PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59259 n8n CVE debrief

CVE-2026-59259 is a permission bypass vulnerability in n8n's external secrets handling. An authenticated user with limited permissions can embed external secret references into credentials, potentially exposing secret values they are not authorized to access. This issue only affects instances where an external secrets provider is configured and Advanced Permissions are in use. The vulnerability has a CVSS score of 6 and a severity of MEDIUM.

Vendor
n8n
Product
Unknown
CVSS
MEDIUM 6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-15
Original CVE updated
2026-07-16
Advisory published
2026-07-15
Advisory updated
2026-07-16

Who should care

Users of n8n versions before 1.123.61, 2.27.4, and 2.28.1 who have Advanced Permissions in use and an external secrets provider configured should be aware of this vulnerability and take steps to mitigate it. This includes administrators and security teams responsible for n8n deployments, as well as operators who may be impacted by the vulnerability.

Technical summary

The vulnerability is caused by a mismatch between the static validation check and the runtime expression engine in n8n's external secrets handling. This allows an authenticated user with credential create or update permissions but without the externalSecret:list scope to embed external secret references into credentials. These references resolve at workflow execution time, potentially exposing secret values the user is not authorized to access. The issue only affects instances with an external secrets provider configured and Advanced Permissions in use.

Defensive priority

Medium

Recommended defensive actions

  • Update to a patched version of n8n (1.123.61, 2.27.4, or 2.28.1) as soon as possible.
  • Review and restrict user permissions to ensure that only authorized users have access to sensitive data.
  • Monitor workflow execution and external secret access to detect potential exploitation.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-07-15T12:18:17.797Z and has been modified since then. The NVD entry is currently Analyzed. The vulnerability has a CVSS score of 6 and a severity of MEDIUM. This information is based on the NVD entry and the CVE record. The details provided are limited to publicly available data and may not reflect the full scope of the vulnerability. Users should verify the information with the vendor or other trusted sources for a comprehensive understanding.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T12:18:17.797Z and has not been modified since then. The NVD entry is currently Analyzed.