CVE-2026-54305: n8n: IDOR enables OAuth credential hijack in agent workflows
GHSA-2j5h-858j-5mpf (CRITICAL)
CVE-2026-54305 is a critical (CVSS 9.9) broken object-level authorization flaw in n8n Enterprise's Dynamic Credentials feature, where three EE API endpoints enforce authentication but not per-resource ownership — meaning any authenticated user, regardless of project membership or sharing grants, can enumerate credential metadata across all private workflows, overwrite another user's OAuth tokens by completing an authorization flow bound to an attacker-controlled account, or revoke tokens entirely to silently break dependent workflows. No public exploit exists yet, but the preconditions are minimal: a valid low-privilege n8n account, network access, and knowledge of the endpoint paths now public via the GHSA advisory; EPSS places this in the 87th percentile of exploitation likelihood relative to all CVEs, and the Changed scope (S:C) means a single compromised account can pivot to every external service integrated via OAuth across the entire instance. Organizations running n8n Enterprise with Dynamic Credentials enabled should patch immediately to 1.123.55, 2.25.7, or 2.26.2; if immediate upgrade is not feasible, unset `N8N_ENV_FEAT_DYNAMIC_CREDENTIALS` and restrict instance access to fully trusted users as a temporary control — and rotate all stored OAuth credentials after patching to invalidate any tokens already overwritten.
What is the risk?
Critical risk for any Enterprise n8n deployment with Dynamic Credentials enabled. The CVSS 9.9 reflects the combination of network reachability, low attack complexity, minimal privilege requirement (any authenticated session), no user interaction, and a Changed scope that allows one compromised account to affect resources owned by every other user in the instance. The root cause is a classic BOLA (Broken Object Level Authorization) — the API validates identity but not authorization at the resource level. The blast radius extends beyond n8n to every external service the organization has connected via OAuth: Google Workspace, Slack, GitHub, cloud providers, CRMs, and data pipelines. Hijacked tokens persist until manually rotated, and because workflows continue to execute normally, the compromise may go undetected indefinitely. The lack of active KEV listing and a low absolute EPSS (0.00042) indicate no observed exploitation yet, but advisory publication substantially lowers the bar for any threat actor with an n8n account.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | < 1.123.55 | 1.123.55 |
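A small triage helper, added here as an example and not part of n8n, that decides whether an installed version is at or past one of the fixed releases the advisory names (1.123.55, 2.25.7, 2.26.2 "or later", per branch) and whether the vulnerable feature is switched on. Assumptions: a 2.x release below 2.25 has no fixed branch and is treated as vulnerable; a major newer than any fixed major is treated as patched; any non-empty value of the environment variable counts as "enabled".

```typescript
type Ver = [number, number, number];

// Fixed releases from the advisory, one per affected branch.
const FIXED: Ver[] = [[1, 123, 55], [2, 25, 7], [2, 26, 2]];

function parseVer(s: string): Ver {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(s.trim());
  if (!m) throw new Error(`unparseable version: ${s}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a: Ver, b: Ver): number {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Patched when the version is >= the fix for its nearest branch: same major,
// highest fixed minor that is <= the version's minor. No such branch (for
// example 2.24.x or 2.0.x) means vulnerable. Assumption: a major newer than
// every fixed major post-dates the fix and is treated as patched.
function isPatched(version: string): boolean {
  const v = parseVer(version);
  const sameMajor = FIXED.filter((f) => f[0] === v[0]);
  if (sameMajor.length === 0) return v[0] > Math.max(...FIXED.map((f) => f[0]));
  const branch = sameMajor.filter((f) => f[1] <= v[1]).sort((a, b) => b[1] - a[1])[0];
  return branch !== undefined && cmp(v, branch) >= 0;
}

// The advisory's workaround is to unset the variable; assumption: any
// non-empty value means the feature is enabled.
function dynamicCredentialsEnabled(env: Record<string, string | undefined>): boolean {
  const v = env["N8N_ENV_FEAT_DYNAMIC_CREDENTIALS"];
  return v !== undefined && v !== "";
}

type Status = "patched" | "vulnerable: exposed" | "vulnerable: feature disabled (workaround only)";

// Pass the installed n8n version string and the process environment.
function triage(version: string, env: Record<string, string | undefined>): Status {
  if (isPatched(version)) return "patched";
  return dynamicCredentialsEnabled(env)
    ? "vulnerable: exposed"
    : "vulnerable: feature disabled (workaround only)";
}

// Example: triage("2.26.1", { N8N_ENV_FEAT_DYNAMIC_CREDENTIALS: "true" }) -> "vulnerable: exposed"
```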
What should I do?
1. PATCH: Upgrade n8n to version 1.123.55, 2.25.7, or 2.26.2 — the only full remediation.
2. IMMEDIATE WORKAROUND: Unset the environment variable N8N_ENV_FEAT_DYNAMIC_CREDENTIALS to disable the vulnerable feature entirely; if Dynamic Credentials is not actively in use, this has no operational impact and eliminates the attack surface immediately. Supplement by restricting n8n instance network access to trusted IP ranges or internal networks only.
3. POST-COMPROMISE HYGIENE: Rotate all OAuth credentials stored in n8n after patching — assume any instance running the vulnerable version may already have tokens overwritten. Revoke and reissue OAuth app grants in connected external services (Google, Slack, GitHub, etc.) and audit recent authorization events for unexpected accounts.
4. DETECT: Review n8n server access logs for calls to Dynamic Credentials EE endpoints (paths referencing credential authorization flows) originating from users without project membership in the targeted workflow. Audit OAuth token issuance logs in connected external services for authorization events from unexpected accounts or IP addresses.
5. LONG-TERM: Implement monitoring for OAuth grant changes across all services integrated with n8n; enforce least-privilege on n8n user accounts and limit which users can authenticate to Enterprise instances.
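The object-level check that the risk section says the endpoints lacked, beside the session-only check, and the log review from the DETECT step applied after the fact to access-log lines, as an added example that is not n8n's code. The project/sharing model, the endpoint path `/placeholder/dynamic-credentials/...`, the log field names and all sample data are constructed placeholders.

```typescript
interface Credential { ownerProjectId: string; sharedWithUserIds: string[] }
interface State { credentials: Record<string, Credential>; projectMembers: Record<string, string[]> }
interface Finding { userId: string; credentialId: string; path: string }

// Vulnerable pattern from the advisory: any authenticated session passes.
const authzSessionOnly = (userId?: string): boolean => userId !== undefined;

// Hardened pattern: identity AND object-level scope. The caller must be a member
// of the credential's project or hold a sharing grant; unknown ids are denied too.
function authzObjectLevel(state: State, userId: string, credentialId: string): boolean {
  const cred = state.credentials[credentialId];
  if (!cred) return false;
  const members = state.projectMembers[cred.ownerProjectId] ?? [];
  return members.includes(userId) || cred.sharedWithUserIds.includes(userId);
}

// Constructed log format: one JSON object per line; path and fields are placeholders.
const CRED_PATH = /^\/placeholder\/dynamic-credentials\/([^/]+)\/(oauth|revoke)$/;

// Flag every credential-scoped call whose caller fails the object-level check.
function auditLog(state: State, lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    let e: { userId?: unknown; path?: unknown } | null = null;
    try { e = JSON.parse(line); } catch { /* malformed line: skipped below */ }
    const m = e && typeof e.path === "string" ? CRED_PATH.exec(e.path) : null;
    if (!e || !m || typeof e.userId !== "string") continue; // unrelated path or bad line
    if (!authzObjectLevel(state, e.userId, m[1])) {
      findings.push({ userId: e.userId, credentialId: m[1], path: m[0] });
    }
  }
  return findings;
}

// Constructed sample: alice is in proj-data, bob in proj-ops, carol holds a grant
// on cred-slack, mallory has a valid session and nothing else.
const SAMPLE_STATE: State = {
  credentials: {
    "cred-gdrive": { ownerProjectId: "proj-data", sharedWithUserIds: [] },
    "cred-slack": { ownerProjectId: "proj-ops", sharedWithUserIds: ["carol"] },
  },
  projectMembers: { "proj-data": ["alice"], "proj-ops": ["bob"] },
};
const SAMPLE_LOG = [
  '{"userId":"alice","path":"/placeholder/dynamic-credentials/cred-gdrive/oauth"}',
  '{"userId":"mallory","path":"/placeholder/dynamic-credentials/cred-gdrive/oauth"}',
  '{"userId":"carol","path":"/placeholder/dynamic-credentials/cred-slack/revoke"}',
  '{"userId":"mallory","path":"/placeholder/dynamic-credentials/cred-slack/revoke"}',
  '{"userId":"mallory","path":"/placeholder/workflows"}',
  "not json",
];
```

Running `auditLog(SAMPLE_STATE, SAMPLE_LOG)` yields two findings, both for mallory, while alice's and carol's calls pass and the unrelated or malformed lines are skipped.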
Frequently Asked Questions
Is CVE-2026-54305 actively exploited?
No confirmed active exploitation of CVE-2026-54305 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-54305?
This vulnerability affects the following AI/ML architecture patterns: AI agent orchestration platforms, OAuth-integrated workflow automation, RAG pipelines with external data connectors, Agentic AI tool integrations, Enterprise AI automation environments.
What is the CVSS score for CVE-2026-54305?
CVE-2026-54305 has a CVSS v3.1 base score of 9.9 (CRITICAL). The EPSS exploitation probability is 0.04%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0049 Exploit Public-Facing Application
- AML.T0083 Credentials from AI Agent Configuration
- AML.T0084 Discover AI Agent Configuration
- AML.T0086 Exfiltration via AI Agent Tool Invocation
- AML.T0091.000 Application Access Token
- AML.T0106 Exploitation for Credential Access
What are the technical details?
Original Advisory
## Impact

Three EE endpoints used by the Dynamic Credentials feature accepted any authenticated n8n session without performing per-resource ownership or scope checks on the target workflow or credential. An authenticated user with no project membership or credential sharing relationship could enumerate credential identifiers, names, and types referenced by any private workflow in the instance, initiate an OAuth authorization flow against another user's credential to overwrite its stored tokens with tokens bound to an account they control, or revoke another user's stored credential tokens entirely. Workflows relying on a hijacked credential would subsequently execute under the attacker's OAuth identity, enabling data exfiltration to attacker-controlled external services and persistent takeover of integrations. Token revocation would break affected workflows. This issue only affects Enterprise instances where the Dynamic Credentials feature is enabled.

## Patches

The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Restrict n8n instance access to fully trusted users only.
- If the Dynamic Credentials feature is not actively required, disable it by unsetting `N8N_ENV_FEAT_DYNAMIC_CREDENTIALS`.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Exploitation Scenario
A threat actor with a low-privilege n8n Enterprise account — obtained via a compromised contractor credential, a phishing attack against an employee, or a self-registered account on an insufficiently restricted instance — begins by probing the three unprotected Dynamic Credentials EE endpoints. Without any special tooling, they enumerate credential IDs, names, and types across all private workflows in the instance, mapping which external services the organization has connected via OAuth: a Google Drive integration feeding an AI data pipeline, a Slack bot used for automated threat alerts, and a GitHub integration powering code review automations. The attacker selects the Google Drive credential as the highest-value target. They call the OAuth initiation endpoint against that credential's ID, specifying a Google account they control as the OAuth callback recipient. Upon completing the flow, the victim credential's stored tokens are silently overwritten with tokens bound to the attacker's Google account. From this point forward, every n8n workflow that uses the Google Drive integration — including scheduled RAG ingestion jobs and document processing pipelines — routes data to the attacker's Google Drive. The organization observes no errors or behavioral changes; the attack persists undetected until the credential is manually audited or the tokens are rotated.
Weaknesses (CWE)
- CWE-200 Exposure of Sensitive Information to an Unauthorized Actor (Primary)
- CWE-284 Improper Access Control (Primary)
CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Related Vulnerabilities
- CVE-2026-33663 (10.0) n8n: member role steals plaintext HTTP credentials (same package: n8n)
- CVE-2026-54309 (10.0) n8n: MCP browser auth bypass allows full browser takeover (same package: n8n)
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation (same package: n8n)
- CVE-2026-33660 (10.0) TensorFlow: type confusion NPD in tensor conversion (same package: n8n)
- CVE-2026-27577 (9.9) n8n: Code Injection enables RCE (same package: n8n)