CVE-2026-59259 in n8n
Summary
by MITRE • 07/15/2026
n8n before versions 1.123.61, 2.27.4, and 2.28.1 contains a permission bypass vulnerability in external secrets handling caused by a mismatch between the static validation check and the runtime expression engine. An authenticated user with credential create or update permissions but without the externalSecret:list scope can embed external secret references into credentials in forms the static validation does not detect; these references resolve at workflow execution time, exposing secret values the user is not authorized to access. This issue only affects instances where an external secrets provider is configured and Advanced Permissions are in use.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
This vulnerability represents a critical permission bypass flaw in n8n workflow automation platform that undermines the security model when external secrets integration is enabled. The issue stems from a fundamental inconsistency between static validation mechanisms and runtime execution behavior, creating a dangerous gap where unauthorized access to sensitive data can occur. The vulnerability specifically affects versions prior to 1.123.61, 2.27.4, and 2.28.1, indicating this was a recognized security flaw that required immediate patching. When external secrets providers are configured within the platform and Advanced Permissions are enabled, authenticated users can exploit this weakness through credential manipulation.
The technical exploitation occurs through a mismatch in validation logic where static checks fail to detect malicious credential configurations that are subsequently resolved at runtime. An attacker with minimal privileges - specifically those possessing credential create or update permissions but lacking the externalSecret:list scope - can embed references to external secrets within credential forms. These embedded references pass initial static validation checks because the system's pre-execution verification does not properly account for dynamic expression resolution patterns. However, during actual workflow execution, these references are resolved and expose secret values that should remain inaccessible to the unauthorized user, effectively bypassing intended access controls.
This vulnerability directly relates to CWE-284 which addresses improper access control mechanisms, specifically targeting weaknesses in authorization enforcement. The flaw demonstrates how static analysis validation can be circumvented by runtime expression evaluation, creating a pathway for privilege escalation through seemingly innocuous credential modifications. From an operational perspective, this issue poses significant risk to organizations relying on n8n for workflow automation, particularly those handling sensitive data where external secrets integration is employed. The impact extends beyond simple information disclosure as it allows unauthorized users to gain access to potentially critical system credentials, API keys, or other sensitive materials stored in external secret management systems.
The vulnerability's exploitation requires specific environmental conditions including the presence of configured external secrets providers and the activation of Advanced Permissions within n8n. This constraint limits the attack surface but does not eliminate the risk entirely, as organizations with these configurations face potential exposure when users possess credential modification privileges. The issue highlights a broader class of problems in modern security systems where static validation cannot adequately account for dynamic runtime behavior, particularly in platforms that support expression-based configuration and workflow automation. Organizations should immediately implement the available patches to address this vulnerability and consider reviewing their external secrets integration policies to minimize potential exposure.
From an ATT&CK framework perspective, this vulnerability maps to privilege escalation techniques through credential manipulation and access control bypass methods. The attack vector leverages legitimate platform functionality while exploiting implementation gaps in authorization enforcement mechanisms. Security teams should monitor for unusual credential modification patterns and implement additional logging around external secret references within credential configurations to detect potential exploitation attempts. The fix implemented in the patched versions addresses the validation mismatch by ensuring static checks properly account for runtime expression resolution, thereby maintaining consistent access control enforcement throughout the credential lifecycle.