GHSA-756q-gq9h-fp22
n8n has Public API Variables IDOR that Allows Cross-Project Secret Disclosure
상세
## Impact An authenticated user with a valid API key scoped to `variable:list` could read variables from projects they are not a member of by supplying an arbitrary `projectId` query parameter to the public API variables endpoint. The handler queried the variables repository directly without enforcing project membership checks, bypassing the authorization-aware service layer used by the internal enterprise controller.
If variables were misused to store sensitive information such as credentials or tokens, they should be rotated immediately.
This issue only affects licensed enterprise or team deployments with multiple projects and the variables feature enabled.
## Patches The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later to remediate the vulnerability.
## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Restrict n8n access and API key issuance to fully trusted users only. - Audit existing project variables for sensitive values and rotate any secrets that may have been exposed.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.