Impact
n8n is an open source workflow automation platform. Prior to versions 1.123.55, 2.25.7, and 2.26.2, three EE endpoints used by the Dynamic Credentials feature accepted any authenticated session without performing per‑resource ownership or scope checks on the target workflow or credential. An attacker who has an authenticated session but no project membership or credential sharing relationship can enumerate credential identifiers, names, and types referenced by any private workflow, initiate an OAuth authorization flow against another user’s credential to overwrite its stored tokens with tokens bound to an account they control, or revoke that user’s stored credential tokens entirely. Workflows that rely on a hijacked credential would then execute under the attacker’s OAuth identity, enabling data exfiltration to attacker‑controlled external services and persistent takeover of integrations; token revocation would break affected workflows. The flaw matches CWE-200 and CWE-284, and is fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2.
Affected Systems
The flaw occurs in the n8n product from n8n‑io. Any installation using version series 1.x older than 1.123.55, or 2.x older than 2.25.7 or 2.26.2, is impacted. The vulnerability is limited to EE endpoints that manage Dynamic Credentials.
Risk and Exploitability
The CVSS score of 8.9 classifies the flaw as high severity. Since the EPSS score is not available, the actual exploitation probability is unknown, but typical authentication credentials can be leveraged by compromised users or through phishing, making the vulnerability exploitable in environments where users have privileged access to the n8n instance. The flaw is not yet listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no public exploits have been reported. An attacker requires only an authenticated session to begin enumeration, indicating that the attack vector is internal or socially engineered distribution of credentials.
OpenCVE Enrichment
Github GHSA