n8n security advisory (AV26-584)

Serial number: AV26-584
Date: June 10, 2026

On June 10, 2026, n8n published security advisories to address vulnerabilities in multiple products:

• n8n (Credential Exfiltration) – multiple versions
• n8n (Cross-Tenant Credential) – multiple versions
• n8n (n8n MCP Browser) – versions 2.26.2 to 2.25.7
• n8n(SecurityScorecard Node) – multiple versions

The Cyber Centre encourages users and administrators to review the provided web link and apply the necessary update.

• Credential Exfiltration via Permission Bypass
• Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints
• n8n MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions
• SecurityScorecard Node Leaks API Token to User-Controlled Host
• n8n Security