EUVD-2026-15944
GHSA-c545-x2rh-82fc
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
n8n is an open source workflow automation platform. Prior to versions 2.4.0 and 1.121.0, when LDAP authentication is enabled, n8n automatically linked an LDAP identity to an existing local account if the LDAP email attribute matched the local account's email. An authenticated LDAP user who could control their own LDAP email attribute could set it to match another user's email - including an administrator's - and upon login gain full access to that account. The account linkage persisted even if the LDAP email was later reverted, resulting in a permanent account takeover. LDAP authentication must be configured and active (non-default). The issue has been fixed in n8n versions 2.4.0 and 1.121.0. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Disable LDAP authentication until the instance can be upgraded, restrict LDAP directory permissions so that users cannot modify their own email attributes, and/or audit existing LDAP-linked accounts for unexpected account associations. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
AnalysisAI
Authenticated n8n users can hijack administrator accounts when LDAP authentication is enabled by manipulating their LDAP email attribute to match a target account's email address, gaining full access that persists even after reverting the email change. This authentication bypass (CWE-287) affects n8n versions prior to 2.4.0 and 1.121.0 where LDAP is configured, and public exploit code exists. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires n8n versions before 2.4.0 or 1.121.0 with LDAP authentication enabled. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The real-world risk is moderate to high for organizations using LDAP authentication with n8n, but limited in overall scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated LDAP user with permission to modify their own directory email attribute changes it to match an administrator's email address (e.g., admin@company.com). Upon their next login to n8n, the platform automatically links their LDAP identity to the administrator account, granting them full administrative access. … |
| Remediation | Upgrade n8n to version 2.4.0 or 1.121.0 or later to fully remediate this vulnerability, as detailed in the GitHub security advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-c545-x2rh-82fc. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit LDAP user account email modification permissions and restrict non-administrators from changing their email attributes at the directory level; document all n8n administrator accounts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today