CVE-2026-33663: n8n member role steals plaintext

Q: Is CVE-2026-33663 actively exploited?

No confirmed active exploitation of CVE-2026-33663 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-33663?

1. PATCH: Upgrade to n8n 1.123.27 (v1 LTS), 2.13.3, or 2.14.1. These are the only full remediations. 2. ROTATE: Immediately rotate all httpBasicAuth, httpHeaderAuth, and httpQueryAuth credentials stored on the instance — assume they are compromised if the instance has had non-owner members. 3. AUDIT: Review n8n execution logs for unexpected workflow executions by member-role users against credentials they do not own. 4. RESTRICT (if patch delayed): Limit instance access to fully trusted users only; remove or suspend member-role accounts that are not operationally required. 5. DETECT: Alert on workflow executions that reference credentials not owned by the executing user's project; monitor downstream services (OpenAI, Slack, etc.) for unusual API activity. 6. ENTERPRISE: If on Community Edition with multi-user requirements, evaluate migration to Enterprise Edition which has additional permission gates that independently block this attack chain.

Q: What systems are affected by CVE-2026-33663?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Workflow automation / orchestration, API integrations, Multi-tenant LLM pipelines, RAG pipelines with external data connectors.

Q: What is the CVSS score for CVE-2026-33663?

CVE-2026-33663 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.39%.

CISO Take

Any authenticated member on a Community Edition n8n instance can exfiltrate plaintext HTTP credentials (API keys, passwords, bearer tokens) belonging to other users via a chained authorization flaw — no admin needed, no interaction from the victim. Upgrade immediately to n8n 1.123.27, 2.13.3, or 2.14.1 and rotate all httpBasicAuth, httpHeaderAuth, and httpQueryAuth credentials stored on the instance regardless of upgrade timing. Enterprise Edition is not affected.

What is the risk?

CVSS 10.0 with network attack vector, low complexity, and no user interaction makes this maximally exploitable. The attack requires only a valid member account — the lowest trust level on the platform. While EPSS (0.00019) is low at time of publication, the technique is simple enough that any member who reads the advisory can reproduce it. Exposure is high for any organization using n8n Community Edition with multiple users, which is the default deployment model for AI workflow automation teams integrating third-party services.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	< 1.123.27	`1.123.27`
193.4K OpenSSF 6.6 Pushed 7d ago 54% patched ~7d to patch Full package profile →

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1

10.0 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 31% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Changed

C High

I High

A High

What should I do?

6 steps

PATCH

Upgrade to n8n 1.123.27 (v1 LTS), 2.13.3, or 2.14.1. These are the only full remediations.
ROTATE

Immediately rotate all httpBasicAuth, httpHeaderAuth, and httpQueryAuth credentials stored on the instance — assume they are compromised if the instance has had non-owner members.
AUDIT

Review n8n execution logs for unexpected workflow executions by member-role users against credentials they do not own.
RESTRICT (if patch delayed): Limit instance access to fully trusted users only; remove or suspend member-role accounts that are not operationally required.
DETECT

Alert on workflow executions that reference credentials not owned by the executing user's project; monitor downstream services (OpenAI, Slack, etc.) for unusual API activity.
ENTERPRISE

If on Community Edition with multi-user requirements, evaluate migration to Enterprise Edition which has additional permission gates that independently block this attack chain.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Auth Bypass Data Extraction Data Leakage Agent Framework API AML.T0012 - Valid Accounts AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration AML.T0085.001 - AI Agent Tools AML.T0106 - Exploitation for Credential Access

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, Robustness and Cybersecurity Art. 9 - Risk Management System

ISO 42001

A.6.1.2 - Information access restriction A.9.4 - AI system security

NIST AI RMF

GOVERN-1.7 - Processes and procedures are in place for decommissioning and phasing out AI systems MANAGE-2.2 - Mechanisms to sustain deployment-phase AI risk management

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-33663?

Any authenticated member on a Community Edition n8n instance can exfiltrate plaintext HTTP credentials (API keys, passwords, bearer tokens) belonging to other users via a chained authorization flaw — no admin needed, no interaction from the victim. Upgrade immediately to n8n 1.123.27, 2.13.3, or 2.14.1 and rotate all httpBasicAuth, httpHeaderAuth, and httpQueryAuth credentials stored on the instance regardless of upgrade timing. Enterprise Edition is not affected.

Is CVE-2026-33663 actively exploited?

No confirmed active exploitation of CVE-2026-33663 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-33663?

1. PATCH: Upgrade to n8n 1.123.27 (v1 LTS), 2.13.3, or 2.14.1. These are the only full remediations. 2. ROTATE: Immediately rotate all httpBasicAuth, httpHeaderAuth, and httpQueryAuth credentials stored on the instance — assume they are compromised if the instance has had non-owner members. 3. AUDIT: Review n8n execution logs for unexpected workflow executions by member-role users against credentials they do not own. 4. RESTRICT (if patch delayed): Limit instance access to fully trusted users only; remove or suspend member-role accounts that are not operationally required. 5. DETECT: Alert on workflow executions that reference credentials not owned by the executing user's project; monitor downstream services (OpenAI, Slack, etc.) for unusual API activity. 6. ENTERPRISE: If on Community Edition with multi-user requirements, evaluate migration to Enterprise Edition which has additional permission gates that independently block this attack chain.

What systems are affected by CVE-2026-33663?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Workflow automation / orchestration, API integrations, Multi-tenant LLM pipelines, RAG pipelines with external data connectors.

What is the CVSS score for CVE-2026-33663?

CVE-2026-33663 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.39%.

What is the AI security impact?

Affected AI Architectures

AI agent frameworksWorkflow automation / orchestrationAPI integrationsMulti-tenant LLM pipelinesRAG pipelines with external data connectors

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0053 AI Agent Tool Invocation

AML.T0055 Unsecured Credentials

AML.T0083 Credentials from AI Agent Configuration

AML.T0085.001 AI Agent Tools

AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Art. 15, Art. 9

ISO 42001: A.6.1.2, A.9.4

NIST AI RMF: GOVERN-1.7, MANAGE-2.2

OWASP LLM Top 10: LLM02, LLM06

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with the `global:member` role could exploit chained authorization flaws in n8n's credential pipeline to steal plaintext secrets from generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) belonging to other users on the same instance. The attack abuses a name-based credential resolution path that does not enforce ownership or project scope, combined with a bypass in the credentials permission checker that causes generic HTTP credential types to be skipped during pre-execution validation. Together, these flaws allow a member-role user to resolve another user's credential ID and execute a workflow that decrypts and uses that credential without authorization. Native integration credential types (e.g. `slackApi`, `openAiApi`, `postgres`) are not affected by this issue. This vulnerability affects Community Edition only. Enterprise Edition has additional permission gates on workflow creation and execution that independently block this attack chain. The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Restrict instance access to fully trusted users only, and/or audit credentials stored on the instance and rotate any generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) that may have been exposed. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

A malicious insider or compromised member account on a shared n8n Community Edition instance used for AI pipeline orchestration performs the following: (1) Enumerates credential names via the n8n UI (names are visible to all users); (2) Constructs a minimal workflow using a generic HTTP Request node, referencing the victim's httpHeaderAuth credential by name via the name-based resolution path; (3) Executes the workflow — the credentials permission checker skips validation for generic HTTP credential types, so the credential is resolved and decrypted without ownership enforcement; (4) The plaintext Authorization header or API key appears in the workflow execution output, exfiltrated to an attacker-controlled endpoint. The entire attack requires no special tooling, no elevated privileges, and no victim interaction — only a browser and a member account.

Weaknesses (CWE)

CWE-639 Authorization Bypass Through User-Controlled Key Primary CWE-639 Authorization Bypass Through User-Controlled Key Primary

CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

[Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
[Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Source: MITRE CWE corpus.