CVE-2026-59209 in n8n
Summary
by MITRE • 07/09/2026
n8n is an open source workflow automation platform. Prior to 1.123.61, 2.27.4, and, 2.28.1, an authenticated member with use-only editor access to a shared workflow could read credential-populated headers exposed via the $request object inside an HTTP Request node's pagination expression and exfiltrate the secret through item data. This issue is fixed in versions 1.123.61, 2.27.4, and 2.28.1.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability in n8n workflow automation platform represents a critical privilege escalation and data exfiltration flaw that affects users with limited editor access. This issue stems from insufficient access controls within the HTTP Request node's pagination expression functionality, where credential-populated headers are inadvertently exposed to authenticated users who should only have read-only permissions. The flaw allows attackers to exploit the $request object to access sensitive header information that contains authentication tokens or other confidential data, creating a significant security risk for organizations relying on shared workflow environments.
The technical implementation of this vulnerability occurs within the pagination expression evaluation process where n8n fails to properly sanitize or restrict access to credential data that flows through HTTP headers. When an authenticated user with use-only editor privileges attempts to configure pagination parameters for an HTTP Request node, the system incorrectly exposes header values containing secrets through the item data structure. This exposure happens specifically during the evaluation of pagination expressions where the $request object is processed, allowing attackers to extract sensitive information from headers that should remain protected.
From an operational impact perspective, this vulnerability creates a severe risk for organizations using shared workflows in production environments where multiple team members require different access levels. The flaw undermines the principle of least privilege by allowing users with minimal permissions to escalate their access and potentially gain unauthorized access to systems or data protected by the credentials in question. Security teams face increased risk of credential compromise, potential lateral movement within networks, and unauthorized access to sensitive resources that rely on the exposed authentication headers.
The vulnerability aligns with CWE-284 Access Control issues and maps to ATT&CK technique T1566 Credential Access through the exploitation of insufficient authorization controls. Organizations using n8n versions prior to 1.123.61, 2.27.4, and 2.28.1 should immediately implement mitigations including updating to the patched versions, reviewing access controls for shared workflows, implementing additional monitoring for pagination expression usage, and conducting security audits of existing workflow configurations that may expose sensitive data through HTTP headers. The fix addresses the root cause by properly sanitizing header information in pagination expressions and ensuring that credential data remains restricted to appropriate users with explicit authorization.
This vulnerability demonstrates the importance of proper input validation and access control implementation in workflow automation platforms where multiple users interact with shared resources. Security practitioners should consider implementing additional safeguards such as role-based access controls, automated monitoring for suspicious pagination expression usage, and regular security assessments of workflow configurations to prevent similar issues in other automation platforms. The remediation process requires careful attention to ensure that all affected workflows are updated and that existing credential data is rotated appropriately to prevent exploitation of the vulnerability during the transition period.