Vulnerabilities ›

CVE-2026-42226

High

CWE-862 — Weakness Type

                    Published: May 4, 2026                      ·  Modified: May 11, 2026                      ·  Source: NVD                

CVSS v3

7.5

🔗 NVD Official

📄 Description (English)

n8n is an open source workflow automation platform. Prior to versions 1.123.33 and 2.17.5, the dynamic-node-parameters endpoints did not verify whether the authenticated caller was authorized to use a supplied credential reference. An authenticated user with access to a shared workflow could supply a foreign credential ID in the request body, causing the backend to decrypt and use that credential in a helper execution path where the caller also controls the destination URL. This allowed the caller to force the backend to authenticate against attacker-controlled infrastructure using a credential belonging to another user, effectively exfiltrating a reusable API key. The issue is not limited to any single node type; any node that resolves credentials dynamically through these endpoints may be affected. This issue has been patched in versions 1.123.33, 2.17.5, and 2.18.0.

🤖 AI Executive Summary

CVE-2026-42226 is a critical authorization bypass vulnerability in n8n workflow automation platform affecting versions before 1.123.33 and 2.17.5. Authenticated users can exploit insufficient credential authorization checks to exfiltrate API keys and credentials from other users by manipulating dynamic-node-parameters endpoints. This allows attackers to force backend authentication against attacker-controlled infrastructure using stolen credentials, posing significant risk to organizations using n8n for critical workflow automation.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 8, 2026 13:37

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations using n8n for workflow automation—particularly in banking (SAMA-regulated institutions), government agencies (NCA oversight), healthcare systems, energy sector (ARAMCO and subsidiaries), and telecommunications (STC, Mobily)—face critical risk of credential exfiltration. The vulnerability enables lateral movement and unauthorized access to downstream systems authenticated via stolen credentials. Financial institutions and critical infrastructure operators are at highest risk due to the sensitivity of credentials used in automated workflows connecting to core banking, SCADA, and operational systems.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Public Administration Healthcare and Medical Services Energy and Utilities Telecommunications Manufacturing Retail and E-commerce Insurance

🎯 MITRE ATT&CK Techniques

T1110 - Brute Force T1187 - Forced Authentication T1556 - Modify Authentication Process T1556.006 - Multi-Factor Authentication Interception T1528 - Steal Application Access Token T1621 - Multi-Stage Channels T1040 - Network Sniffing T1557 - Man-in-the-Middle T1111 - Multi-Factor Authentication Interception T1199 - Trusted Relationship

⚖️ Saudi Risk Score (AI)

8.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all n8n instances in your environment and document their versions

2. Restrict access to shared workflows containing sensitive credentials to trusted users only

3. Audit workflow execution logs for suspicious dynamic-node-parameters requests with foreign credential IDs

4. Rotate all API keys and credentials that may have been exposed through n8n workflows

5. Implement network segmentation to limit n8n backend outbound connections



PATCHING GUIDANCE:

1. Upgrade n8n to version 1.123.33, 2.17.5, or 2.18.0 immediately

2. Test patches in non-production environments first

3. Plan maintenance windows for production upgrades



COMPENSATING CONTROLS (if immediate patching not possible):

1. Disable dynamic credential resolution features in n8n configuration

2. Implement API gateway authentication logging and alerting for unusual credential usage patterns

3. Use read-only API keys with minimal permissions in n8n workflows

4. Implement IP whitelisting for n8n backend outbound connections

5. Monitor for unauthorized credential access attempts



DETECTION RULES:

1. Alert on dynamic-node-parameters API calls with credential IDs not owned by the requesting user

2. Monitor for n8n backend connections to non-whitelisted external IPs

3. Track credential decryption events in n8n audit logs

4. Alert on multiple failed authentication attempts using n8n-sourced credentials

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. حدد جميع مثيلات n8n في بيئتك وقثّق إصداراتها

2. قيّد الوصول إلى سير العمل المشترك الذي يحتوي على بيانات اعتماديّة حساسة للمستخدمين الموثوقين فقط

3. دقّق في سجلات تنفيذ سير العمل للطلبات المريبة من dynamic-node-parameters بمعرفات بيانات اعتماديّة أجنبية

4. قم بتدوير جميع مفاتيح API والبيانات الاعتماديّة التي قد تكون قد تعرضت من خلال سير عمل n8n

5. طبّق تقسيم الشبكة لتحديد اتصالات n8n الخلفية الصادرة

إرشادات التصحيح:

1. قم بترقية n8n إلى الإصدار 1.123.33 أو 2.17.5 أو 2.18.0 فوراً

2. اختبر التصحيحات في بيئات غير الإنتاج أولاً

3. خطّط نوافذ الصيانة لترقيات الإنتاج

الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):

1. عطّل ميزات دقة البيانات الاعتماديّة الديناميكية في تكوين n8n

2. طبّق تسجيل التنبيهات لبوابة API للأنماط غير المعتادة لاستخدام البيانات الاعتماديّة

3. استخدم مفاتيح API للقراءة فقط بأقل صلاحيات في سير عمل n8n

4. طبّق القائمة البيضاء للعناوين IP لاتصالات n8n الخلفية الصادرة

5. راقب محاولات الوصول غير المصرح به للبيانات الاعتماديّة

قواعد الكشف:

1. تنبيه على استدعاءات API dynamic-node-parameters بمعرفات بيانات اعتماديّة لا يملكها المستخدم الطالب

2. راقب اتصالات n8n الخلفية بعناوين IP خارجية غير مدرجة في القائمة البيضاء

3. تتبع أحداث فك تشفير البيانات الاعتماديّة في سجلات تدقيق n8n

4. تنبيه على محاولات مصادقة متعددة فاشلة باستخدام بيانات اعتماديّة من n8n

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.1 - Access Control and Authentication 5.2.1 - Authorization and Access Rights Management 5.3.1 - Credential Management and Protection 6.1.1 - Audit Logging and Monitoring 6.2.1 - Incident Detection and Response

🔵 SAMA CSF

ID.AM-1 - Asset Management PR.AC-1 - Access Control PR.AC-2 - Physical and Logical Access Control DE.AE-1 - Anomalies and Events Detection RS.AN-1 - Incident Analysis

🟡 ISO 27001:2022

A.5.2.1 - User Registration and De-registration A.5.2.2 - User Access Provisioning A.5.2.3 - Access Rights Review A.5.3.1 - Password Management A.8.2.1 - User Endpoint Devices A.8.3.1 - Information Access Restriction A.12.4.1 - Event Logging

🟣 PCI DSS v4.0.1

Requirement 2.1 - Default Security Parameters Requirement 6.2 - Security Patches Requirement 7 - Restrict Access to Data Requirement 8.1 - User Identification and Authentication Requirement 10.2 - User Access Logging

🔗 References & Sources 1

🔗

https://github.com/n8n-io/n8n/security/advisories/GHSA-r4v6-9fqc-w5jr

security-advisories@github.com

Vendor Advisory

📦 Affected Products / CPE 2 entries

n8n:n8n

📊 CVSS Score

7.5

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityN — None / Network

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score7.5

CWECWE-862

EPSS0.05%

Exploit No

Patch ✗ No

Published 2026-05-04

Source Feed nvd

🇸🇦 Saudi Risk Score

8.2

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

CWE-862

🏢 Vendor Advisories

🔗 https://github.com/n8n-io/n8n/security/advisories/GH...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-42226

💬 Comments

Introduce Yourself

Sign In Required