n8n Workflow Automation Platform, Credential Header Information Disclosure via Pagination Expression, CVE-2026-59209 (Critical) -DC-Jul2026-915

Listen to this Post

How CVE-2026-59209 Works

n8n is an open-source workflow automation platform that allows users to create complex integrations between various services and applications. One of its core components is the HTTP Request node, which enables workflows to interact with external APIs and web services. This node supports advanced features such as pagination, which allows workflows to handle large datasets by iterating through multiple API responses.
The vulnerability, identified as CVE-2026-59209, resides in the pagination expression functionality of the HTTP Request node. In n8n, expressions are JavaScript-like code snippets that can be used to dynamically compute values within a workflow. The `$request` object is a special variable available within these expressions, providing access to the details of the outgoing HTTP request, including headers.
The security flaw arises when an authenticated user with only “use-only” editor access to a shared workflow leverages this feature. In a typical n8n deployment, administrators can share workflows with team members while restricting their permissions. A “use-only” editor, in theory, can execute the workflow but should not be able to view or modify its underlying sensitive configuration, such as API keys or authentication tokens stored in credentials.
However, due to insufficient access controls, the system fails to properly sanitize or restrict access to credential data that flows through HTTP headers during the evaluation of pagination expressions. When a “use-only” editor configures pagination parameters for an HTTP Request node, the system incorrectly exposes the header values containing secrets through the item data structure.
Specifically, the exposure occurs when the pagination expression is processed and the `$request` object is evaluated. An attacker with these minimal privileges can craft a pagination expression to read the credential-populated headers from the `$request` object. They can then exfiltrate these secrets by including them in the workflow’s output data, effectively bypassing the intended privilege restrictions.
This vulnerability fundamentally undermines the principle of least privilege, allowing a user with minimal permissions to escalate their access and potentially gain unauthorized access to systems or data protected by the exposed credentials. This creates a significant security risk for organizations that rely on shared workflow environments, as it could lead to credential compromise, lateral movement within networks, and unauthorized access to sensitive resources. The issue aligns with CWE-284 (Improper Access Control).

DailyCVE Form:

Platform: n8n
Version: <1.123.61,<2.27.4,<2.28.1
Vulnerability: Credential Header Leak
Severity: Critical
date: 2026-07-09

Prediction: 2026-07-09 (Patched)

What Undercode Say:

Analytics of the vulnerability reveals a classic case of overly permissive expression evaluation exposing internal objects. The `$request` object should not be accessible in pagination expressions for users with read-only permissions. The fix involves sanitizing the `$request` object within the expression context to remove or redact sensitive header information for unauthorized users.
To check if your n8n instance is vulnerable, you can use the following cURL command to probe the version:

curl -s http://your-n8n-instance:5678/healthz | grep version

A vulnerable instance will show a version prior to 1.123.61, 2.27.4, or 2.28.1.

Exploit:

An authenticated attacker with “use-only” editor access to a shared workflow can exploit this by:
1. Navigating to a shared workflow that contains an HTTP Request node with credentials.

2. Editing the pagination settings of that node.

  1. Injecting a malicious expression to read the `$request` object.
  2. Exfiltrating the headers (containing tokens) by placing them in the workflow’s output data.

A sample malicious pagination expression could be:

// This expression would leak the entire request object, including headers.
return $request.headers;

By setting this as the pagination expression, the attacker can cause the workflow to output the sensitive headers as part of its item data, which they can then view.

Protection:

The primary and most effective protection is to upgrade to a patched version of n8n immediately. The fixed versions are 1.123.61, 2.27.4, and `2.28.1` or later.
If an immediate upgrade is not possible, consider these temporary mitigations:
Restrict Editor Access: Limit the number of users with “use-only” or any editor-level access to shared workflows.
Audit Workflows: Review all existing workflows for HTTP Request nodes and ensure they are not using credentials in a way that could be exposed.
Monitor Logs: Implement monitoring for suspicious pagination expression usage or unusual workflow executions.

Impact:

The impact of this vulnerability is severe:

Credential Theft: Attackers can steal authentication tokens, API keys, and other secrets stored in n8n credentials.
Privilege Escalation: Users with minimal “use-only” permissions can effectively escalate their privileges to access sensitive data and systems.
Data Breach: Exfiltrated credentials can be used to access external services and internal systems, leading to potential data breaches.
Lateral Movement: Compromised credentials can allow attackers to move laterally within an organization’s network.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top