Skip to main content

N8n CVE-2026-33720

| EUVDEUVD-2026-15952 MEDIUM
Incorrect Authorization (CWE-863)
2026-03-25 GitHub_M GHSA-vpgc-2f6g-7w7x
6.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
PoC Detected
Mar 27, 2026 - 19:38 vuln.today
Public exploit code
EUVD ID Assigned
Mar 25, 2026 - 18:32 euvd
EUVD-2026-15952
Analysis Generated
Mar 25, 2026 - 18:32 vuln.today
CVE Published
Mar 25, 2026 - 18:06 nvd
MEDIUM 6.3

DescriptionGitHub Advisory

n8n is an open source workflow automation platform. Prior to version 2.8.0, when the N8N_SKIP_AUTH_ON_OAUTH_CALLBACK environment variable is set to true, the OAuth callback handler skips ownership verification of the OAuth state parameter. This allows an attacker to trick a victim into completing an OAuth flow against a credential object the attacker controls, causing the victim's OAuth tokens to be stored in the attacker's credential. The attacker can then use those tokens to execute workflows in their name. This issue only affects instances where N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true is explicitly configured (non-default). The issue has been fixed in n8n version 2.8.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Avoid enabling N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true unless strictly required, and/ or restrict access to the n8n instance to fully trusted users only. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

AnalysisAI

This vulnerability in n8n (an open-source workflow automation platform) is an authentication bypass in the OAuth callback handler that occurs when the N8N_SKIP_AUTH_ON_OAUTH_CALLBACK environment variable is explicitly set to true. An attacker can manipulate the OAuth state parameter verification to trick a victim into completing an OAuth flow that stores the victim's OAuth tokens in an attacker-controlled credential object, allowing the attacker to execute workflows using the victim's delegated permissions. The vulnerability affects n8n versions prior to 2.8.0 and requires non-default configuration to be exploitable, limiting its widespread impact but creating significant risk for affected deployments.

Technical ContextAI

The vulnerability is rooted in CWE-863 (Incorrect Authorization), specifically an improper authorization check in the OAuth callback handler. OAuth implementations rely on state parameters to prevent Cross-Site Request Forgery (CSRF) attacks by validating that the state returned by the authorization server matches the state originally issued to the client. In n8n, when N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true is set, the handler bypasses ownership verification of the OAuth state parameter, breaking the fundamental CSRF protection mechanism. This allows an attacker to initiate an OAuth flow, intercept the callback, and redirect the victim's authorization response to a credential object under attacker control. The affected product is n8n-io/n8n (cpe:2.3:a:n8n-io:n8n:*:*:*:*:*:*:*:*) prior to version 2.8.0.

RemediationAI

Organizations should upgrade n8n to version 2.8.0 or later, which includes the fix for OAuth state parameter ownership verification. For environments where immediate patching is not feasible, administrators should implement the following mitigations as temporary measures: disable the N8N_SKIP_AUTH_ON_OAUTH_CALLBACK environment variable entirely (return to default secure configuration), restrict network access to the n8n instance to fully trusted users and networks only, and implement additional OAuth validation at any reverse proxy or load balancer layer if one exists. Note that these workarounds do not fully eliminate the vulnerability and should be used only until patching is completed. Refer to the vendor advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-vpgc-2f6g-7w7x for detailed guidance.

More in N8n

View all
CVE-2026-21877 CRITICAL POC
9.9 Jan 08

n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with

CVE-2026-21858 CRITICAL POC
10.0 Jan 08

n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical

CVE-2026-1470 CRITICAL POC
9.9 Jan 27

n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through craft

CVE-2026-33660 CRITICAL POC
9.4 Mar 25

An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit

CVE-2026-33665 HIGH POC
8.8 Mar 25

Authenticated n8n users can hijack administrator accounts when LDAP authentication is enabled by manipulating their LDAP

CVE-2023-27563 HIGH POC
8.8 May 10

The n8n package 0.218.0 for Node.js allows Escalation of Privileges. Rated high severity (CVSS 8.8), this vulnerability

CVE-2026-0863 HIGH POC
8.5 Jan 18

Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox

CVE-2023-27564 HIGH POC
7.5 May 10

The n8n package 0.218.0 for Node.js allows Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is

CVE-2023-27562 MEDIUM POC
6.5 May 10

The n8n package 0.218.0 for Node.js allows Directory Traversal. Rated medium severity (CVSS 6.5), this vulnerability is

CVE-2026-33724 MEDIUM POC
6.3 Mar 25

n8n versions prior to 2.5.0 contain a critical SSH host key verification bypass in the Source Control feature that allow

CVE-2026-27577 CRITICAL
9.9 Feb 25

Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path throu

CVE-2026-27495 CRITICAL
9.9 Feb 25

Code injection in n8n workflow automation before 2.10.1/2.9.3/1.123.22 allows authenticated users to execute arbitrary c

Share

CVE-2026-33720 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy