CVE-2023-27564
Description
The n8n package 0.218.0 for Node.js allows Information Disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
n8n before 0.216.1 allows information disclosure due to an authentication bypass on URLs containing .svg files.
Vulnerability
CVE-2023-27564 affects n8n, a workflow automation platform. The CVE description names version 0.218.0, while the GitHub advisory and the fix release list versions before 0.216.1 as affected [1][3]. The root cause is in the authentication middleware (packages/cli/src/middlewares/auth.ts): the check `req.url.includes('.svg')` skipped authentication for any request whose URL contained the substring .svg. Because `req.url` in Express carries the query string as well as the path, that substring could be supplied on any otherwise protected endpoint, not only on requests for .svg files [1][3].
Exploitation
An attacker can exploit this by sending a request to any protected endpoint with the substring .svg somewhere in the URL. No authentication or prior access is needed. Placing it in the query string, as in /users?file.svg, is the practical form: the path still routes to the real handler, while the auth middleware sees .svg in `req.url` and skips the check [2][3].
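To make the bypass described in the Vulnerability and Exploitation sections concrete, here is an added example (not n8n's code) that models the auth-skip predicate from packages/cli/src/middlewares/auth.ts before and after the fix, plus a stricter path-based variant that is a suggestion of this page rather than part of the fix. The REST prefix `rest`, the asset list, and the sample URLs are all assumptions constructed for the example.

```javascript
// Added example for this page, not n8n's own code: the auth-skip predicate
// from auth.ts modelled before and after commit 27adea7, plus a stricter
// variant, all run over constructed request URLs.

// n8n's REST prefix defaults to "rest"; treated as an assumption here.
const REST_ENDPOINT = 'rest';

// Public REST routes that were exempt from auth both before and after the fix.
function isPublicRestRoute(url) {
  return ['settings', 'login', 'logout'].some((route) =>
    url.startsWith(`/${REST_ENDPOINT}/${route}`),
  );
}

// Pre-fix predicate (the removed lines in the diff). In Express, req.url is
// the raw path plus query string, so the substring test matches ".svg"
// anywhere, including the query string of a protected API route.
function skipsAuthVulnerable(reqUrl) {
  return (
    reqUrl === '/index.html' ||
    reqUrl === '/favicon.ico' ||
    reqUrl.startsWith('/css/') ||
    reqUrl.startsWith('/js/') ||
    reqUrl.startsWith('/fonts/') ||
    reqUrl.includes('.svg') ||
    isPublicRestRoute(reqUrl)
  );
}

// Post-fix predicate: exact match of req.url (minus the leading "/") against
// the files found in the editor's dist directory. The fix globs that
// directory at startup; this constructed list stands in for the glob result.
const STATIC_ASSETS = new Set(['index.html', 'favicon.ico', 'assets/logo.svg']);

function skipsAuthFixed(reqUrl) {
  return STATIC_ASSETS.has(reqUrl.slice(1)) || isPublicRestRoute(reqUrl);
}

// Stricter variant (this page's suggestion, not part of the fix): compare only
// the part before the first "?", which is what Express exposes as req.path,
// with no decoding or dot-segment normalisation. The auth check then judges
// the same raw path the router matches on, and a cache-busting query string
// on a real asset neither bypasses auth nor breaks the allowlist.
function skipsAuthByPath(reqUrl) {
  const pathname = reqUrl.split('?', 1)[0];
  return STATIC_ASSETS.has(pathname.slice(1)) || isPublicRestRoute(pathname);
}

// Run all three predicates over a list of request URLs and report which ones
// each predicate lets through without authentication.
function compare(urls) {
  return urls.map((url) => ({
    url,
    vulnerable: skipsAuthVulnerable(url),
    fixed: skipsAuthFixed(url),
    byPath: skipsAuthByPath(url),
  }));
}

// Constructed sample requests: protected REST routes with ".svg" smuggled into
// the query string (the route still matches, but auth was skipped), a plain
// protected route, a real asset, the same asset with a query string, and a
// public route.
const SAMPLE_URLS = [
  '/rest/users?file.svg',
  '/rest/credentials?x=.svg',
  '/rest/users',
  '/assets/logo.svg',
  '/index.html?v=2',
  '/rest/login',
];

for (const row of compare(SAMPLE_URLS)) {
  console.log(row);
}
```

Running it shows the two `.svg`-in-query requests pass `skipsAuthVulnerable` and fail both fixed predicates, while `/index.html?v=2` fails `skipsAuthFixed` (the exact match sees the query string) but passes `skipsAuthByPath`.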
Impact
Successful exploitation leads to information disclosure, potentially exposing sensitive data such as user details, workflow configurations, or credentials stored within the n8n instance [2].
Mitigation
The vulnerability was fixed in n8n version 0.216.1, released on February 21, 2023, by commit 27adea7 (PR #5525), which replaces the `.svg` substring test with an exact-match allowlist of files present in the editor's dist directory. Users should upgrade to at least this version [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| n8n (npm) | < 0.216.1 | 0.216.1 |
Affected products
- n8n/n8n
Patches
27adea704593 fix(core): Do not explicitly bypass auth on urls containing `.svg` (#5525)
1 file changed · +7 −7
packages/cli/src/middlewares/auth.ts+7 −7 modified@@ -3,11 +3,12 @@ import jwt from 'jsonwebtoken'; import cookieParser from 'cookie-parser'; import passport from 'passport'; import { Strategy } from 'passport-jwt'; +import { sync as globSync } from 'fast-glob'; import { LoggerProxy as Logger } from 'n8n-workflow'; import type { JwtPayload } from '@/Interfaces'; import type { AuthenticatedRequest } from '@/requests'; import config from '@/config'; -import { AUTH_COOKIE_NAME } from '@/constants'; +import { AUTH_COOKIE_NAME, EDITOR_UI_DIST_DIR } from '@/constants'; import { issueCookie, resolveJwtContent } from '@/auth/jwt'; import { isAuthenticatedRequest, @@ -61,6 +62,10 @@ const refreshExpiringCookie: RequestHandler = async (req: AuthenticatedRequest, const passportMiddleware = passport.authenticate('jwt', { session: false }) as RequestHandler; +const staticAssets = globSync(['**/*.html', '**/*.svg', '**/*.png', '**/*.ico'], { + cwd: EDITOR_UI_DIST_DIR, +}); + /** * This sets up the auth middlewares in the correct order */ @@ -79,12 +84,7 @@ export const setupAuthMiddlewares = ( // TODO: refactor me!!! // skip authentication for preflight requests req.method === 'OPTIONS' || - req.url === '/index.html' || - req.url === '/favicon.ico' || - req.url.startsWith('/css/') || - req.url.startsWith('/js/') || - req.url.startsWith('/fonts/') || - req.url.includes('.svg') || + staticAssets.includes(req.url.slice(1)) || req.url.startsWith(`/${restEndpoint}/settings`) || req.url.startsWith(`/${restEndpoint}/login`) || req.url.startsWith(`/${restEndpoint}/logout`) ||
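Review bot: the `staticAssets` list built by `globSync` in the second hunk only collects `**/*.html`, `**/*.svg`, `**/*.png` and `**/*.ico`, yet the third hunk drops the `/css/`, `/js/` and `/fonts/` prefix exemptions without adding those extensions to the glob; please confirm that scripts, stylesheets and fonts under EDITOR_UI_DIST_DIR are served by a static handler mounted ahead of this middleware, otherwise the unauthenticated login page loses its assets. Also, `staticAssets` is an array consulted with `includes` on every request; storing the glob result in a `Set` (`new Set(globSync(...))` and `staticAssets.has(...)`) keeps the lookup constant-time as the dist directory grows.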
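Review bot: `staticAssets.includes(req.url.slice(1))` in the last hunk matches against `req.url`, which still carries the query string, so a legitimate asset requested as `/favicon.ico?v=2` or `/index.html?foo=1` fails the allowlist and is sent through JWT auth; the removed `req.url === '/index.html'` had the same limitation, but it now applies to every file in the list. Comparing `req.path.slice(1)` (the pathname without the query) keeps the exact match that closes the `.svg` substring bypass while tolerating query strings. The remaining `req.url.startsWith(`/${restEndpoint}/settings`)`, `login` and `logout` checks are prefix matches rather than exact route matches; that is pre-existing, but whether any protected route shares one of those prefixes is worth checking in a follow-up.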
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r9xw-p7wj-w792 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-27564 (NVD entry)
- github.com/n8n-io/n8n/commit/27adea70459329fc0dddabee69e10c9d1453835f (fix commit)
- github.com/n8n-io/n8n/pull/5525 (fix PR)
- github.com/n8n-io/n8n/releases/tag/n8n%400.216.1 (release notes)
- security.netapp.com/advisory/ntap-20230622-0007 (NetApp advisory; listed by both GHSA and MITRE)
- www.synacktiv.com/sites/default/files/2023-05/Synacktiv-N8N-Multiple-Vulnerabilities_0.pdf (Synacktiv report)
News mentions
No linked articles in our index yet.