Insufficiently Protected Credentials Affecting n8n-core package, versions <1.122.35>=2.0.0-rc.0 <2.27.3>=2.28.0 <2.28.1


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.29% (22nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-N8NCORE-17954281
  • published12 Jul 2026
  • disclosed9 Jul 2026
  • creditsm1ee

Introduced: 9 Jul 2026

NewCVE-2026-59209  (opens in a new tab)
CWE-522  (opens in a new tab)

How to fix?

Upgrade n8n-core to version 1.122.35, 2.27.3, 2.28.1 or higher.

Overview

n8n-core is a Core functionality of n8n

Affected versions of this package are vulnerable to Insufficiently Protected Credentials through the HTTP Request V3 pagination expression handling in packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts and packages/core/src/execution-engine/node-execution-context/utils/request-helpers/pagination.ts. An authenticated user with access to a shared workflow can read credential-populated request headers by supplying a pagination expression that accesses $request.headers. When an HTTP Request node uses HTTP Header Auth credentials and pagination is enabled, the expression engine exposes the live request object with the secret-bearing headers attached. The attacker can copy that secret into item data and exfiltrate it through later workflow steps, exposing shared credentials to unauthorized workflow editors.

Notes

  • This only applies when N8N_EXPRESSION_ENGINE=vm is set; the advisory’s leak path depends on the VM-based expression runtime exposing $request during pagination evaluation.
  • The affected workflow must use HTTP Header Auth on the paginated request; the secret shown in $request.headers comes from credential-populated request headers, not from ordinary request data.

Workarounds

  • Restrict workflow sharing to fully trusted users only.
  • Avoid sharing credentials with use-only access to untrusted users on workflows that use HTTP Request nodes with pagination enabled.

CVSS Base Scores

version 4.0
version 3.1