Proposal: Case Study for CVE-2026-33722 (n8n Has External Secrets Authorization Bypass in Credential Saving) #71

@ShawnKi

I am a GMU student proposing a new case study for the following vulnerability:
CVE: CVE-2026-33722 (1)
Software: n8n (npm)
Language: TypeScript

Description:
n8n is a workflow automation platform using npm (2). There was a vulnerability where an authenticated user could access external secrets even while not having permission. This bypassed a permission check and allowed access to unauthorized information.

This case study plans to analyze the underlying CWE-863: Incorrect Authorization (3). This case study plans to analyze the specific details of the vulnerability and discuss prevention of this type of vulnerability in credential saving.
This case study will proceed pending approval.

Group Member(s):
Shawn Kingman (G01304524)
George Mason University

(1) GHSA-fxcw-h3qj-8m8p
(2) https://nvd.nist.gov/vuln/detail/CVE-2026-33722
(3) https://cwe.mitre.org/data/definitions/863.html
