NVD Vulnerability Detail
Search Exploit, PoC
CVE-2026-54307
Summary

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, a member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only enforced partially leading to cross-user credential access. This issue affects instances where workflow sharing is enabled and at least one workflow has been shared with a member-level user as an Editor. This vulnerability is fixed in 1.123.55, 2.25.7, and 2.26.2.

Publication Date June 24, 2026, 2:17 a.m.
Registration Date June 27, 2026, 4:14 a.m.
Last Update June 26, 2026, 11:20 a.m.
CVSS3.1 : CRITICAL
スコア 9.6
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
攻撃元区分(AV) ネットワーク
攻撃条件の複雑さ(AC)
攻撃に必要な特権レベル(PR)
利用者の関与(UI) 不要
影響の想定範囲(S) 変更あり
機密性への影響(C)
完全性への影響(I)
可用性への影響(A) なし
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* 1.123.55
cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* 2.0.0 2.25.7
cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* 2.26.0 2.26.2
Related information, measures and tools
Common Vulnerabilities List