AI Threat Alert

CVE-2026-33722: n8n: secrets vault bypass exposes credentials to low-priv users

GHSA-fxcw-h3qj-8m8p MEDIUM
Published March 25, 2026
CISO Take

Any authenticated n8n user can retrieve plaintext secrets from connected vaults (HashiCorp Vault, AWS Secrets Manager, etc.) by referencing secret names in a credential — bypassing the explicit list-secrets permission. In AI-heavy deployments, this typically means LLM API keys (OpenAI, Anthropic, Azure OpenAI), vector DB credentials, and service tokens are at risk. Patch to 1.123.23+ or 2.6.4+ immediately; if that's not possible, disable external secrets integration and restrict n8n access to admin/owner roles only.

What is the risk?

CVSS 5.3 understates operational risk for AI environments. The AC:H component reflects the need to know or guess a secret name — but in n8n workflows, secret names are frequently predictable conventions (OPENAI_API_KEY, LANGCHAIN_API_KEY, DATABASE_URL). C:H (full confidentiality impact) with PR:L means any contractor or developer with a basic n8n login can exfiltrate high-value API credentials. Organizations using n8n as an AI orchestration layer with connected vaults face credential compromise that could cascade to LLM abuse, data exfiltration from RAG pipelines, or unauthorized access to downstream AI services. No active exploitation observed; EPSS remains near-zero.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
n8n npm < 1.123.23 1.123.23
187.3K OpenSSF 6.1 16 dependents Pushed 3d ago 40% patched ~3d to patch Full package profile →

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1
5.3 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 3% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV AC PR UI S C I A
AV Network
AC High
PR Low
UI None
S Unchanged
C High
I None
A None

What should I do?

5 steps

  1. PATCH

    Upgrade to n8n 1.123.23 or 2.6.4 as soon as possible — no functional workaround fully closes the exposure.

  2. ROTATE

    Assume any secrets accessible via external vault integration may be compromised; rotate LLM API keys, DB credentials, and service tokens proactively.

  3. AUDIT

    Review n8n credential logs and vault access logs for unexpected retrievals by non-admin users.

  4. IF UNPATCHED

    Disable external secrets integration in n8n settings, or restrict instance access to admin/owner roles only — note this does not fully remediate per vendor advisory.

  5. DETECT

    Alert on credential save events by non-privileged n8n users; monitor for anomalous API usage patterns on connected LLM/AI service accounts.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Auth Bypass Data Extraction Data Leakage Agent Framework API AML.T0012 AML.T0049 AML.T0055 AML.T0083 AML.T0106

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.2 - Access control for AI systems and resources A.9.4 - Protection of AI system confidentiality
NIST AI RMF
GOVERN 6.1 - Policies and procedures are in place for AI risk management MANAGE 2.2 - Mechanisms are in place to identify and respond to AI risks
OWASP LLM Top 10
LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-33722?

Any authenticated n8n user can retrieve plaintext secrets from connected vaults (HashiCorp Vault, AWS Secrets Manager, etc.) by referencing secret names in a credential — bypassing the explicit list-secrets permission. In AI-heavy deployments, this typically means LLM API keys (OpenAI, Anthropic, Azure OpenAI), vector DB credentials, and service tokens are at risk. Patch to 1.123.23+ or 2.6.4+ immediately; if that's not possible, disable external secrets integration and restrict n8n access to admin/owner roles only.

Is CVE-2026-33722 actively exploited?

No confirmed active exploitation of CVE-2026-33722 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-33722?

1. PATCH: Upgrade to n8n 1.123.23 or 2.6.4 as soon as possible — no functional workaround fully closes the exposure. 2. ROTATE: Assume any secrets accessible via external vault integration may be compromised; rotate LLM API keys, DB credentials, and service tokens proactively. 3. AUDIT: Review n8n credential logs and vault access logs for unexpected retrievals by non-admin users. 4. IF UNPATCHED: Disable external secrets integration in n8n settings, or restrict instance access to admin/owner roles only — note this does not fully remediate per vendor advisory. 5. DETECT: Alert on credential save events by non-privileged n8n users; monitor for anomalous API usage patterns on connected LLM/AI service accounts.

What systems are affected by CVE-2026-33722?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation, AI API integrations, secrets management, RAG pipelines.

What is the CVSS score for CVE-2026-33722?

CVE-2026-33722 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to versions 2.6.4 and 1.123.23, an authenticated user without permission to list external secrets could reference a secret by the external name in a credential and retrieve its plaintext value when saving the credential. This bypassed the `externalSecret:list` permission check and allowed access to secrets stored in connected vaults without admin or owner privileges. This issue requires the instance to have an external secrets vault configured. The attacker must know or be able to guess the name of a target secret. The issue has been fixed in n8n versions 1.123.23 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Restrict n8n access to fully trusted users only, and/or disable external secrets integration until the patch can be applied. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An attacker with a low-privilege n8n account — a contractor, intern, or compromised developer credential — navigates to credential creation. They craft a credential that references an external secret by its likely name (e.g., 'OPENAI_API_KEY', 'PINECONE_API_KEY', 'ANTHROPIC_API_KEY'). Upon saving, n8n resolves the secret name against the connected vault and returns the plaintext value in the API response — bypassing the externalSecret:list permission check entirely. The attacker retrieves the plaintext credentials from the response, then uses them independently: burning through LLM API quotas, querying vector databases for sensitive indexed documents, or selling credentials. Since the operation mirrors a normal workflow configuration action, it generates minimal suspicious log noise.

Weaknesses (CWE)

CWE-863 Primary CWE-863 Incorrect Authorization Primary

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published
March 25, 2026
Last Modified
March 27, 2026
First Seen
March 25, 2026

Related Vulnerabilities

CRITICAL CVE-2026-33663 10.0

n8n: member role steals plaintext HTTP credentials

Same package: n8n
CRITICAL CVE-2026-33660 10.0

TensorFlow: type confusion NPD in tensor conversion

Same package: n8n
CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same package: n8n
CRITICAL CVE-2026-27577 9.9

n8n: Code Injection enables RCE

Same package: n8n
CRITICAL CVE-2026-27494 9.9

n8n: security flaw enables exploitation

Same package: n8n
Back to Threat Feed