diff --git a/packages/cli/src/credentials/credentials.service.ts b/packages/cli/src/credentials/credentials.service.ts
index 1c90a64419..4ca1fef92b 100644
--- a/packages/cli/src/credentials/credentials.service.ts
+++ b/packages/cli/src/credentials/credentials.service.ts
@@ -33,7 +33,7 @@ export class CredentialsService {
 
 	static async getAll(
 		user: User,
-		options?: { relations?: string[]; roles?: string[] },
+		options?: { relations?: string[]; roles?: string[]; disableGlobalRole?: boolean },
 	): Promise<ICredentialsDb[]> {
 		const SELECT_FIELDS: Array<keyof ICredentialsDb> = [
 			'id',
@@ -46,7 +46,7 @@ export class CredentialsService {
 
 		// if instance owner, return all credentials
 
-		if (user.globalRole.name === 'owner') {
+		if (user.globalRole.name === 'owner' && options?.disableGlobalRole !== true) {
 			return Db.collections.Credentials.find({
 				select: SELECT_FIELDS,
 				relations: options?.relations,
diff --git a/packages/cli/src/workflows/workflows.services.ee.ts b/packages/cli/src/workflows/workflows.services.ee.ts
index fdc68db4da..c2ecc0d676 100644
--- a/packages/cli/src/workflows/workflows.services.ee.ts
+++ b/packages/cli/src/workflows/workflows.services.ee.ts
@@ -109,7 +109,7 @@ export class EEWorkflowsService extends WorkflowsService {
 		currentUser: User,
 	): Promise<void> {
 		workflow.usedCredentials = [];
-		const userCredentials = await EECredentials.getAll(currentUser);
+		const userCredentials = await EECredentials.getAll(currentUser, { disableGlobalRole: true });
 		const credentialIdsUsedByWorkflow = new Set<number>();
 		workflow.nodes.forEach((node) => {
 			if (!node.credentials) {
diff --git a/packages/cli/test/integration/workflows.controller.ee.test.ts b/packages/cli/test/integration/workflows.controller.ee.test.ts
index 4363f25f14..7598f8e166 100644
--- a/packages/cli/test/integration/workflows.controller.ee.test.ts
+++ b/packages/cli/test/integration/workflows.controller.ee.test.ts
@@ -333,7 +333,7 @@ describe('GET /workflows/:id', () => {
 		expect(response.body.data.sharedWith).toHaveLength(0);
 	});
 
-	test('GET should return workflow with credentials saying owner has access even when not shared', async () => {
+	test('GET should return workflow with credentials saying owner does not have access when not shared', async () => {
 		const owner = await testDb.createUser({ globalRole: globalOwnerRole });
 		const member = await testDb.createUser({ globalRole: globalMemberRole });
 		const savedCredential = await saveCredential(randomCredentialPayload(), { user: member });
@@ -351,7 +351,7 @@ describe('GET /workflows/:id', () => {
 			{
 				id: savedCredential.id.toString(),
 				name: savedCredential.name,
-				currentUserHasAccess: true, // owner has access to any cred
+				currentUserHasAccess: false, // although owner can see, he does not have access
 			},
 		]);