed enterprise or team deployments with multiple projects and the variables feature enabled. The issue has been addressed in the specified patched versions.
Potential Impact
An authenticated user with limited API key permissions could access variables belonging to projects they are not members of. If these variables contain sensitive data such as credentials or tokens, unauthorized disclosure could occur. This could lead to credential compromise or unauthorized access to other systems if such secrets are reused. The impact is limited to deployments using the variables feature in multi-project enterprise or team environments.
Mitigation Recommendations
This vulnerability has been patched in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to these or later versions to remediate the issue. Additionally, if sensitive information was stored in variables, it is recommended to rotate those credentials or tokens immediately. No vendor advisory indicates alternative mitigations or that no action is required.
CVE-2026-42227: CWE-639: Authorization Bypass Through User-Controlled Key in n8n-io n8n
Description
CVE-2026-42227 is an authorization bypass vulnerability in the n8n workflow automation platform affecting certain enterprise and team deployments with multiple projects and the variables feature enabled. Authenticated users with a valid API key scoped to variable:list could read variables from projects they do not belong to by manipulating the projectId query parameter. This occurs because the API endpoint queried the variables repository directly without enforcing project membership checks. The vulnerability was patched in versions 1.123.32, 2.17.4, and 2.18.1.
CVSS v4.0
Score 6.0medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in n8n prior to versions 1.123.32, 2.17.4, and 2.18.1 allows an authenticated user with a valid API key scoped to variable:list to bypass authorization controls by supplying an arbitrary projectId parameter to the public API variables endpoint. The handler bypassed the authorization-aware service layer by querying the variables repository directly without verifying project membership. This flaw affects licensed enterprise or team deployments with multiple projects and the variables feature enabled. The issue has been addressed in the specified patched versions.
Potential Impact
An authenticated user with limited API key permissions could access variables belonging to projects they are not members of. If these variables contain sensitive data such as credentials or tokens, unauthorized disclosure could occur. This could lead to credential compromise or unauthorized access to other systems if such secrets are reused. The impact is limited to deployments using the variables feature in multi-project enterprise or team environments.
Mitigation Recommendations
This vulnerability has been patched in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to these or later versions to remediate the issue. Additionally, if sensitive information was stored in variables, it is recommended to rotate those credentials or tokens immediately. No vendor advisory indicates alternative mitigations or that no action is required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-25T05:37:12.117Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f8eaaecbff5d8610415af0
Added to database: 5/4/2026, 6:51:26 PM
Last enriched: 5/12/2026, 6:25:12 AM
Last updated: 6/19/2026, 2:35:19 PM
Views: 52
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.