ctipilot.ch

n8n Dynamic Credentials EE cross-tenant OAuth credential hijack (CVSS 8.9)

cve · CVE-2026-54305

Coverage timeline: 1 (first 2026-06-30 → last 2026-06-30)
Briefs: 1 (1 distinct)
Sources cited: 31 (19 hosts)
Sections touched: 1 (trending_vulns)
Co-occurring entities: 3

Story timeline

  1. 2026-06-30 · CTI Daily Brief — 2026-06-30
    trending_vulns · First coverage. Part of NCSC-2026-0212 (18 GHSAs); cross-tenant OAuth credential hijack/revoke; no ITW.

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • attack.mitre.org: 9 (29%)
  • github.com: 3 (10%)
  • securityweek.com: 2 (6%)
  • thehackernews.com: 2 (6%)
  • advisories.ncsc.nl: 1 (3%)
  • bleepingcomputer.com: 1 (3%)
  • blog.calif.io: 1 (3%)
  • blog.sekoia.io: 1 (3%)
  • other: 11 (35%)

External references

NVD · cve.org · CISA KEV

Items in briefs about n8n Dynamic Credentials EE cross-tenant OAuth credential hijack (CVSS 8.9) (1)

CVE-2026-54305 / CVE-2026-54307 — n8n: OAuth credential hijack and cross-tenant credential access in shared deployments

From CTI Daily Brief — 2026-06-30 · published 2026-06-30

NCSC-NL advisory NCSC-2026-0212 batches a set of GitHub Security Advisories against the n8n workflow-automation platform (NCSC-NL, 2026-06-29).

The top flaw, CVE-2026-54305 (CVSS 8.9), sits in the Dynamic Credentials Enterprise Edition endpoints. Missing ownership and scope checks let any authenticated user enumerate credential IDs and initiate OAuth flows that overwrite, or revoke, another tenant's OAuth tokens: a cross-tenant integration takeover and lateral-movement path (T1078.004, T1548) (GitHub Security Advisory GHSA-2j5h-858j-5mpf).

CVE-2026-54307 (CVSS 8.5) lets editor-level users read other users' credentials through the public API on shared instances (T1552.001) (GitHub Security Advisory GHSA-pmqw-72cg-wx85).

The same batch also fixes unauthenticated workflow execution via the MicrosoftAgent365Trigger and StripeTrigger webhook nodes (the handlers accepted any request that matched the secret path token and performed no HMAC signature verification of the payload), a CSP bypass, JavaScript injection via the Chat Trigger node, and prototype pollution in the HTTP Request node.

Affected version ranges across the batch: < 1.123.55, < 2.24.0, < 2.25.7, < 2.26.1, < 2.26.2. No in-the-wild exploitation reported.

Hunt: unexpected OAuth grant changes in connected IdPs; credential-management API calls from users who do not own the credential; unauthenticated POSTs to trigger endpoints.
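The webhook-trigger weakness in the brief (a handler that trusts a secret path token and never checks a payload signature) is easiest to see with the two patterns side by side. The block below is an added example written for this page, not n8n's or Stripe's code. It assumes a Stripe-style signature header (`stripe-signature` carrying `t=<unix seconds>,v1=<hex HMAC-SHA256>` over `<t>.<raw body>`); other providers differ in header name and encoding, and the `sign` helper stands in for the provider so the check can be exercised offline.

```typescript
// Added example, not n8n's or Stripe's code: a webhook handler that only
// matches a path token beside one that verifies a provider HMAC signature.
import { createHmac, timingSafeEqual } from "crypto";

export interface WebhookRequest {
  path: string;                     // e.g. /webhook/<token>
  body: string;                     // raw body as received, before JSON parsing
  headers: Record<string, string>;  // lower-cased header names
}

// Vulnerable pattern from the brief: the caller is "authenticated" only by
// knowing the URL. Anyone who sees it (proxy logs, a screenshot, a shared
// workflow export) can start the workflow with an arbitrary body.
export function acceptByPathToken(req: WebhookRequest, expectedToken: string): boolean {
  return req.path === `/webhook/${expectedToken}`;
}

// Hardened pattern. Assumed Stripe-style scheme:
//   header "stripe-signature" = "t=<unix seconds>,v1=<hex HMAC-SHA256>"
//   MAC computed over "<t>.<raw body>" with the endpoint's signing secret.
export function verifySignature(
  req: WebhookRequest,
  signingSecret: string,
  nowSeconds: number,
  toleranceSeconds: number = 300,
): boolean {
  const header = req.headers["stripe-signature"];
  if (!header) return false;

  const parts: Record<string, string> = {};
  for (const kv of header.split(",")) {
    const i = kv.indexOf("=");
    if (i > 0) parts[kv.slice(0, i).trim()] = kv.slice(i + 1).trim();
  }
  const t = parts["t"];
  const v1 = parts["v1"];
  if (!t || !v1 || !/^\d+$/.test(t)) return false;

  // Replay window: a captured signed request must not be accepted forever.
  if (Math.abs(nowSeconds - Number(t)) > toleranceSeconds) return false;

  const expected = createHmac("sha256", signingSecret)
    .update(`${t}.${req.body}`)
    .digest();
  const presented = Buffer.from(v1, "hex");
  // timingSafeEqual throws on differing lengths, so compare lengths first;
  // a non-hex or truncated v1 fails here rather than leaking timing.
  return presented.length === expected.length && timingSafeEqual(presented, expected);
}

// Stand-in for the provider: produces a valid header for a given secret so
// the check can be exercised without network access.
export function sign(body: string, signingSecret: string, t: number): string {
  const mac = createHmac("sha256", signingSecret).update(`${t}.${body}`).digest("hex");
  return `t=${t},v1=${mac}`;
}
```

The MAC must be computed over the raw bytes exactly as received; re-serialising a parsed JSON body before hashing will break verification on harmless whitespace differences and invites "fallback" code paths that skip the check.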
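Two of the three hunt signals at the end of the brief can be expressed as simple rules over an audit log. The block below is an added example written for this page, not n8n's code: the event shape, field names, paths and the sample events are all constructed, not n8n's real log schema or endpoints. It flags credential-management calls by a user who neither owns the credential nor was explicitly shared it, and POSTs to trigger paths that carry no provider signature header (trigger endpoints are unauthenticated by design, so the missing signature, not the missing session, is the signal).

```typescript
// Added example, not n8n's code: hunt rules over a constructed audit log.
// Field names, paths and sample data are assumptions for illustration.
export interface AuditEvent {
  ts: string;
  actor: string | null;             // authenticated user id, null if unauthenticated
  method: string;
  path: string;
  credentialId?: string;
  credentialOwner?: string;         // owner recorded for the credential touched
  sharedWith?: string[];            // users the owner explicitly shared it with
  headers?: Record<string, string>; // lower-cased header names
}

export interface Finding {
  rule: "cred-access-by-non-owner" | "unsigned-trigger-post";
  ts: string;
  detail: string;
}

// Constructed sample events (not real n8n output).
export const SAMPLE_EVENTS: AuditEvent[] = [
  { ts: "2026-06-30T08:00:01Z", actor: "alice", method: "GET", path: "/rest/credentials/c-101", credentialId: "c-101", credentialOwner: "alice" },
  { ts: "2026-06-30T08:00:07Z", actor: "mallory", method: "GET", path: "/rest/credentials/c-101", credentialId: "c-101", credentialOwner: "alice" },
  { ts: "2026-06-30T08:00:09Z", actor: "mallory", method: "POST", path: "/rest/oauth/authorize?credentialId=c-101", credentialId: "c-101", credentialOwner: "alice" },
  { ts: "2026-06-30T08:00:12Z", actor: "bob", method: "GET", path: "/api/v1/credentials/c-102", credentialId: "c-102", credentialOwner: "alice", sharedWith: ["bob"] },
  { ts: "2026-06-30T08:01:00Z", actor: null, method: "POST", path: "/webhook/9f3a-stripe", headers: { "stripe-signature": "t=1782758460,v1=00" } },
  { ts: "2026-06-30T08:01:30Z", actor: null, method: "POST", path: "/webhook/9f3a-stripe", headers: {} },
  { ts: "2026-06-30T08:02:00Z", actor: null, method: "GET", path: "/healthz" },
];

// Credential-management calls by someone other than the owner or an explicit
// sharee. Under the missing ownership checks described in the brief these
// requests would have succeeded, so they are the thing to look for.
export function huntCredentialAccessByNonOwner(events: AuditEvent[]): Finding[] {
  const out: Finding[] = [];
  for (const e of events) {
    if (!e.credentialId || !e.credentialOwner || !e.actor) continue;
    const sharees = e.sharedWith ?? [];
    const allowed = e.actor === e.credentialOwner || sharees.indexOf(e.actor) !== -1;
    if (!allowed) {
      out.push({
        rule: "cred-access-by-non-owner",
        ts: e.ts,
        detail: `${e.actor} ${e.method} ${e.path} on ${e.credentialId} owned by ${e.credentialOwner}`,
      });
    }
  }
  return out;
}

// POSTs to trigger paths with no provider signature header at all. A present
// but invalid signature is the handler's job to reject; its absence is what
// exploitation of a path-token-only handler looks like in the log.
export function huntUnsignedTriggerPosts(
  events: AuditEvent[],
  triggerPrefix: string = "/webhook/",
  signatureHeaders: string[] = ["stripe-signature"],
): Finding[] {
  const out: Finding[] = [];
  for (const e of events) {
    if (e.method !== "POST" || e.path.indexOf(triggerPrefix) !== 0 || e.actor !== null) continue;
    const h = e.headers ?? {};
    const hasSignature = signatureHeaders.some((name) => name in h);
    if (!hasSignature) {
      out.push({ rule: "unsigned-trigger-post", ts: e.ts, detail: `unauthenticated POST ${e.path} without ${signatureHeaders.join("/")}` });
    }
  }
  return out;
}

export function runHunt(events: AuditEvent[]): Finding[] {
  return [...huntCredentialAccessByNonOwner(events), ...huntUnsignedTriggerPosts(events)];
}
```

The third signal, unexpected OAuth grant changes, lives in the identity provider's own audit log rather than in n8n, so it is not modelled here; correlating a grant change there with a non-owner credential call here at the same time is the strongest form of the hunt.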