172 matches found
CVE-2026-59254
n8n before 2.28.1 contains an information disclosure vulnerability where external secrets are incorrectly resolved in workflow node expressions outside credentials scope. Authenticated project editors can read plaintext external secret values by referencing them in node expressions without...
CVE-2026-59259
n8n before versions 1.123.61, 2.27.4, and 2.28.1 contains a permission bypass vulnerability in external secrets handling caused by a mismatch between the static validation check and the runtime expression engine. An authenticated user with credential create or update permissions but without the...
CVE-2026-59259 n8n - Permission Bypass via Expression Parser Mismatch in External Secrets
n8n before versions 1.123.61, 2.27.4, and 2.28.1 contains a permission bypass vulnerability in external secrets handling caused by a mismatch between the static validation check and the runtime expression engine. An authenticated user with credential create or update permissions but without the...
EUVD-2026-44635
n8n before versions 1.123.61, 2.27.4, and 2.28.1 contains a permission bypass vulnerability in external secrets handling caused by a mismatch between the static validation check and the runtime expression engine. An authenticated user with credential create or update permissions but without the...
CVE-2026-59254 n8n - External Secrets Disclosure via Workflow Node Expressions
n8n before 2.28.1 contains an information disclosure vulnerability where external secrets are incorrectly resolved in workflow node expressions outside credentials scope. Authenticated project editors can read plaintext external secret values by referencing them in node expressions without...
EUVD-2026-44634
n8n before 2.28.1 contains an information disclosure vulnerability where external secrets are incorrectly resolved in workflow node expressions outside credentials scope. Authenticated project editors can read plaintext external secret values by referencing them in node expressions without...
GHSA-45GG-VH54-H5M9 vulnerabilities
Vulnerabilities for packages: calico-fips, chisel-fips, tekton-pipelines-fips, knative-eventing-fips, rancher-agent, zitadel, kubescape-server-fips, trivy-fips, kubernetes, drone-fips, nemo, k3s, kubescape-server, frankenphp-8.5, osv-scanner, prometheus, gitlab-workhorse-ce-fips, argo-workflows,...
GHSA-W879-237Q-WC7R vulnerabilities
Vulnerabilities for packages: gitlab-runner, gptscript, apko, chezmoi, terraform-provider-tls, kots, step, cloud-provider-aws, kubescape, scorecard, tflint, argo-cd, cluster-api-azure-controller, docker, kine, act, atlantis, flux-kustomize-controller, gomplate,...
GHSA-F5WC-C3C7-36MC vulnerabilities
Vulnerabilities for packages: gptscript, apko, chezmoi, kots, step, cloud-provider-aws, scorecard, kubescape, argo-cd, kine, act, gomplate, fscrypt, opentofu, pulumi, kubernetes-dashboard, argo-events, podman, melange, pulumi-language-dotnet, cilium, go-discover, kubernetes, buildah, aactl,...
CLEANSTART-2026-RL64341 Security fixes for CVE-2025-61729, CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-32952, CVE-2026-39821, CVE-2026-39827, CVE-2026-39828, CVE-2026-39829, CVE-2026-39830, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, CVE-2026-39834, CVE-2026-39835, CVE-2026-39883, CVE-2026-42502, CVE-2026-42506, CVE-2026-42508, CVE-2026-46595, CVE-2026-46597, CVE-2026-46598, ghsa-hfvc-g4fc-pqhx, ghsa-mh2q-q3fh-2475, ghsa-pjcq-xvwq-hhpj applied in versions: 1.1.0-r0, 2.4.1-r0, 2.5.0-r0, 2.5.0-r1
Multiple security vulnerabilities affect the external-secrets package. These issues are resolved in later releases. See references for individual vulnerability details...
CVE-2026-42876
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populat...
CVE-2026-42875
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caProvider.namespace w...
CVE-2026-42875 vulnerabilities
Vulnerabilities for packages: external-secrets-operator...
GHSA-WV26-88M5-6H59 vulnerabilities
Vulnerabilities for packages: external-secrets-operator...
CVE-2026-42876 vulnerabilities
Vulnerabilities for packages: external-secrets-operator...
GHSA-FQ7H-9X26-6J22 vulnerabilities
Vulnerabilities for packages: external-secrets-operator...
GHSA-WV26-88M5-6H59 vulnerabilities
Vulnerabilities for packages: external-secrets-operator...
CVE-2026-42876 vulnerabilities
Vulnerabilities for packages: external-secrets-operator...
GHSA-FQ7H-9X26-6J22 vulnerabilities
Vulnerabilities for packages: external-secrets-operator...
CVE-2026-42875 vulnerabilities
Vulnerabilities for packages: external-secrets-operator...