CVE-2026-33663 Overview
CVE-2026-33663 is an authorization bypass vulnerability in n8n, an open-source workflow automation platform. An authenticated user holding only the global:member role can chain two authorization flaws in n8n's credential pipeline to read the plaintext secrets of generic HTTP credentials that belong to other users on the same instance.
Critical Impact
Authenticated attackers can exfiltrate plaintext secrets from httpBasicAuth, httpHeaderAuth, and httpQueryAuth credentials owned by other users, potentially leading to unauthorized access to external services and sensitive data exposure.
Affected Products
- n8n 2.14.x prior to 2.14.1
- n8n 2.13.x prior to 2.13.3
- n8n 1.x prior to 1.123.27
Discovery Timeline
- 2026-03-25 - CVE-2026-33663 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33663
Vulnerability Analysis
This vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), manifesting through a combination of two distinct authorization flaws in n8n's credential handling system. The attack chain specifically targets generic HTTP credential types (httpBasicAuth, httpHeaderAuth, httpQueryAuth) and requires only member-level authentication to execute.
The vulnerability is limited to the n8n Community Edition. The Enterprise Edition includes additional permission gates on workflow creation and execution that independently block this attack chain, providing defense-in-depth against this class of authorization bypass.
Native integration credential types such as slackApi, openAiApi, and postgres are not affected by this issue due to different validation paths in the credential handling code.
Root Cause
The root cause is two interconnected flaws in the credential pipeline:
- Name-based credential resolution: the code path that resolves a credential reference by name does not enforce ownership or project scope, so a caller can turn the name of another user's credential into that credential's ID.
- Permission checker bypass: the pre-execution credentials permission checker skips generic HTTP credential types, so it never verifies that the executing user is allowed to use the credential ID the workflow references.
Chained together, these flaws let a member-role user resolve another user's credential ID and then execute a workflow that decrypts and uses that credential without any authorization check being applied.
Attack Vector
The attack is network-accessible and requires low privileges (authenticated global:member role) with no user interaction needed. An attacker exploits the vulnerability through the following general approach:
- The attacker, authenticated as a global:member user, identifies or guesses the name of a generic HTTP credential belonging to another user
- Through the flawed name-based resolution mechanism, the attacker resolves the target credential's ID
- The attacker creates and executes a workflow that references this credential ID
- Due to the permission checker bypass for generic HTTP credential types, the pre-execution validation fails to block unauthorized access
- The workflow executes, decrypting and using the victim's credential, allowing the attacker to capture the plaintext secrets
For detailed technical information about the exploitation mechanics, refer to the GitHub Security Advisory.
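The following TypeScript is an added illustration of the two chained flaws and their fixes; it is not n8n's code, and the credential store, user names, secrets and function names are all constructed for the example. It models a minimal credential pipeline (name-to-ID resolution, a pre-execution permission check, then decryption) and runs a member user's request through the vulnerable and the hardened variants.

```typescript
// Added illustration (not n8n's code) of the two chained flaws: unscoped
// name-based resolution plus a permission check that skips generic HTTP types.
// The store, user names and secrets below are constructed for this example.

type CredType = 'httpBasicAuth' | 'httpHeaderAuth' | 'httpQueryAuth' | 'slackApi';

interface StoredCredential {
  id: string;
  name: string;
  type: CredType;
  ownerId: string;        // owning user
  sharedWith: string[];   // users the owner explicitly shared it with
  secret: string;         // stands in for the encrypted payload
}

// A node's credential reference as it appears in workflow JSON: {type: {id, name}}.
interface CredRef { type: CredType; id?: string; name: string }

const GENERIC_HTTP_TYPES: ReadonlySet<string> = new Set(['httpBasicAuth', 'httpHeaderAuth', 'httpQueryAuth']);

// Constructed store: "alice" owns an HTTP Basic credential that member "mallory" cannot see.
const STORE: StoredCredential[] = [
  { id: '7', name: 'Prod API', type: 'httpBasicAuth', ownerId: 'alice', sharedWith: [], secret: 'alice:hunter2' },
  { id: '8', name: 'Team Slack', type: 'slackApi', ownerId: 'alice', sharedWith: ['mallory'], secret: 'xoxb-example' },
];

function canAccess(cred: StoredCredential, userId: string): boolean {
  return cred.ownerId === userId || cred.sharedWith.includes(userId);
}

type Resolver = (name: string, type: CredType, userId: string) => StoredCredential | undefined;
type Checker = (ref: CredRef, userId: string) => boolean;

// Flaw 1: resolves a name to an ID across the whole instance, ignoring who is asking.
const resolveUnscoped: Resolver = (name, type) =>
  STORE.find(c => c.name === name && c.type === type);

// Fix 1: resolution only sees credentials the caller is allowed to use.
const resolveScoped: Resolver = (name, type, userId) =>
  STORE.find(c => c.name === name && c.type === type && canAccess(c, userId));

// Flaw 2: the pre-execution check returns early for generic HTTP types, so the
// resolved ID is never verified against the executing user.
const checkSkipsGeneric: Checker = (ref, userId) => {
  if (GENERIC_HTTP_TYPES.has(ref.type)) return true;   // the bypass
  const cred = STORE.find(c => c.id === ref.id);
  return cred !== undefined && canAccess(cred, userId);
};

// Fix 2: every referenced credential is checked, whatever its type.
const checkAll: Checker = (ref, userId) => {
  const cred = STORE.find(c => c.id === ref.id);
  return cred !== undefined && canAccess(cred, userId);
};

// Simulated pipeline: name -> ID, permission check, then "decrypt" (return the secret).
function runWorkflow(name: string, type: CredType, userId: string, resolve: Resolver, check: Checker): string | null {
  const cred = resolve(name, type, userId);
  if (cred === undefined) return null;
  const ref: CredRef = { type, id: cred.id, name };
  if (!check(ref, userId)) return null;
  return cred.secret;   // what the attacker reads back from the node's output
}

// Member "mallory" guesses the name "Prod API" and runs it through each pipeline variant.
function vulnerableChain(): string | null {
  return runWorkflow('Prod API', 'httpBasicAuth', 'mallory', resolveUnscoped, checkSkipsGeneric);
}
function hardenedChain(): string | null {
  return runWorkflow('Prod API', 'httpBasicAuth', 'mallory', resolveScoped, checkAll);
}
// In this model either fix alone already stops the chain, which is why the
// advisory describes the two flaws as chained rather than independent.
function onlyResolutionFixed(): string | null {
  return runWorkflow('Prod API', 'httpBasicAuth', 'mallory', resolveScoped, checkSkipsGeneric);
}
function onlyCheckFixed(): string | null {
  return runWorkflow('Prod API', 'httpBasicAuth', 'mallory', resolveUnscoped, checkAll);
}
// The legitimate owner still gets the credential through the hardened pipeline.
function ownerStillWorks(): string | null {
  return runWorkflow('Prod API', 'httpBasicAuth', 'alice', resolveScoped, checkAll);
}
```

The design point is that the permission check must be applied uniformly: a type-based early return in an authorization path is an allow-list for attackers, and resolving user-controlled keys (here, credential names) must be scoped to what the caller may already access rather than to the whole instance.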
Detection Methods for CVE-2026-33663
Indicators of Compromise
- Unexpected workflow executions by member-role users that reference credentials they do not own
- Workflow creation or modification events containing credential references to httpBasicAuth, httpHeaderAuth, or httpQueryAuth types from other users
- Anomalous credential resolution queries that cross user or project boundaries
- Use of a stored HTTP credential against the external service from outside the n8n instance, or from an unexpected client or location, which indicates a captured secret being replayed
Detection Strategies
- Review n8n's stored execution data for workflows whose nodes reference credentials that the executing user neither owns nor was granted access to through sharing
- Implement alerting on credential resolution events that involve cross-user or cross-project access patterns
- Review recently created or modified workflows for suspicious credential references, particularly those targeting generic HTTP credential types
- Correlate workflow execution events with credential access patterns to identify potential abuse
Monitoring Recommendations
- Retain execution data for all runs, including successful and manual ones (for example by setting EXECUTIONS_DATA_SAVE_ON_SUCCESS=all, EXECUTIONS_DATA_SAVE_ON_ERROR=all and EXECUTIONS_DATA_SAVE_MANUAL_EXECUTIONS=true), so that credential use by a workflow can be reconstructed after the fact
- Implement real-time monitoring for any workflow that accesses credentials of types httpBasicAuth, httpHeaderAuth, or httpQueryAuth
- Establish baseline patterns for normal credential usage and alert on deviations
- Review member-role user activity logs for unusual workflow creation or execution patterns
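As a concrete form of the detection and monitoring strategies above, the following TypeScript is an added example, not n8n's code: it walks exported workflow definitions, reads each node's credential references (the `credentials: { <type>: { id, name } }` shape used in n8n workflow JSON) and flags generic HTTP credential references that the workflow owner should not be able to use, references that carry only a name (and so depend on name-based resolution at run time), and references to unknown IDs. The workflow and credential records, their owners and sharing relationships are constructed for the example; on a real instance they would be read from the workflow, credentials and sharing tables or from an export.

```typescript
// Added detection example (not n8n's code). Records below are constructed;
// in practice they come from the instance's workflow, credentials and sharing data.

interface CredentialRecord {
  id: string;
  type: string;
  ownerId: string;
  sharedWith: string[];   // users with explicit access beyond the owner
}

// Shape of a node in n8n workflow JSON, reduced to the fields used here.
interface WorkflowNode {
  name: string;
  type: string;
  credentials?: Record<string, { id?: string; name: string }>;
}

interface WorkflowRecord { id: string; ownerId: string; nodes: WorkflowNode[] }

interface Finding {
  workflowId: string;
  node: string;
  credentialType: string;
  reason: 'cross-owner' | 'name-only' | 'unknown-id';
}

const GENERIC_HTTP_TYPES = new Set(['httpBasicAuth', 'httpHeaderAuth', 'httpQueryAuth']);

// Flags every credential reference a workflow's owner should not be able to use.
// onlyGenericHttp restricts the scan to the three types this advisory concerns.
function auditWorkflows(workflows: WorkflowRecord[], creds: CredentialRecord[], onlyGenericHttp = true): Finding[] {
  const byId = new Map(creds.map(c => [c.id, c] as const));
  const findings: Finding[] = [];
  for (const wf of workflows) {
    for (const node of wf.nodes) {
      const refs: Record<string, { id?: string; name: string }> = node.credentials ?? {};
      for (const [credType, ref] of Object.entries(refs)) {
        if (onlyGenericHttp && !GENERIC_HTTP_TYPES.has(credType)) continue;
        const base = { workflowId: wf.id, node: node.name, credentialType: credType };
        if (ref.id === undefined) {            // relies on name-based resolution at run time
          findings.push({ ...base, reason: 'name-only' });
          continue;
        }
        const cred = byId.get(ref.id);
        if (cred === undefined) {
          findings.push({ ...base, reason: 'unknown-id' });
          continue;
        }
        const allowed = cred.ownerId === wf.ownerId || cred.sharedWith.includes(wf.ownerId);
        if (!allowed) findings.push({ ...base, reason: 'cross-owner' });
      }
    }
  }
  return findings;
}

// Constructed sample: alice owns credential 7 (HTTP Basic, unshared) and 8 (Slack, shared with mallory).
const SAMPLE_CREDENTIALS: CredentialRecord[] = [
  { id: '7', type: 'httpBasicAuth', ownerId: 'alice', sharedWith: [] },
  { id: '8', type: 'slackApi', ownerId: 'alice', sharedWith: ['mallory'] },
];

const SAMPLE_WORKFLOWS: WorkflowRecord[] = [
  { id: 'w1', ownerId: 'mallory', nodes: [
    { name: 'HTTP Request', type: 'n8n-nodes-base.httpRequest', credentials: { httpBasicAuth: { id: '7', name: 'Prod API' } } },
  ] },
  { id: 'w2', ownerId: 'alice', nodes: [
    { name: 'HTTP Request', type: 'n8n-nodes-base.httpRequest', credentials: { httpBasicAuth: { id: '7', name: 'Prod API' } } },
  ] },
  { id: 'w3', ownerId: 'mallory', nodes: [
    { name: 'Slack', type: 'n8n-nodes-base.slack', credentials: { slackApi: { id: '8', name: 'Team Slack' } } },
    { name: 'HTTP Request', type: 'n8n-nodes-base.httpRequest', credentials: { httpHeaderAuth: { name: 'Prod API' } } },
  ] },
];

function sampleFindings(): Finding[] {
  return auditWorkflows(SAMPLE_WORKFLOWS, SAMPLE_CREDENTIALS);
}
```

Run against the sample, the scan reports w1 (mallory's workflow referencing alice's unshared HTTP Basic credential by ID) and w3's header-auth reference that carries no ID; alice's own workflow w2 and the legitimately shared Slack credential produce nothing. A name-only reference is worth triage on its own even before patching, because it is exactly the input the flawed resolution path consumes.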
How to Mitigate CVE-2026-33663
Immediate Actions Required
- Upgrade n8n to version 1.123.27, 2.13.3, or 2.14.1 or later immediately
- Audit all generic HTTP credentials (httpBasicAuth, httpHeaderAuth, httpQueryAuth) stored on affected instances
- Rotate any generic HTTP credentials that may have been exposed to unauthorized users
- Review workflow execution logs to identify potential unauthorized credential access
Patch Information
The n8n development team has released security patches addressing this vulnerability in versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to fully remediate the vulnerability. Patch details and additional security information are available in the GitHub Security Advisory.
Workarounds
- Restrict n8n instance access to fully trusted users only until patching is complete
- Audit and rotate all generic HTTP credentials (httpBasicAuth, httpHeaderAuth, httpQueryAuth) that may have been exposed
- Reduce member-role accounts to those that are strictly needed during the patch window; the Community Edition has no permission gate that stops members from creating and executing workflows, so an unpatched instance protects credentials only as well as it vets its members
- Migrate to n8n Enterprise Edition if possible, which includes additional permission gates that block this attack chain; this does not replace upgrading to a patched version
- Monitor for suspicious credential access patterns while implementing the upgrade
Note: These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures until the official patches can be applied.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.