CVE-2026-33722: n8n Has External Secrets Authorization Bypass in Credential Saving
An authenticated user without permission to list external secrets could reference a secret by the external name in a credential and retrieve its plaintext value when saving the credential. This bypassed the externalSecret:list permission check and allowed access to secrets stored in connected vaults without admin or owner privileges.
- This issue requires the instance to have an external secrets vault configured.
- The attacker must know or be able to guess the name of a target secret.
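
The missing check described above, as an added example: a simplified model of a credential-save authorization gate plus a retrospective audit, not n8n's code and not the project's fix. It assumes credential fields reference external secrets through a `$secrets` expression token and that stored credential data is available decrypted for the audit; every function and field name is hypothetical, and only the scope string `externalSecret:list` comes from the advisory.

```javascript
// Added example: a simplified model, not n8n's code. Function and field names
// are hypothetical; only "externalSecret:list" comes from the advisory.

// Assumption: credential fields reference external secrets through a `$secrets`
// expression token. Matching the bare token covers any access form after it.
const SECRET_TOKEN = /\$secrets\b/;

// True if any string field, at any nesting depth, references an external secret.
function referencesExternalSecret(value) {
  if (typeof value === "string") return SECRET_TOKEN.test(value);
  if (value !== null && typeof value === "object") {
    return Object.values(value).some(referencesExternalSecret);
  }
  return false;
}

// Save path: authorize before anything resolves the reference against the vault.
function authorizeCredentialSave(user, credentialData) {
  if (referencesExternalSecret(credentialData) &&
      !user.scopes.includes("externalSecret:list")) {
    return { allowed: false, status: 403, reason: "missing externalSecret:list" };
  }
  return { allowed: true, status: 200 };
}

// Retrospective check: stored credentials that reference a secret but belong to
// a user who lacks the scope are candidates for review after patching.
function auditCredentials(credentials, usersById) {
  return credentials
    .filter((c) => referencesExternalSecret(c.data))
    .filter((c) => !(usersById[c.ownerId]?.scopes ?? []).includes("externalSecret:list"))
    .map((c) => c.id);
}

// Constructed sample data (users, scopes and credentials are made up).
const users = {
  u1: { scopes: ["credential:create", "externalSecret:list"] },
  u2: { scopes: ["credential:create"] },
};
const credentials = [
  { id: "c1", ownerId: "u1", data: { password: "={{ $secrets.vault1.dbPassword }}" } },
  { id: "c2", ownerId: "u2", data: { auth: { token: "={{ $secrets.vault1.apiToken }}" } } },
  { id: "c3", ownerId: "u2", data: { password: "literal-value" } },
];
console.log(auditCredentials(credentials, users));
```

Any secret that a flagged credential references should be treated as exposed and rotated in the vault.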