n8n
cpe:2.3:a:n8n:n8n:*:*:*:*:node.js:*:*
- < 1.123.32
- < 2.17.4
- < 2.18.1
A vulnerability in n8n's public API variables endpoint allows authenticated users with a valid API key scoped to 'variable:list' to access variables from projects they do not belong to. This issue affects n8n versions prior to 1.123.32, 2.17.4, and 2.18.1, and is present in licensed enterprise or team deployments with multiple projects and the variables feature enabled. The vulnerability arises because the API endpoint bypasses project membership checks, directly querying the variables repository and circumventing the authorization-aware service layer of the internal enterprise controller. As a result, if sensitive information such as credentials or tokens was stored in the variables, it could be improperly accessed and should be rotated immediately.
Exploitation of this vulnerability could lead to unauthorized access to project variables, potentially including sensitive information like credentials or tokens, from projects the user is not a member of.
Users should upgrade to n8n versions 1.123.32, 2.17.4, or 2.18.1. If an immediate upgrade is not possible, access to n8n and API key issuance should be restricted to trusted users only, and existing project variables should be audited for sensitive information, with any exposed secrets rotated.
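To make the root cause concrete, here is an added illustration (not n8n's code; the types, data and handler names are hypothetical) of the two patterns the advisory contrasts: a handler that checks the API-key scope but reads the variables store directly, beside one that also filters the result by project membership.

```typescript
// Constructed model of the flaw class: scope check without a project-membership
// check, beside the hardened form. Names and data are hypothetical, not n8n's.

type Variable = { id: string; key: string; value: string; projectId: string };
type ApiKey = { userId: string; scopes: string[] };

// Constructed sample data: alice belongs only to proj-a, bob only to proj-b.
const PROJECT_MEMBERS: Record<string, string[]> = {
  "proj-a": ["alice"],
  "proj-b": ["bob"],
};
const VARIABLES: Variable[] = [
  { id: "v1", key: "API_TOKEN", value: "token-for-a", projectId: "proj-a" },
  { id: "v2", key: "DB_PASSWORD", value: "secret-for-b", projectId: "proj-b" },
];

// Reject API keys that lack the required scope.
function requireScope(key: ApiKey, scope: string): void {
  if (!key.scopes.includes(scope)) throw new Error(`missing scope ${scope}`);
}

// Authorization-aware lookup: the set of projects the user is a member of.
function projectsForUser(userId: string): Set<string> {
  return new Set(
    Object.keys(PROJECT_MEMBERS).filter(p => (PROJECT_MEMBERS[p] ?? []).includes(userId)),
  );
}

// Vulnerable pattern: the scope check passes, then the repository is read
// directly, so variables from every project are returned.
function listVariablesVulnerable(key: ApiKey): Variable[] {
  requireScope(key, "variable:list");
  return VARIABLES.slice();
}

// Hardened pattern: scope check plus a membership filter, so only variables
// from projects the caller belongs to are returned.
function listVariablesHardened(key: ApiKey): Variable[] {
  requireScope(key, "variable:list");
  const allowed = projectsForUser(key.userId);
  return VARIABLES.filter(v => allowed.has(v.projectId));
}

// Demonstration with alice's key, scoped to variable:list.
const alice: ApiKey = { userId: "alice", scopes: ["variable:list"] };
console.log(listVariablesVulnerable(alice).map(v => v.key)); // [ 'API_TOKEN', 'DB_PASSWORD' ]
console.log(listVariablesHardened(alice).map(v => v.key)); // [ 'API_TOKEN' ]
```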