Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable API, low-complexity call, requires a low-privilege authenticated user with credential:read; scope changes to external OAuth-connected systems and integrity is high while confidentiality and availability are not directly impacted.
Primary rating from Vendor (https://github.com/n8n-io/n8n).
CVSS VectorVendor: https://github.com/n8n-io/n8n
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
Impact
The OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read rather than credential:update. An authenticated user with read-only access to a shared credential could initiate an OAuth reconnect flow and overwrite the stored token material for that credential with tokens bound to an external account they control. Workflows relying on the affected credential would subsequently execute under the attacker's OAuth identity, enabling data exfiltration to attacker-controlled external services and persistent takeover of shared integrations.
This issue affects instances where credentials are shared with other users or across projects.
Patches
The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.21.1. Users should upgrade to one of these versions or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Restrict credential sharing to fully trusted users only.
- Audit shared credentials for unexpected OAuth token changes and revoke any tokens that may have been replaced.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
--- n8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
AnalysisAI
Cross-user authorization bypass in n8n's OAuth1/OAuth2 credential reconnect endpoints allows authenticated users with read-only access to shared credentials to overwrite stored OAuth tokens with attacker-controlled ones. Affects n8n versions prior to 1.123.43, 2.20.7, and 2.21.1 where credentials are shared between users or projects. No public exploit identified at time of analysis, and EPSS score is low (0.04%), but the flaw enables persistent hijacking of shared integrations and downstream workflow execution under the attacker's identity.
Technical ContextAI
n8n is a popular open-source workflow automation platform (npm package 'n8n') that lets users connect third-party services via OAuth-based credentials. The vulnerability is a CWE-639 Authorization Bypass Through User-Controlled Key: the OAuth1 and OAuth2 credential reconnect endpoints performed authorization using the 'credential:read' scope/permission check instead of the stricter 'credential:update' check. Because reconnect flows mutate stored token material, this mismatch lets any principal with read access drive a token rewrite. The CPE references confirm three affected npm release lines (1.x, 2.x stable, and 2.x rc), reflecting that the broken permission check existed across multiple branches of the codebase.
RemediationAI
Vendor-released patches are available: upgrade to n8n 1.123.43, 2.20.7, or 2.21.1 (or later) depending on the release line in use, as published in GHSA-6h4j-wcr9-2vg7 (https://github.com/n8n-io/n8n/security/advisories/GHSA-6h4j-wcr9-2vg7). If immediate upgrade is not feasible, restrict credential sharing to fully trusted users only - accepting the trade-off that team workflows depending on shared credentials may need to be reassigned to individually-owned credentials - and audit shared OAuth credentials for unexpected token changes or unfamiliar OAuth account bindings, revoking and re-issuing any tokens suspected of having been replaced. These workarounds are partial and should not substitute for the patch.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38482
GHSA-6h4j-wcr9-2vg7