Skip to main content

n8n CVE-2026-45732

| EUVDEUVD-2026-38482 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-14 https://github.com/n8n-io/n8n GHSA-6h4j-wcr9-2vg7
8.3
CVSS 4.0 · Vendor: https://github.com/n8n-io/n8n
Share

Severity by source

Vendor (https://github.com/n8n-io/n8n) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.7 HIGH

Network-reachable API, low-complexity call, requires a low-privilege authenticated user with credential:read; scope changes to external OAuth-connected systems and integrity is high while confidentiality and availability are not directly impacted.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Primary rating from Vendor (https://github.com/n8n-io/n8n).

CVSS VectorVendor: https://github.com/n8n-io/n8n

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

9
Analysis Updated
Jun 23, 2026 - 18:47 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 18:45 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 18:44 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 18:44 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 23, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
Jun 23, 2026 - 18:22 NVD
8.3 (HIGH)
Source Code Evidence Fetched
May 14, 2026 - 17:02 vuln.today
Analysis Generated
May 14, 2026 - 17:02 vuln.today
CVE Published
May 14, 2026 - 16:18 nvd
HIGH

DescriptionCVE.org

Impact

The OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read rather than credential:update. An authenticated user with read-only access to a shared credential could initiate an OAuth reconnect flow and overwrite the stored token material for that credential with tokens bound to an external account they control. Workflows relying on the affected credential would subsequently execute under the attacker's OAuth identity, enabling data exfiltration to attacker-controlled external services and persistent takeover of shared integrations.

This issue affects instances where credentials are shared with other users or across projects.

Patches

The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.21.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

  • Restrict credential sharing to fully trusted users only.
  • Audit shared credentials for unexpected OAuth token changes and revoke any tokens that may have been replaced.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

--- n8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

AnalysisAI

Cross-user authorization bypass in n8n's OAuth1/OAuth2 credential reconnect endpoints allows authenticated users with read-only access to shared credentials to overwrite stored OAuth tokens with attacker-controlled ones. Affects n8n versions prior to 1.123.43, 2.20.7, and 2.21.1 where credentials are shared between users or projects. No public exploit identified at time of analysis, and EPSS score is low (0.04%), but the flaw enables persistent hijacking of shared integrations and downstream workflow execution under the attacker's identity.

Technical ContextAI

n8n is a popular open-source workflow automation platform (npm package 'n8n') that lets users connect third-party services via OAuth-based credentials. The vulnerability is a CWE-639 Authorization Bypass Through User-Controlled Key: the OAuth1 and OAuth2 credential reconnect endpoints performed authorization using the 'credential:read' scope/permission check instead of the stricter 'credential:update' check. Because reconnect flows mutate stored token material, this mismatch lets any principal with read access drive a token rewrite. The CPE references confirm three affected npm release lines (1.x, 2.x stable, and 2.x rc), reflecting that the broken permission check existed across multiple branches of the codebase.

RemediationAI

Vendor-released patches are available: upgrade to n8n 1.123.43, 2.20.7, or 2.21.1 (or later) depending on the release line in use, as published in GHSA-6h4j-wcr9-2vg7 (https://github.com/n8n-io/n8n/security/advisories/GHSA-6h4j-wcr9-2vg7). If immediate upgrade is not feasible, restrict credential sharing to fully trusted users only - accepting the trade-off that team workflows depending on shared credentials may need to be reassigned to individually-owned credentials - and audit shared OAuth credentials for unexpected token changes or unfamiliar OAuth account bindings, revoking and re-issuing any tokens suspected of having been replaced. These workarounds are partial and should not substitute for the patch.

Share

CVE-2026-45732 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy