diff --git a/jobs/cloud_controller_ng/spec b/jobs/cloud_controller_ng/spec
index 993fd983de..b2207847fa 100644
--- a/jobs/cloud_controller_ng/spec
+++ b/jobs/cloud_controller_ng/spec
@@ -170,6 +170,7 @@ provides:
 - cc.logging.format.timestamp
 - cc.logging_level
 - cc.logging_max_retries
+ - cc.max_service_credential_bindings_per_app_service_instance
 - cc.max_labels_per_resource
 - cc.max_annotations_per_resource
 - cc.maximum_health_check_timeout
@@ -894,6 +895,14 @@ properties:
 default: false
 description: "Enable development features for monitoring and insight"
+ cc.max_service_credential_bindings_per_app_service_instance:
+ default: 1
+ description: |
+ Maximum number of service credential bindings allowed per app–service instance pair.
+ A value of 1 (default) enforces a single binding per app–service instance pair.
+ Higher values enable multiple bindings, e.g. for credential rotation without app redeployments.
+ Must be an integer greater than or equal to 1.
+
 cc.max_annotations_per_resource:
 description: "Maximum number of annotations allowed on any single resource. Too many annotations may degrade performance of annotation selectors."
 default: 200
diff --git a/jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb b/jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb
index a8dfdd3f5d..53a9250ac1 100644
--- a/jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb
+++ b/jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb
@@ -565,6 +565,7 @@ diego:
 perm:
 enabled: false
+max_service_credential_bindings_per_app_service_instance: <%= p("cc.max_service_credential_bindings_per_app_service_instance") %>
 max_labels_per_resource: <%= p("cc.max_labels_per_resource") %>
 max_annotations_per_resource: <%= p("cc.max_annotations_per_resource") %>
diff --git a/jobs/cloud_controller_worker/templates/cloud_controller_ng.yml.erb b/jobs/cloud_controller_worker/templates/cloud_controller_ng.yml.erb
index 7583a43b37..e577ef10e5 100644
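Review bot: The description added for `cc.max_service_credential_bindings_per_app_service_instance` in the second hunk of jobs/cloud_controller_ng/spec gives a lower bound but no guidance on an upper bound, and does not say what should happen to superseded bindings after a rotation. Presumably each binding carries its own broker-issued credentials, so a high limit would let several valid credential sets for the same app–service instance pair stay live at once. I would add a sentence such as `Each binding is a separate set of live credentials; keep this as low as your rotation procedure needs and delete superseded bindings.` It would also help to state where a value below 1 is rejected, because the hunk documents the rule without showing anything that enforces it.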
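Review bot: The added `max_service_credential_bindings_per_app_service_instance` line in jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb writes `p(...)` into the config unchecked, so the "integer greater than or equal to 1" rule from the job spec is not enforced at render time. A manifest value of 0, a negative number or a string would reach Cloud Controller unless it validates the key itself, which these hunks do not show. Because this number caps how many credential bindings one app–service instance pair may hold, failing the deploy on a bad value is the safer behaviour. For example, assign `<% max_bindings = p("cc.max_service_credential_bindings_per_app_service_instance") %>`, add `<% raise "cc.max_service_credential_bindings_per_app_service_instance must be an integer >= 1" unless max_bindings.is_a?(Integer) && max_bindings >= 1 %>`, and render `<%= max_bindings %>`. The worker template hunk in the next file renders the same property through the `cloud_controller_internal` link and has the same gap.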
--- a/jobs/cloud_controller_worker/templates/cloud_controller_ng.yml.erb
+++ b/jobs/cloud_controller_worker/templates/cloud_controller_ng.yml.erb
@@ -353,6 +353,8 @@ internal_route_vip_range: <%= internal_vip_range %>
 disable_private_domain_cross_space_context_path_route_sharing: <%= link("cloud_controller_internal").p("cc.disable_private_domain_cross_space_context_path_route_sharing") %>
+max_service_credential_bindings_per_app_service_instance: <%= link("cloud_controller_internal").p("cc.max_service_credential_bindings_per_app_service_instance") %>
+
 max_labels_per_resource: <%= link("cloud_controller_internal").p("cc.max_labels_per_resource") %>
 max_annotations_per_resource: <%= link("cloud_controller_internal").p("cc.max_annotations_per_resource") %>
 custom_metric_tag_prefix_list: <%= link("cloud_controller_internal").p("cc.custom_metric_tag_prefix_list") %>
diff --git a/spec/cloud_controller_ng/cloud_controller_ng_spec.rb b/spec/cloud_controller_ng/cloud_controller_ng_spec.rb
index 6f4855f6ac..5dbedc6888 100644
--- a/spec/cloud_controller_ng/cloud_controller_ng_spec.rb
+++ b/spec/cloud_controller_ng/cloud_controller_ng_spec.rb
@@ -993,6 +993,22 @@ module Test
 end
 end
 end
+
+ context 'with max_service_credential_bindings_per_app_service_instance parameter' do
+ it 'defaults to 1' do
+ template_hash = YAML.safe_load(template.render(merged_manifest_properties, consumes: links))
+ expect(template_hash['max_service_credential_bindings_per_app_service_instance']).to eq(1)
+ end
+
+ context 'when set in the manifest' do
+ before { merged_manifest_properties['cc']['max_service_credential_bindings_per_app_service_instance'] = 5 }
+
+ it 'renders the value from the manifest' do
+ template_hash = YAML.safe_load(template.render(merged_manifest_properties, consumes: links))
+ expect(template_hash['max_service_credential_bindings_per_app_service_instance']).to eq(5)
+ end
+ end
+ end
 end
 end
 end
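Review bot: Both examples in the new `context` of spec/cloud_controller_ng/cloud_controller_ng_spec.rb use values the property accepts (the default 1 and 5), so nothing pins what the template does with a value the job spec rules out, such as 0 or a string. As written, the suite would still pass if an out-of-range limit were rendered into the Cloud Controller config unchanged. If the template is meant to reject such values, add an example that sets `merged_manifest_properties['cc']['max_service_credential_bindings_per_app_service_instance'] = 0` and asserts `expect { template.render(merged_manifest_properties, consumes: links) }.to raise_error(/integer/)`. If rejection is meant to happen inside Cloud Controller instead, a short comment above the context saying so would stop readers assuming the bound is enforced here.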
diff --git a/spec/cloud_controller_worker/cloud_controller_worker_spec.rb b/spec/cloud_controller_worker/cloud_controller_worker_spec.rb
index d792902b9a..b5e0ebfc05 100644
--- a/spec/cloud_controller_worker/cloud_controller_worker_spec.rb
+++ b/spec/cloud_controller_worker/cloud_controller_worker_spec.rb
@@ -86,7 +86,8 @@ module Test
 'packages' => {
 'max_valid_packages_stored' => 5
 },
- 'default_app_lifecycle' => 'cnb'
+ 'default_app_lifecycle' => 'cnb',
+ 'max_service_credential_bindings_per_app_service_instance' => 1
 }
 }
 end
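Review bot: This hunk only adds `'max_service_credential_bindings_per_app_service_instance' => 1` to the link fixture in spec/cloud_controller_worker/cloud_controller_worker_spec.rb; no expectation on the rendered worker config is visible here. The fixture entry stops the render from failing on a missing link property, but it does not show that the worker template emits the key with the linked value. I would add an example mirroring the cloud_controller_ng spec that renders the worker template and checks the key, for instance `expect(template_hash['max_service_credential_bindings_per_app_service_instance']).to eq(1)`, adapted to whatever the worker spec names its rendered hash. The enclosing fixture definition starts and ends outside the hunk, so existing coverage elsewhere in the file cannot be ruled out.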