js · n8n · Critical
n8n Enterprise: Missing Scope Checks in Dynamic Credentials Endpoints
What changed
Three EE endpoints used by the Dynamic Credentials feature lacked per-resource ownership or scope checks, allowing authenticated users to enumerate, hijack, or revoke credentials of other users' workflows.
Who it affects
Enterprise instances of n8n with the Dynamic Credentials feature enabled.
What to do today
Upgrade to n8n version 1.123.55, 2.25.7, or 2.26.2 immediately. If upgrading is not possible, restrict instance access to trusted users and disable Dynamic Credentials via N8N_ENV_FEAT_DYNAMIC_CREDENTIALS.
Source
GitHub Advisory · n8n