PT-2026-36899 · N8N · N8N

Jjjutla +1

Published: 2026-04-22 · Updated: 2026-05-05

CVE-2026-42227

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

n8n versions prior to 1.123.32
n8n versions prior to 2.17.4
n8n versions prior to 2.18.1

Description

An authenticated user holding a valid API key scoped to variable:list can read variables from projects they are not a member of. The read is triggered by supplying an arbitrary projectId query parameter to the public API variables endpoint. The handler queries the variables repository directly, bypassing the authorization-aware service layer that the internal enterprise controller uses, so no project membership check is enforced. This issue specifically affects licensed enterprise or team deployments with multiple projects and the variables feature enabled.

Recommendations

Update to version 1.123.32. Update to version 2.17.4. Update to version 2.18.1. Rotate any credentials or tokens immediately if they were stored as variables and potentially exposed.
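The access-control gap described above, as an added illustration that is not n8n's code: a handler that checks only the API key scope and passes the caller-supplied projectId straight to the repository, next to a handler that first runs the same project membership check the service layer enforces. The repository, user, scope and membership shapes are constructed assumptions.

```typescript
// Constructed model of the IDOR pattern; not n8n's own types or handlers.
type Variable = { id: string; key: string; value: string; projectId: string };
type User = { id: string; scopes: string[] };

// Constructed sample data: two projects, user u1 is a member of p1 only.
const variables: Variable[] = [
  { id: "v1", key: "DB_PASS", value: "secret-p1", projectId: "p1" },
  { id: "v2", key: "API_TOKEN", value: "secret-p2", projectId: "p2" },
];
const projectMembers: Record<string, string[]> = { p1: ["u1"], p2: ["u2"] };

class ForbiddenError extends Error {}

// Repository layer: filters by projectId and knows nothing about the caller.
function findByProject(projectId: string): Variable[] {
  return variables.filter((v) => v.projectId === projectId);
}

// Vulnerable pattern: scope check only. projectId comes from the query
// string and reaches the repository without any membership check.
function listVariablesVulnerable(user: User, query: { projectId: string }): Variable[] {
  if (!user.scopes.includes("variable:list")) throw new ForbiddenError("missing scope");
  return findByProject(query.projectId);
}

// Authorization-aware step: the membership check that must run before
// any repository access, the same way the internal controller does it.
function assertProjectMember(user: User, projectId: string): void {
  if (!(projectMembers[projectId] ?? []).includes(user.id)) {
    throw new ForbiddenError(`user ${user.id} is not a member of ${projectId}`);
  }
}

// Hardened handler: scope check, then membership check, then repository.
function listVariablesFixed(user: User, query: { projectId: string }): Variable[] {
  if (!user.scopes.includes("variable:list")) throw new ForbiddenError("missing scope");
  assertProjectMember(user, query.projectId);
  return findByProject(query.projectId);
}
```

A scope like variable:list says what kind of operation the key may perform; it says nothing about which projects, so the object-level check has to be applied per request.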

Fix

IDOR

Weakness Enumeration

Related Identifiers

BDU:2026-06982
CVE-2026-42227
GHSA-756Q-GQ9H-FP22

Affected Products

N8N