CVE-2026-33663 — CRITICAL (CVSS 10.0)

Q: Is CVE-2026-33663 actively exploited?

No confirmed active exploitation of CVE-2026-33663 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-33663?

1. PATCH: Upgrade to n8n 1.123.27 (v1 LTS), 2.13.3, or 2.14.1. These are the only full remediations. 2. ROTATE: Immediately rotate all httpBasicAuth, httpHeaderAuth, and httpQueryAuth credentials stored on the instance — assume they are compromised if the instance has had non-owner members. 3. AUDIT: Review n8n execution logs for unexpected workflow executions by member-role users against credentials they do not own. 4. RESTRICT (if patch delayed): Limit instance access to fully trusted users only; remove or suspend member-role accounts that are not operationally required. 5. DETECT: Alert on workflow executions that reference credentials not owned by the executing user's project; monitor downstream services (OpenAI, Slack, etc.) for unusual API activity. 6. ENTERPRISE: If on Community Edition with multi-user requirements, evaluate migration to Enterprise Edition which has additional permission gates that independently block this attack chain.

Q: What systems are affected by CVE-2026-33663?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Workflow automation / orchestration, API integrations, Multi-tenant LLM pipelines, RAG pipelines with external data connectors.

Q: What is the CVSS score for CVE-2026-33663?

CVE-2026-33663 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.02%.

CISO Take

Any authenticated member on a Community Edition n8n instance can exfiltrate plaintext HTTP credentials (API keys, passwords, bearer tokens) belonging to other users via a chained authorization flaw — no admin needed, no interaction from the victim. Upgrade immediately to n8n 1.123.27, 2.13.3, or 2.14.1 and rotate all httpBasicAuth, httpHeaderAuth, and httpQueryAuth credentials stored on the instance regardless of upgrade timing. Enterprise Edition is not affected.

What is the risk?

CVSS 10.0 with network attack vector, low complexity, and no user interaction makes this maximally exploitable. The attack requires only a valid member account — the lowest trust level on the platform. While EPSS (0.00019) is low at time of publication, the technique is simple enough that any member who reads the advisory can reproduce it. Exposure is high for any organization using n8n Community Edition with multiple users, which is the default deployment model for AI workflow automation teams integrating third-party services.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	< 1.123.27	`1.123.27`
187.3K OpenSSF 6.1 16 dependents Pushed 3d ago 40% patched ~3d to patch Full package profile →

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1

10.0 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 5% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR Low

UI None

S Changed

C High

I High

A High

What should I do?

6 steps

PATCH

Upgrade to n8n 1.123.27 (v1 LTS), 2.13.3, or 2.14.1. These are the only full remediations.
ROTATE

Immediately rotate all httpBasicAuth, httpHeaderAuth, and httpQueryAuth credentials stored on the instance — assume they are compromised if the instance has had non-owner members.
AUDIT

Review n8n execution logs for unexpected workflow executions by member-role users against credentials they do not own.
RESTRICT (if patch delayed): Limit instance access to fully trusted users only; remove or suspend member-role accounts that are not operationally required.
DETECT

Alert on workflow executions that reference credentials not owned by the executing user's project; monitor downstream services (OpenAI, Slack, etc.) for unusual API activity.
ENTERPRISE

If on Community Edition with multi-user requirements, evaluate migration to Enterprise Edition which has additional permission gates that independently block this attack chain.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Auth Bypass Data Extraction Data Leakage Agent Framework API AML.T0012 - Valid Accounts AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration AML.T0085.001 - AI Agent Tools AML.T0106 - Exploitation for Credential Access

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, Robustness and Cybersecurity Art. 9 - Risk Management System

ISO 42001

A.6.1.2 - Information access restriction A.9.4 - AI system security

NIST AI RMF

GOVERN-1.7 - Processes and procedures are in place for decommissioning and phasing out AI systems MANAGE-2.2 - Mechanisms to sustain deployment-phase AI risk management

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-33663?

Any authenticated member on a Community Edition n8n instance can exfiltrate plaintext HTTP credentials (API keys, passwords, bearer tokens) belonging to other users via a chained authorization flaw — no admin needed, no interaction from the victim. Upgrade immediately to n8n 1.123.27, 2.13.3, or 2.14.1 and rotate all httpBasicAuth, httpHeaderAuth, and httpQueryAuth credentials stored on the instance regardless of upgrade timing. Enterprise Edition is not affected.

Is CVE-2026-33663 actively exploited?

No confirmed active exploitation of CVE-2026-33663 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-33663?

1. PATCH: Upgrade to n8n 1.123.27 (v1 LTS), 2.13.3, or 2.14.1. These are the only full remediations. 2. ROTATE: Immediately rotate all httpBasicAuth, httpHeaderAuth, and httpQueryAuth credentials stored on the instance — assume they are compromised if the instance has had non-owner members. 3. AUDIT: Review n8n execution logs for unexpected workflow executions by member-role users against credentials they do not own. 4. RESTRICT (if patch delayed): Limit instance access to fully trusted users only; remove or suspend member-role accounts that are not operationally required. 5. DETECT: Alert on workflow executions that reference credentials not owned by the executing user's project; monitor downstream services (OpenAI, Slack, etc.) for unusual API activity. 6. ENTERPRISE: If on Community Edition with multi-user requirements, evaluate migration to Enterprise Edition which has additional permission gates that independently block this attack chain.

What systems are affected by CVE-2026-33663?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Workflow automation / orchestration, API integrations, Multi-tenant LLM pipelines, RAG pipelines with external data connectors.

What is the CVSS score for CVE-2026-33663?

CVE-2026-33663 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with the `global:member` role could exploit chained authorization flaws in n8n's credential pipeline to steal plaintext secrets from generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) belonging to other users on the same instance. The attack abuses a name-based credential resolution path that does not enforce ownership or project scope, combined with a bypass in the credentials permission checker that causes generic HTTP credential types to be skipped during pre-execution validation. Together, these flaws allow a member-role user to resolve another user's credential ID and execute a workflow that decrypts and uses that credential without authorization. Native integration credential types (e.g. `slackApi`, `openAiApi`, `postgres`) are not affected by this issue. This vulnerability affects Community Edition only. Enterprise Edition has additional permission gates on workflow creation and execution that independently block this attack chain. The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Restrict instance access to fully trusted users only, and/or audit credentials stored on the instance and rotate any generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) that may have been exposed. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

A malicious insider or compromised member account on a shared n8n Community Edition instance used for AI pipeline orchestration performs the following: (1) Enumerates credential names via the n8n UI (names are visible to all users); (2) Constructs a minimal workflow using a generic HTTP Request node, referencing the victim's httpHeaderAuth credential by name via the name-based resolution path; (3) Executes the workflow — the credentials permission checker skips validation for generic HTTP credential types, so the credential is resolved and decrypted without ownership enforcement; (4) The plaintext Authorization header or API key appears in the workflow execution output, exfiltrated to an attacker-controlled endpoint. The entire attack requires no special tooling, no elevated privileges, and no victim interaction — only a browser and a member account.