js · n8n · Critical

n8n: Cross-User Credential Access via Shared Workflow API

17 Jun 2026 · Read 1 min · Severity: act now

What changed

A member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints, leading to cross-user credential access.

Who it affects

Instances where workflow sharing is enabled and at least one workflow has been shared with a member-level user as an Editor.

What to do today

Upgrade n8n to version 1.123.55, 2.25.7, or 2.26.2 or later. If immediate upgrade is not possible, restrict workflow sharing to fully trusted users and audit shared workflows.
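
One way to run the audit of shared workflows suggested above, as an added example that is not n8n's own code or part of the original advisory: it walks exported workflow JSON and flags credential references that neither the workflow owner nor any Editor has access to. The `ownerId` and `editorIds` fields and the credential-access map are assumed inventory shapes built from your own instance data; all sample values are constructed.

```javascript
// Added example. Only nodes[].credentials follows n8n's workflow JSON layout;
// ownerId, editorIds and the credentialAccess map are assumed inventory shapes.
function auditSharedWorkflows(workflows, credentialAccess) {
  const findings = [];
  for (const wf of workflows) {
    const editors = wf.editorIds || [];
    if (editors.length === 0) continue; // not shared with an Editor: out of scope
    const participants = new Set([wf.ownerId, ...editors]);
    for (const node of wf.nodes || []) {
      for (const [type, ref] of Object.entries(node.credentials || {})) {
        const id = ref?.id ?? null;
        const allowed = id === null ? undefined : credentialAccess.get(id);
        let reason = null;
        if (!allowed) reason = 'credential id not in inventory';
        else if (!allowed.some((u) => participants.has(u)))
          reason = 'no workflow participant has access to this credential';
        if (reason) findings.push({ workflow: wf.name, node: node.name, type, credentialId: id, reason });
      }
    }
  }
  return findings;
}

// Constructed sample data, not taken from a real instance.
const sampleWorkflows = [
  { name: 'Invoice sync', ownerId: 'u-alice', editorIds: ['u-bob'], nodes: [
    { name: 'HTTP Request', credentials: { httpBasicAuth: { id: 'c1', name: 'ERP login' } } },
    { name: 'Postgres', credentials: { postgres: { id: 'c3', name: 'Finance DB' } } },
    { name: 'Set', parameters: {} },
  ] },
  { name: 'Private report', ownerId: 'u-carol', editorIds: [], nodes: [
    { name: 'Postgres', credentials: { postgres: { id: 'c3', name: 'Finance DB' } } },
  ] },
  { name: 'Slack alerts', ownerId: 'u-bob', editorIds: ['u-alice'], nodes: [
    { name: 'Slack', credentials: { slackApi: { id: 'c9', name: 'Ops bot' } } },
  ] },
];
// Credential id -> user ids that own it or have it shared with them.
const sampleAccess = new Map([['c1', ['u-alice']], ['c2', ['u-bob']], ['c3', ['u-carol']]]);

const sampleFindings = auditSharedWorkflows(sampleWorkflows, sampleAccess);
console.log(JSON.stringify(sampleFindings, null, 2));
```

Each finding is a lead for manual review: confirm who added the node and whether the credential owner intended that use.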
