Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-38wy-4z9b-gfeh
Vulnerability ID VCID-38wy-4z9b-gfeh
Aliases CVE-2026-33663
GHSA-m63j-689w-3j35
Summary n8n is Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition ## Impact An authenticated user with the `global:member` role could exploit chained authorization flaws in n8n's credential pipeline to steal plaintext secrets from generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) belonging to other users on the same instance. The attack abuses a name-based credential resolution path that does not enforce ownership or project scope, combined with a bypass in the credentials permission checker that causes generic HTTP credential types to be skipped during pre-execution validation. Together, these flaws allow a member-role user to resolve another user's credential ID and execute a workflow that decrypts and uses that credential without authorization. Native integration credential types (e.g. `slackApi`, `openAiApi`, `postgres`) are not affected by this issue. This vulnerability affects Community Edition only. Enterprise Edition has additional permission gates on workflow creation and execution that independently block this attack chain. ## Patches The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. ## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Restrict instance access to fully trusted users only. - Audit credentials stored on the instance and rotate any generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) that may have been exposed. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Status Published
Exploitability 0.5
Weighted Severity 8.9
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-639 Authorization Bypass Through User-Controlled Key
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00022 https://api.first.org/data/v1/epss?cve=CVE-2026-33663
cvssv3.1 9.9 https://github.com/n8n-io/n8n
cvssv4 8.5 https://github.com/n8n-io/n8n
generic_textual HIGH https://github.com/n8n-io/n8n
cvssv3.1 9.9 https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35
cvssv4 8.5 https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35
generic_textual HIGH https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35
ssvc Track https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35
cvssv3.1 9.9 https://nvd.nist.gov/vuln/detail/CVE-2026-33663
cvssv4 8.5 https://nvd.nist.gov/vuln/detail/CVE-2026-33663
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-33663
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-33663
https://github.com/n8n-io/n8n
https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35
https://nvd.nist.gov/vuln/detail/CVE-2026-33663
GHSA-m63j-689w-3j35 https://github.com/advisories/GHSA-m63j-689w-3j35
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/n8n-io/n8n
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H Found at https://github.com/n8n-io/n8n
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H Found at https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T17:51:35Z/ Found at https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-33663
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-33663
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.06451
EPSS Score 0.00022
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:59:38.368691+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-m63j-689w-3j35/GHSA-m63j-689w-3j35.json 38.6.0