The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade n8n-core to version 1.122.35, 2.27.3, 2.28.1 or higher.
n8n-core is a Core functionality of n8n
Affected versions of this package are vulnerable to Insufficiently Protected Credentials through the HTTP Request V3 pagination expression handling in packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts and packages/core/src/execution-engine/node-execution-context/utils/request-helpers/pagination.ts. An authenticated user with access to a shared workflow can read credential-populated request headers by supplying a pagination expression that accesses $request.headers. When an HTTP Request node uses HTTP Header Auth credentials and pagination is enabled, the expression engine exposes the live request object with the secret-bearing headers attached. The attacker can copy that secret into item data and exfiltrate it through later workflow steps, exposing shared credentials to unauthorized workflow editors.
Notes
N8N_EXPRESSION_ENGINE=vm is set; the advisory’s leak path depends on the VM-based expression runtime exposing $request during pagination evaluation.$request.headers comes from credential-populated request headers, not from ordinary request data.Workarounds