Security risk using credentials from other users in the same n8n instance?

I have an n8n Cloud instance with multiple users. I am the admin of this instance.
When I go to the credential overview, I only see my credentials and those shared by other users of the instance. Just as you would expect.

However, when I create a node in a workflow (e.g., Outlook Connector), I can also select the privately stored credentials of all other users there—and thus, for example, read, change, or delete all their events, emails, etc.
You don’t even have to be malicious to do this – it can happen accidentally (as it did), because the credentials selected by default when creating the node may be those of another user without you immediately noticing or seeing it. The title “Microsoft Outlook OAuth2 API” for a credential in the default setting also says nothing about the user.

Is this a serious bug? No user, not even the admin, should be able to use the private credentials of other users.

Hi @konradsl,

When credentials are used in a workflow, anyone with access to that workflow can use those credentials, regardless of the credential’s “private” status. This is by design, because workflows need to execute with the credentials they were configured with.

This isn’t a bug, it’s how n8n’s permission model works.

Does this help?

Thus, as an admin, I have by design access to ALL workflows and therefore also access to ALL credentials, right? And this is the intended behavior?

Yes, this is by design.

1 Like
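
One way to catch the accidental selection described in this thread is to audit workflow JSON for credential references. This is an added example, not part of the original posts and not n8n's own code. The `owner` fields and the credential inventory are assumptions (constructed data an admin would have to compile); only the `nodes[].credentials[type] = { id, name }` shape follows n8n's workflow JSON.

```javascript
// Constructed inventory (assumption): credential id -> owner, compiled by the admin.
const credentialInventory = [
  { id: "101", type: "microsoftOutlookOAuth2Api", name: "Microsoft Outlook OAuth2 API", owner: "alice@example.com" },
  { id: "102", type: "microsoftOutlookOAuth2Api", name: "Microsoft Outlook OAuth2 API", owner: "bob@example.com" },
  { id: "103", type: "slackApi", name: "Slack (alice)", owner: "alice@example.com" },
];

// Constructed workflow in the shape of an n8n export.
const workflow = {
  name: "Calendar sync",
  owner: "alice@example.com", // hypothetical field added for this audit
  nodes: [
    { name: "Get events", type: "n8n-nodes-base.microsoftOutlook",
      credentials: { microsoftOutlookOAuth2Api: { id: "102", name: "Microsoft Outlook OAuth2 API" } } },
    { name: "Notify", type: "n8n-nodes-base.slack",
      credentials: { slackApi: { id: "103", name: "Slack (alice)" } } },
    { name: "Set fields", type: "n8n-nodes-base.set" }, // node without credentials
  ],
};

// Returns one finding per problem: a credential owned by someone other than the
// workflow owner, a name shared by several credentials of the same type (the
// picker cannot tell them apart), or an id missing from the inventory.
function auditWorkflow(wf, inventory) {
  const byId = new Map(inventory.map((c) => [c.id, c]));
  const nameCount = new Map();
  for (const c of inventory) {
    const key = `${c.type}\u0000${c.name}`;
    nameCount.set(key, (nameCount.get(key) || 0) + 1);
  }
  const findings = [];
  for (const node of wf.nodes || []) {
    for (const [type, ref] of Object.entries(node.credentials || {})) {
      const cred = byId.get(String(ref.id));
      if (!cred) {
        findings.push({ node: node.name, issue: "unknown-credential", id: String(ref.id) });
        continue;
      }
      if (cred.owner !== wf.owner) {
        findings.push({ node: node.name, issue: "foreign-owner", id: cred.id, owner: cred.owner });
      }
      if (nameCount.get(`${type}\u0000${cred.name}`) > 1) {
        findings.push({ node: node.name, issue: "ambiguous-name", id: cred.id, name: cred.name });
      }
    }
  }
  return findings;
}

console.log(auditWorkflow(workflow, credentialInventory));
```

Renaming credentials so that each name identifies its owner removes the `ambiguous-name` findings and makes a wrong default selection visible in the node itself.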
