CVE-2026-54305 / CVE-2026-54307 — n8n: OAuth credential hijack and cross-tenant credential access in shared deployments
From CTI Daily Brief — 2026-06-30 · published 2026-06-30
NCSC-NL advisory NCSC-2026-0212 batches a set of GitHub Security Advisories against the n8n workflow-automation platform (NCSC-NL, 2026-06-29). The top flaw, CVE-2026-54305 (CVSS 8.9), is in the Dynamic Credentials Enterprise Edition endpoints: missing ownership/scope checks let any authenticated user enumerate credential IDs and initiate OAuth flows that overwrite — or revoke — another tenant's OAuth tokens, a cross-tenant integration takeover and lateral-movement path (T1078.004, T1548) (GitHub Security Advisory GHSA-2j5h-858j-5mpf). CVE-2026-54307 (CVSS 8.5) lets editor-level users read other users' credentials via the public API in shared instances (T1552.001) (GitHub Security Advisory GHSA-pmqw-72cg-wx85).

The same batch also fixes unauthenticated workflow execution via the MicrosoftAgent365Trigger and StripeTrigger webhook nodes (path-token matching with no HMAC signature verification), CSP bypass, Chat-Trigger JS injection, and HTTP-Request-node prototype pollution. Affected trains: < 1.123.55, < 2.24.0, < 2.25.7, < 2.26.1, < 2.26.2. No in-the-wild exploitation reported.

Hunt: unexpected OAuth grant changes in connected IdPs; credential-management API calls from non-owner users; unauthenticated POSTs to trigger endpoints.