Skip to main content

n8n CVE-2026-54305

| EUVDEUVD-2026-38476 HIGH
Information Exposure (CWE-200)
2026-06-16 https://github.com/n8n-io/n8n GHSA-2j5h-858j-5mpf
8.9
CVSS 4.0 · Vendor: https://github.com/n8n-io/n8n
Share

Severity by source

Vendor (https://github.com/n8n-io/n8n) PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.9 CRITICAL

Network-reachable EE endpoints exploitable by any authenticated user (PR:L), no UI; scope changes as victim's OAuth integrations on other systems are impacted; token revocation gives partial availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

Primary rating from Vendor (https://github.com/n8n-io/n8n).

CVSS VectorVendor: https://github.com/n8n-io/n8n

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 23, 2026 - 18:39 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 18:38 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 23, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
Jun 23, 2026 - 18:22 NVD
9.9 (HIGH) 8.9 (HIGH)
Source Code Evidence Fetched
Jun 17, 2026 - 00:13 vuln.today
Analysis Generated
Jun 17, 2026 - 00:13 vuln.today

DescriptionCVE.org

Impact

Three EE endpoints used by the Dynamic Credentials feature accepted any authenticated n8n session without performing per-resource ownership or scope checks on the target workflow or credential. An authenticated user with no project membership or credential sharing relationship could enumerate credential identifiers, names, and types referenced by any private workflow in the instance, initiate an OAuth authorization flow against another user's credential to overwrite its stored tokens with tokens bound to an account they control, or revoke another user's stored credential tokens entirely.

Workflows relying on a hijacked credential would subsequently execute under the attacker's OAuth identity, enabling data exfiltration to attacker-controlled external services and persistent takeover of integrations. Token revocation would break affected workflows.

This issue only affects Enterprise instances where the Dynamic Credentials feature is enabled.

Patches

The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

  • Restrict n8n instance access to fully trusted users only.
  • If the Dynamic Credentials feature is not actively required, disable it by unsetting N8N_ENV_FEAT_DYNAMIC_CREDENTIALS.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

AnalysisAI

Cross-tenant credential takeover in n8n Enterprise allows any authenticated user to hijack OAuth credentials belonging to other tenants when the Dynamic Credentials feature is enabled. Three EE endpoints failed to enforce per-resource ownership checks, letting attackers enumerate credentials across private workflows, overwrite stored OAuth tokens with attacker-controlled tokens, or revoke victim tokens entirely. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege n8n session
Delivery
Enumerate cross-tenant credential IDs via EE endpoint
Exploit
Initiate OAuth flow against victim credential
Execution
Overwrite stored tokens with attacker-bound tokens
Persist
Victim workflow executes under attacker identity
Impact
Exfiltrate data from integrated SaaS services

Vulnerability AssessmentAI

Exploitation Requires an n8n Enterprise instance with the Dynamic Credentials feature explicitly enabled via the N8N_ENV_FEAT_DYNAMIC_CREDENTIALS environment variable, plus any valid authenticated session on the instance (no project membership, role, or sharing relationship with the target resource is required, consistent with CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L) scores 8.9 and accurately reflects a network-exploitable, low-privilege flaw with high confidentiality and integrity impact on both the vulnerable and subsequent systems - the subsequent-system impact is meaningful here because hijacked OAuth tokens grant access to third-party SaaS integrations (Google, Slack, GitHub, etc.). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker provisions or compromises any low-privilege n8n account on a vulnerable Enterprise instance, then calls the unprotected Dynamic Credentials EE endpoints to enumerate credential IDs referenced by other tenants' private workflows. The attacker initiates an OAuth authorization flow against a chosen victim credential, completing it with their own account so that the victim's stored tokens are overwritten with attacker-bound tokens. …
Remediation Vendor-released patch: upgrade to n8n 1.123.55, 2.25.7, or 2.26.2 (or later) depending on the release line in use, as documented in GHSA-2j5h-858j-5mpf (https://github.com/n8n-io/n8n/security/advisories/GHSA-2j5h-858j-5mpf). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable Dynamic Credentials if non-essential and audit access logs for suspicious activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54305 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy