SCA: security update for n8n (GHSA-756q-gq9h-fp22)

medium Tenable Cloud Security Plugin ID 440992

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an
authenticated user with a valid API key scoped to variable:list could read variables from projects they
are not a member of by supplying an arbitrary projectId query parameter to the public API variables
endpoint. The handler queried the variables repository directly without enforcing project membership
checks, bypassing the authorization-aware service layer used by the internal enterprise controller. If
variables were misused to store sensitive information such as credentials or tokens, they should be
rotated immediately. This issue only affects licensed enterprise or team deployments with multiple
projects and the variables feature enabled. This issue has been patched in versions 1.123.32, 2.17.4, and
2.18.1. (CVE-2026-42227)

Solution

Update the n8n library and its related packages to version 1.123.32 or later.

See Also

https://github.com/advisories/GHSA-756q-gq9h-fp22

Plugin Details

Severity: Medium

ID: 440992

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 4/30/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2026-42227

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6

Threat Score: 2.3

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/29/2026

Vulnerability Publication Date: 4/29/2026

Reference Information

CVE: CVE-2026-42227

cwe: CWE-639