CVSS 9.6 CRITICAL Vulnerability

CVE-2026-54307: n8n: Credential Exfiltration via Permission Bypass


CVSS Score: 9.6
Severity: CRITICAL
CISA KEV: NO
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-54307
Vendor: npm
Affected Product: n8n
Vulnerability Type: Vulnerability
CVSS Score: 9.6 (CRITICAL)
Actively Exploited: ❌ No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Impact

A member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only partially enforced, leading to cross-user credential access. This issue affects instances where workflow sharing is enabled and at least one workflow has been shared with a member-level user as an Editor.

Patches

The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

• Restrict workflow sharing to fully trusted users only.
• Audit shared workflows for unexpected credential referen
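
One way to carry out the audit workaround above, as an added example that is not part of the advisory or n8n's own code: it walks each node's `credentials` map in workflow JSON and flags references the workflow's owning project has no recorded access to. The `ownerProjectId` field, the access map and the sample data are assumptions constructed for illustration; populate them from your instance's own ownership records.

```javascript
// Added example: audit workflow JSON for credential references that the
// workflow's owning project has no recorded access to.
// Assumptions: `ownerProjectId` and the access map are supplied by the admin;
// they are not fields of an n8n workflow export.
function auditCredentialRefs(workflows, credentialAccess) {
  const findings = [];
  for (const wf of workflows) {
    for (const node of wf.nodes ?? []) {
      // n8n nodes carry credentials as { <credentialType>: { id, name } }.
      for (const [credType, ref] of Object.entries(node.credentials ?? {})) {
        const id = ref && ref.id != null ? String(ref.id) : null;
        let reason = null;
        if (id === null) {
          reason = 'reference has no credential id';
        } else if (!credentialAccess.has(id)) {
          reason = 'credential id not in access map';
        } else if (!credentialAccess.get(id).includes(wf.ownerProjectId)) {
          reason = 'credential not accessible to workflow owner';
        }
        if (reason) {
          findings.push({ workflowId: wf.id, node: node.name, credType, credentialId: id, reason });
        }
      }
    }
  }
  return findings;
}

// Constructed sample data (not taken from any real instance).
const sampleAccess = new Map([
  ['11', ['proj-alice']],
  ['22', ['proj-bob']],
]);
const sampleWorkflows = [
  {
    id: 'wf-1', name: 'Shared report', ownerProjectId: 'proj-alice',
    nodes: [
      { name: 'Fetch', type: 'n8n-nodes-base.httpRequest',
        credentials: { httpBasicAuth: { id: '11', name: 'Alice API' } } },
      { name: 'Post', type: 'n8n-nodes-base.httpRequest',
        credentials: { httpHeaderAuth: { id: '22', name: 'Bob token' } } },
      { name: 'Set', type: 'n8n-nodes-base.set' },
    ],
  },
];

for (const f of auditCredentialRefs(sampleWorkflows, sampleAccess)) {
  console.log(`${f.workflowId} / ${f.node}: ${f.credType} id=${f.credentialId} (${f.reason})`);
}
```

This check will not flag misuse of credentials that legitimately belong to the workflow's owner, so review recent edits by Editor-role members separately.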
