If your n8n deployment has N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true, an attacker can social-engineer users into surrendering their OAuth tokens to an attacker-controlled credential object. Upgrade to n8n 2.8.0 immediately and audit all OAuth credentials for unexpected access. The non-default config flag is the gating factor — if you haven't explicitly set it, you are not exposed.
What is the risk?
Medium CVSS (4.2) understates operational risk for AI workflow deployments. n8n commonly integrates with high-value services — Google Workspace, Slack, OpenAI, cloud providers — via OAuth. Stolen tokens grant persistent access to connected services until manually revoked. Attack requires user interaction and non-default configuration, reducing mass-exploitation risk, but spear-phishing a single admin with this flag enabled against an AI orchestration instance is a realistic, high-value scenario.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | < 2.8.0 | 2.8.0 |
Do you run n8n below 2.8.0 with N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true? You're affected.
What should I do?
6 steps:
1. PATCH: Upgrade n8n to version 2.8.0 or later immediately.
2. CONFIG: Remove N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true from all environment configurations and container specs.
3. AUDIT: Review all OAuth credentials in your n8n instance for unexpected creation timestamps or unfamiliar connected accounts.
4. REVOKE: If compromise is suspected, revoke and re-authorize all OAuth connections from the connected service provider side.
5. DETECT: Monitor n8n workflow execution logs for runs attributed to accounts inconsistent with normal operator patterns.
6. ISOLATE: Restrict n8n instance access to fully trusted users only until the patch is applied.
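Steps 1 and 2 together decide whether an instance is exposed: the version must be below 2.8.0 and the flag must be set. The following audit helper is an added example, not n8n's own tooling. It reads the flag out of the config text an operator would hand it (a `.env` file, a docker-compose `environment:` block in list or mapping form) and combines it with a version string the caller obtains separately (for example from `n8n --version` or the image tag). All sample inputs are constructed; the function and constant names are my own.

```python
import re

FLAG = "N8N_SKIP_AUTH_ON_OAUTH_CALLBACK"
PATCHED = (2, 8, 0)

# Matches the flag in .env files (KEY=value, export KEY=value), docker-compose list
# form (- KEY=value) and mapping form (KEY: "value"), with optional quotes and a
# trailing comment.
_FLAG_LINE = re.compile(
    rf"^\s*(?:-\s*)?(?:export\s+)?{FLAG}\s*[=:]\s*['\"]?(\w+)['\"]?\s*(?:#.*)?$", re.M
)


def parse_version(version):
    """'2.7.3' or 'v2.8.0-rc1' -> (2, 7, 3) / (2, 8, 0); pre-release suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version: {version!r}")
    return tuple(int(x) for x in m.groups())


def flag_enabled(config_text):
    """True if any occurrence of the flag is set to true (case-insensitive).

    Any enabling occurrence is reported rather than only the last one, because an
    audit should err toward review when several config sources are merged."""
    return any(v.lower() == "true" for v in _FLAG_LINE.findall(config_text))


def assess(version, config_text):
    """Combine the version and the config into the three facts an operator needs."""
    version_vulnerable = parse_version(version) < PATCHED
    enabled = flag_enabled(config_text)
    return {
        "version_vulnerable": version_vulnerable,
        "flag_enabled": enabled,
        "exposed": version_vulnerable and enabled,  # CVE-2026-33720 needs both
    }


# Constructed sample inputs covering the three config shapes the regex understands.
COMPOSE_SNIPPET = """\
services:
  n8n:
    image: n8nio/n8n:2.7.1
    environment:
      - N8N_HOST=n8n.example.internal
      - N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true
"""
ENV_FILE = """\
N8N_PORT=5678
export N8N_SKIP_AUTH_ON_OAUTH_CALLBACK="false"
"""
MAPPING_SNIPPET = """\
    environment:
      N8N_SKIP_AUTH_ON_OAUTH_CALLBACK: "True"   # set to work around a redirect loop
"""

if __name__ == "__main__":
    for label, ver, cfg in [
        ("compose", "2.7.1", COMPOSE_SNIPPET),
        ("env", "2.8.0", ENV_FILE),
        ("mapping", "v2.7.9", MAPPING_SNIPPET),
    ]:
        print(label, assess(ver, cfg))
```

A patched instance that still carries the flag is reported as `flag_enabled` but not `exposed`; step 2 still applies to it, since the NVD text says the flag should be avoided unless strictly required.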
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-33720 actively exploited?
No confirmed active exploitation of CVE-2026-33720 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-33720?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation, LLM orchestration pipelines, API integrations.
What is the CVSS score for CVE-2026-33720?
CVE-2026-33720 has a CVSS v3.1 base score of 4.2 (MEDIUM). The EPSS exploitation probability is 0.01%.
Technical Details
NVD Description
n8n is an open source workflow automation platform. Prior to version 2.8.0, when the `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK` environment variable is set to `true`, the OAuth callback handler skips ownership verification of the OAuth state parameter. This allows an attacker to trick a victim into completing an OAuth flow against a credential object the attacker controls, causing the victim's OAuth tokens to be stored in the attacker's credential. The attacker can then use those tokens to execute workflows in their name. This issue only affects instances where `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true` is explicitly configured (non-default). The issue has been fixed in n8n version 2.8.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: avoid enabling `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true` unless strictly required, and/or restrict access to the n8n instance to fully trusted users only. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Exploitation Scenario
An attacker discovers a corporate n8n instance running with N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true (common in SSO-integrated deployments where teams disable auth on the callback to avoid redirect loop issues). The attacker creates a credential object in n8n under their account and crafts a phishing email to a legitimate n8n operator — such as a data engineer whose workflows connect Google Drive and an OpenAI integration. The email contains a link initiating an OAuth flow where the state parameter references the attacker's credential object. The victim completes the OAuth consent screen believing they are re-authorizing their own integration. Their Google OAuth tokens are silently stored in the attacker's credential. The attacker then executes workflows using the victim's identity, exfiltrating documents from connected storage, abusing LLM API quota, or pivoting to other systems accessible via the stolen tokens.
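The mechanism in the NVD description and the scenario above come down to one check on the callback: the authenticated user finishing the flow must own the credential that the state parameter names. The model below is an added example, not n8n's code; it assumes an HMAC-signed state carrying a credential id (n8n's real state format is not on this page), and the `Credential` and `OAuthCallbackHandler` names and the signing key are constructed for the demo. With the skip flag on, the callback request has no session, so there is nothing to compare the credential's owner against and the tokens land wherever the state points; with the flag off, the same callback is refused.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed signing key for the demo; a real server uses a random per-instance secret.
STATE_KEY = b"constructed-demo-key"


@dataclass
class Credential:
    id: str
    owner: str  # n8n user who owns this credential object
    tokens: dict = field(default_factory=dict)


class OAuthCallbackHandler:
    """Toy model of the endpoint the OAuth provider redirects back to."""

    def __init__(self, credentials, skip_auth_on_callback):
        self.credentials = {c.id: c for c in credentials}
        self.skip_auth_on_callback = skip_auth_on_callback

    def issue_state(self, credential_id):
        """Signed state handed to the provider when a user starts a flow for a credential."""
        payload = json.dumps({"cid": credential_id, "nonce": secrets.token_hex(8)}, sort_keys=True)
        body = base64.urlsafe_b64encode(payload.encode()).decode()
        sig = hmac.new(STATE_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def _parse_state(self, state):
        """Verify the signature and return the state payload; rejects forged states."""
        body, _, sig = state.rpartition(".")
        expected = hmac.new(STATE_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("state signature invalid")
        return json.loads(base64.urlsafe_b64decode(body.encode()))

    def handle_callback(self, state, provider_tokens, session_user=None):
        """Store the tokens returned by the provider into the credential named by `state`.

        Returns the id of the credential that received the tokens; raises PermissionError
        when the ownership check fails.
        """
        cred = self.credentials[self._parse_state(state)["cid"]]
        if self.skip_auth_on_callback:
            # Vulnerable path: the request is unauthenticated, so there is no session user
            # to compare against cred.owner; whichever credential the state names gets them.
            cred.tokens = dict(provider_tokens)
            return cred.id
        if session_user is None:
            raise PermissionError("callback requires an authenticated n8n session")
        if cred.owner != session_user:
            raise PermissionError("state references a credential the caller does not own")
        cred.tokens = dict(provider_tokens)
        return cred.id


def demo():
    """Replay the same consent completion against a vulnerable and a hardened handler.

    Returns {skip_flag: id of the credential that received the victim's tokens, or None}.
    """
    results = {}
    for skip in (True, False):
        creds = [Credential("cred-attacker", owner="attacker"),
                 Credential("cred-victim", owner="victim")]
        handler = OAuthCallbackHandler(creds, skip_auth_on_callback=skip)
        # The flow is started for the attacker's own credential, so the state is valid...
        state = handler.issue_state("cred-attacker")
        # ...and the victim's browser later completes the consent and reaches the callback.
        try:
            results[skip] = handler.handle_callback(
                state, {"access_token": "victim-token"}, session_user="victim")
        except PermissionError:
            results[skip] = None
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the state signature alone does not close the hole: a valid state for the attacker's credential is obtained legitimately by starting a flow, so the only thing standing between the victim's tokens and the wrong credential is the ownership comparison, which needs an authenticated callback. That is why the remediation is to drop the skip flag rather than to harden the state format.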
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Related Vulnerabilities
- CVE-2026-33663 10.0 n8n: member role steals plaintext HTTP credentials (same package: n8n)
- CVE-2026-33660 10.0 TensorFlow: type confusion NPD in tensor conversion (same package: n8n)
- CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation (same package: n8n)
- CVE-2026-27577 9.9 n8n: Code Injection enables RCE (same package: n8n)
- CVE-2026-27494 9.9 n8n: security flaw enables exploitation (same package: n8n)