HIGHCVE-2026-54307Published Modified CNA GitHub_M
CVE-2026-54307: n8n: Credential Exfiltration via Permission Bypass
n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, a member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only enforced partially leading to cross-user credential access. This issue affects instances where workflow sharing is enabled and at least one workflow has been shared with a member-level user as an Editor. This vulnerability is fixed in 1.123.55, 2.25.7, and 2.26.2.
Metrics
- CVSS v4.0
- 8.5
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
Affected packages
- n8n-io / n8n< 1.123.55 · >= 2.0.0-rc.0, < 2.25.7 · >= 2.26.0, < 2.26.2
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:L