Impact
n8n is an open source workflow automation platform. Before versions 1.123.55, 2.25.7, and 2.26.2, three EE endpoints used by the Dynamic Credentials feature accepted any authenticated session without checking per-resource ownership or scope on the target workflow or credential. An authenticated user with no membership in the project and no share relationship with a credential could enumerate the identifiers, names, and types of credentials referenced by any private workflow, initiate an OAuth flow to overwrite that credential’s stored tokens with tokens bound to an account they control, or revoke the owner’s tokens. Workflows that rely on a hijacked credential would then run under the attacker's OAuth identity, allowing data exfiltration to attacker-controlled services and enabling a persistent takeover of integrations. Token revocation would break affected workflows. The flaw matches CWE-200 and CWE-284.
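The missing check described above, as an added example that is not n8n's code: one handler that trusts any authenticated session, beside handlers gated on project membership or a share carrying the required scope. Every type, function and scope name here is hypothetical, and the data model is an assumption made for illustration.

```typescript
// Hypothetical in-memory model; none of these names are n8n's own code or API.
type Scope = "credential:read" | "credential:update";
interface User { id: string; projects: string[] }
interface Share { userId: string; scopes: Scope[] }
interface Credential {
  id: string; name: string; type: string;
  projectId: string; shares: Share[]; oauthAccount: string | null;
}
interface Workflow { id: string; projectId: string; credentialIds: string[] }

// Scopes come from project membership or from an explicit share, nothing else.
function scopesFor(user: User, cred: Credential): Scope[] {
  if (user.projects.indexOf(cred.projectId) !== -1) {
    return ["credential:read", "credential:update"];
  }
  const share = cred.shares.filter((s) => s.userId === user.id)[0];
  return share ? share.scopes : [];
}

function can(user: User, cred: Credential, scope: Scope): boolean {
  return scopesFor(user, cred).indexOf(scope) !== -1;
}

// Flawed pattern: the caller is authenticated, but never compared to the credential.
function completeOAuthUnchecked(_user: User, cred: Credential, account: string): boolean {
  cred.oauthAccount = account;
  return true;
}

// Corrected pattern: each operation is gated on the caller's scope for this credential.
function completeOAuth(user: User, cred: Credential, account: string): boolean {
  if (!can(user, cred, "credential:update")) return false;
  cred.oauthAccount = account;
  return true;
}

function revokeTokens(user: User, cred: Credential): boolean {
  if (!can(user, cred, "credential:update")) return false;
  cred.oauthAccount = null;
  return true;
}

// Returns null (a 403 in a real handler) unless the caller is in the workflow's project.
function listWorkflowCredentials(user: User, wf: Workflow, all: Credential[]) {
  if (user.projects.indexOf(wf.projectId) === -1) return null;
  return all
    .filter((c) => wf.credentialIds.indexOf(c.id) !== -1 && can(user, c, "credential:read"))
    .map((c) => ({ id: c.id, name: c.name, type: c.type }));
}
```

The same guard has to run on all three operations (listing, OAuth completion, revocation); checking only one leaves the other two reachable by any logged-in user.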
Affected Systems
The flaw occurs in the n8n product from n8n‑io. Any installation using version series 1.x older than 1.123.55, or 2.x older than 2.25.7 or 2.26.2, is impacted. The vulnerability is limited to EE endpoints that manage Dynamic Credentials.
Risk and Exploitability
The CVSS score of 8.9 classifies the flaw as high severity. No EPSS score is available, so the actual probability of exploitation is unknown. Ordinary account credentials, whether held by a compromised user or obtained through phishing, are enough to exploit the flaw in environments where users have privileged access to the n8n instance. The flaw is not yet listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no public exploits have been reported. An attacker requires only an authenticated session to begin enumeration, so the attack vector is either an internal user or credentials obtained through social engineering.