If your n8n deployment has N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true, an attacker can social-engineer users into surrendering their OAuth tokens to an attacker-controlled credential object. Upgrade to n8n 2.8.0 immediately and audit all OAuth credentials for unexpected access. The non-default config flag is the gating factor — if you haven't explicitly set it, you are not exposed.
What is the risk?
Medium CVSS (4.2) understates operational risk for AI workflow deployments. n8n commonly integrates with high-value services — Google Workspace, Slack, OpenAI, cloud providers — via OAuth. Stolen tokens grant persistent access to connected services until manually revoked. Attack requires user interaction and non-default configuration, reducing mass-exploitation risk, but spear-phishing a single admin with this flag enabled against an AI orchestration instance is a realistic, high-value scenario.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | < 2.8.0 | 2.8.0 |
Do you run n8n below 2.8.0 with N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true? You're affected.
What should I do?
6 steps:

1. PATCH: Upgrade n8n to version 2.8.0 or later immediately.
2. CONFIG: Remove N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true from all environment configurations and container specs.
3. AUDIT: Review all OAuth credentials in your n8n instance for unexpected creation timestamps or unfamiliar connected accounts.
4. REVOKE: If compromise is suspected, revoke and re-authorize all OAuth connections from the connected service provider side.
5. DETECT: Monitor n8n workflow execution logs for runs attributed to accounts inconsistent with normal operator patterns.
6. ISOLATE: Restrict n8n instance access to fully trusted users only until the patch is applied.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-33720 actively exploited?
No confirmed active exploitation of CVE-2026-33720 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-33720?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation, LLM orchestration pipelines, API integrations.
What is the CVSS score for CVE-2026-33720?
CVE-2026-33720 has a CVSS v3.1 base score of 4.2 (MEDIUM). The EPSS exploitation probability is 0.18%.
MITRE ATLAS Techniques
- AML.T0011.003 Malicious Link
- AML.T0012 Valid Accounts
- AML.T0049 Exploit Public-Facing Application
- AML.T0053 AI Agent Tool Invocation
- AML.T0091.000 Application Access Token
- AML.T0106 Exploitation for Credential Access
What are the technical details?
Original Advisory
n8n is an open source workflow automation platform. Prior to version 2.8.0, when the `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK` environment variable is set to `true`, the OAuth callback handler skips ownership verification of the OAuth state parameter. This allows an attacker to trick a victim into completing an OAuth flow against a credential object the attacker controls, causing the victim's OAuth tokens to be stored in the attacker's credential. The attacker can then use those tokens to execute workflows in their name. This issue only affects instances where `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true` is explicitly configured (non-default). The issue has been fixed in n8n version 2.8.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Avoid enabling `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true` unless strictly required, and/or restrict access to the n8n instance to fully trusted users only. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Exploitation Scenario
An attacker discovers a corporate n8n instance running with N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true (common in SSO-integrated deployments where teams disable auth on the callback to avoid redirect loop issues). The attacker creates a credential object in n8n under their account and crafts a phishing email to a legitimate n8n operator — such as a data engineer whose workflows connect Google Drive and an OpenAI integration. The email contains a link initiating an OAuth flow where the state parameter references the attacker's credential object. The victim completes the OAuth consent screen believing they are re-authorizing their own integration. Their Google OAuth tokens are silently stored in the attacker's credential. The attacker then executes workflows using the victim's identity, exfiltrating documents from connected storage, abusing LLM API quota, or pivoting to other systems accessible via the stolen tokens.
Weaknesses (CWE)
CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
- [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
- [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Related Vulnerabilities
| CVE | CVSS | Summary | Relation |
|---|---|---|---|
| CVE-2026-33663 | 10.0 | n8n: member role steals plaintext HTTP credentials | Same package: n8n |
| CVE-2026-33660 | 10.0 | TensorFlow: type confusion NPD in tensor conversion | Same package: n8n |
| CVE-2026-21858 | 10.0 | n8n: Input Validation flaw enables exploitation | Same package: n8n |
| CVE-2026-27577 | 9.9 | n8n: Code Injection enables RCE | Same package: n8n |
| CVE-2026-27494 | 9.9 | n8n: security flaw enables exploitation | Same package: n8n |