n8n: Credential Exfiltration via Permission Bypass

Vulnerability

A credential ownership check bypass exists in n8n when a member-level user with editor access to a shared workflow uses specific public API endpoints. The vulnerability affects instances where workflow sharing is enabled and at least one workflow has been shared with a member-level user as an Editor. Affected versions are all n8n releases prior to 1.123.55, 2.25.7, and 2.26.2 [1][2].

Exploitation

An attacker must have a member-level account with editor permissions on a shared workflow. By calling the vulnerable public API endpoints, the attacker can reference credentials that belong to other users without proper ownership verification [1][2].

Impact

Successful exploitation allows the attacker to exfiltrate credentials they do not own, leading to unauthorized access to sensitive data and potential compromise of integrated services. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, indicating high confidentiality and integrity impact with a network attack vector [1][2].

Mitigation

The issue is fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later. If immediate upgrade is not possible, administrators can restrict workflow sharing to fully trusted users and audit shared workflows for unexpected credential references as temporary workarounds [1][2].