cvedb.io
CVE-2026-59254
UNKNOWN · CVSS n/a
EPSS exploitation probability: 0%
Published 2026-07-15T12:18:17.663 · Last modified 2026-07-15T12:18:17.663

Summary

n8n before 2.28.1 contains an information disclosure vulnerability where external secrets are incorrectly resolved in workflow node expressions outside credentials scope. Authenticated project editors can read plaintext external secret values by referencing them in node expressions without requiring explicit secrets access permissions.

Does this affect you?

Add your gear to cvedb and we'll alert you only when a vendor you run ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.