CVE Catalog

CVE-2026-54307

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

23th percentile — higher than 23% of all known CVEs

Summary

In n8n before versions 1.123.55, 2.25.7, and 2.26.2, a member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only enforced partially leading to cross-user credential access.

Risk Assessment

The risk involves potential leakage of sensitive credentials (e.g., passwords, API keys) to unauthorized users, which could lead to data and system security breaches.

Recommendation

Immediately update n8n to version 1.123.55, 2.25.7, or 2.26.2, depending on the branch used. In the meantime, limit workflow sharing to trusted users only.

Original NVD description (English source)

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, a member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only enforced partially leading to cross-user credential access. This issue affects instances where workflow sharing is enabled and at least one workflow has been shared with a member-level user as an Editor. This vulnerability is fixed in 1.123.55, 2.25.7, and 2.26.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS