CVE-2026-54307 - Vulnerability Details

- n8n: Credential Exfiltration via Permission Bypass

Description

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, a member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only enforced partially leading to cross-user credential access. This issue affects instances where workflow sharing is enabled and at least one workflow has been shared with a member-level user as an Editor. This vulnerability is fixed in 1.123.55, 2.25.7, and 2.26.2.

Published: 2026-06-23

Score: 8.5 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A member‑level user with editor rights on a shared workflow in n8n can retrieve credentials belonging to other users through specific public API endpoints. The credential ownership checks are only partially enforced, allowing cross‑user access that was not intended. This flaw permits an attacker with such privileges to exfiltrate sensitive authentication tokens and other private information, compromising the confidentiality of user accounts. The weakness is identified as CWE‑863, an improper restriction of resources for a specific user.

Affected Systems

The affected product is n8n, developed by n8n‑io. Versions prior to 1.123.55, 2.25.7, and 2.26.2 are vulnerable. The issue occurs when workflow sharing is enabled and at least one workflow is shared with a member‑level user as an Editor. All installations that meet these conditions are at risk until the recommended versions are applied.

Risk and Exploitability

The CVSS score of 8.5 classifies this as a high‑severity vulnerability. EPSS information is not available, so the exploitation probability cannot be precisely quantified; however the flaw can be reached via public API endpoints, meaning that an attacker only needs network access to the n8n instance. The vulnerability is not currently listed in CISA’s KEV catalog. Because any editor on a shared workflow can exploit the bypass, the potential impact is significant with relative ease of exploitation once the conditions are met.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n8n-io

n8n

affected

Version	Status	Constraints
`< 1.123.55`	affected	—
`>= 2.0.0-rc.0, < 2.25.7`	affected	—
`>= 2.26.0, < 2.26.2`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade n8n to version 1.123.55 or newer, 2.25.7 or newer, or 2.26.2 or newer depending on your installation.
Until the upgrade can be performed, restrict or disable workflow sharing for users with Editor role to prevent the bypass.
Verify that credential ownership checks are correctly enforced on all public API endpoints by reviewing the API logs or performing a quick access test.

Generated by OpenCVE AI on June 23, 2026 at 22:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-pmqw-72cg-wx85	n8n: Credential Exfiltration via Permission Bypass

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact Low

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/n8n-io/n8n/security/advisories/GHSA-pmqw-72cg-wx85

History

Tue, 23 Jun 2026 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 23 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, a member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only enforced partially leading to cross-user credential access. This issue affects instances where workflow sharing is enabled and at least one workflow has been shared with a member-level user as an Editor. This vulnerability is fixed in 1.123.55, 2.25.7, and 2.26.2.
Title		n8n: Credential Exfiltration via Permission Bypass
Weaknesses		CWE-863
References		https://github.com/n8n-io/n8n/security/advisories/GHSA-pmqw-72cg-wx85
Metrics		cvssV4_0 `{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:L'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-23T15:47:25.593Z

Updated: 2026-06-23T17:03:12.592Z

Reserved: 2026-06-12T18:42:02.222Z

Link: CVE-2026-54307

Vulnrichment

Updated: 2026-06-23T16:59:21.002Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T22:15:04Z

Weaknesses

CWE-863
Incorrect Authorization

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact Low

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object