PT-2026-28075 · N8N · N8N

Tr4Ce-Ju · Published 2026-03-25 · Updated 2026-03-25 · CVE-2026-33663

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
n8n versions prior to 1.123.27
n8n versions prior to 2.13.3
n8n versions prior to 2.14.1

Description
An authenticated user with the global:member role could exploit authorization flaws in n8n's credential pipeline to obtain plaintext secrets from generic HTTP credentials (httpBasicAuth, httpHeaderAuth, httpQueryAuth) belonging to other users on the same instance. The attack exploits a name-based credential resolution path that lacks ownership or project scope enforcement, combined with a bypass in the credentials permission checker that skips validation for generic HTTP credential types. This allows a user with the global:member role to resolve another user's credential ID and execute a workflow that decrypts and uses that credential without authorization. Native integration credential types (e.g., slackApi, openAiApi, postgres) are not affected. This issue impacts only the Community Edition of n8n.

Recommendations
Upgrade to n8n version 1.123.27 or later.
Upgrade to n8n version 2.13.3 or later.
Upgrade to n8n version 2.14.1 or later.
If upgrading is not immediately possible, restrict instance access to fully trusted users only.
If upgrading is not immediately possible, audit credentials stored on the instance and rotate any generic HTTP credentials (httpBasicAuth, httpHeaderAuth, httpQueryAuth) that may have been exposed.
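The two flaws the description names, a name-based credential lookup with no project scope enforcement and a permission checker that skips generic HTTP types, modelled in TypeScript beside a scoped version. This is an added illustration written for this page, not n8n's implementation; the credential store, users, project IDs and the helper names are constructed.

```typescript
// Hypothetical model of the advisory's authorization flaw; not n8n source code.
type CredentialType = "httpBasicAuth" | "httpHeaderAuth" | "httpQueryAuth" | "slackApi" | "openAiApi" | "postgres";
interface Credential { id: string; name: string; type: CredentialType; projectId: string }
interface User { id: string; role: "global:owner" | "global:admin" | "global:member"; projectIds: string[] }

const GENERIC_HTTP_TYPES: ReadonlySet<string> = new Set(["httpBasicAuth", "httpHeaderAuth", "httpQueryAuth"]);

// Constructed sample store: two members, each holding credentials in their own personal project.
const CREDENTIALS: Credential[] = [
  { id: "c-1", name: "Billing API", type: "httpHeaderAuth", projectId: "p-alice" },
  { id: "c-2", name: "Slack bot", type: "slackApi", projectId: "p-alice" },
  { id: "c-3", name: "Internal API", type: "httpBasicAuth", projectId: "p-bob" },
];
const ALICE: User = { id: "u-alice", role: "global:member", projectIds: ["p-alice"] };
const BOB: User = { id: "u-bob", role: "global:member", projectIds: ["p-bob"] };

// Instance owners/admins see everything; members only the projects they belong to.
function hasProjectAccess(user: User, cred: Credential): boolean {
  return user.role !== "global:member" || user.projectIds.includes(cred.projectId);
}

// Vulnerable pattern: the name lookup ignores who is asking, so it resolves any
// user's credential ID, and the checker returns true for generic HTTP types
// before the ownership check runs. Native types still go through the check.
function resolveByNameVulnerable(name: string): Credential | undefined {
  return CREDENTIALS.find((c) => c.name === name);
}
function canUseVulnerable(user: User, cred: Credential): boolean {
  if (GENERIC_HTTP_TYPES.has(cred.type)) return true; // the bypass
  return hasProjectAccess(user, cred);
}

// Hardened pattern: the lookup is filtered by the caller's project access and
// the checker enforces scope for every credential type, with no type exemption.
function resolveByNameScoped(user: User, name: string): Credential | undefined {
  return CREDENTIALS.find((c) => c.name === name && hasProjectAccess(user, c));
}
function canUseScoped(user: User, cred: Credential): boolean {
  return hasProjectAccess(user, cred);
}
```

A code-review check for this class of bug: any branch in a permission checker that returns true keyed on resource type, rather than on the caller's relationship to the resource, is the pattern to flag.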

Exploit · Fix · IDOR

Related Identifiers

CVE-2026-33663
GHSA-M63J-689W-3J35

Affected Products

N8N