Skip to main content

n8n EUVDEUVD-2026-38478

| CVE-2026-54307 HIGH
Incorrect Authorization (CWE-863)
2026-06-16 https://github.com/n8n-io/n8n GHSA-pmqw-72cg-wx85
8.5
CVSS 4.0 · Vendor: https://github.com/n8n-io/n8n
Share

Severity by source

Vendor (https://github.com/n8n-io/n8n) PRIMARY
8.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.7 HIGH

Network API exploitable by an authenticated member (PR:L), no UI; credential disclosure crosses authorization boundary (S:C, C:H), no integrity or availability impact on n8n itself.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (https://github.com/n8n-io/n8n).

CVSS VectorVendor: https://github.com/n8n-io/n8n

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jun 23, 2026 - 18:40 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 23, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
Jun 23, 2026 - 18:22 NVD
9.6 (HIGH) 8.5 (HIGH)
Source Code Evidence Fetched
Jun 17, 2026 - 00:10 vuln.today
Analysis Generated
Jun 17, 2026 - 00:10 vuln.today

DescriptionCVE.org

Impact

A member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only enforced partially leading to cross-user credential access.

This issue affects instances where workflow sharing is enabled and at least one workflow has been shared with a member-level user as an Editor.

Patches

The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

  • Restrict workflow sharing to fully trusted users only.
  • Audit shared workflows for unexpected credential references or recent modifications.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Credits: Momen Elkhouli

AnalysisAI

Cross-user credential access in n8n workflow automation platform allows member-level users with Editor access to shared workflows to reference credentials owned by other users via specific public API endpoints. The flaw stems from incomplete ownership checks (CWE-863) and affects versions prior to 1.123.55, between 2.0.0-rc.0 and 2.25.7, and between 2.26.0 and 2.26.2. No public exploit identified at time of analysis, but the vulnerability enables credential exfiltration in multi-tenant n8n deployments where workflow sharing is enabled.

Technical ContextAI

n8n is a fair-code workflow automation platform distributed as the npm package 'n8n' that orchestrates integrations across SaaS services using stored credentials. The vulnerability is rooted in CWE-863 (Incorrect Authorization): the public API endpoints that resolve credential references attached to a workflow performed only partial ownership verification, checking workflow access but failing to verify that the requesting user owned (or was granted access to) the referenced credentials. As a result, an Editor on a shared workflow could invoke API calls that disclosed or operated against credentials belonging to the workflow owner or other users, breaking the platform's role-based access control model.

RemediationAI

Vendor-released patches are available: upgrade to n8n 1.123.55, 2.25.7, or 2.26.2 (or any later release on the corresponding branch) per the GHSA advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-pmqw-72cg-wx85. If immediate upgrade is not possible, restrict workflow sharing to fully trusted users only (acknowledging this reduces collaboration capability) and audit all currently shared workflows for unexpected credential references or recent modifications by Editor-role users; these workarounds reduce but do not eliminate the risk and should be considered short-term only. Operators should also rotate any credentials stored in n8n that were referenced by shared workflows on vulnerable instances, since prior exfiltration cannot be ruled out from configuration alone.

Share

EUVD-2026-38478 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy