CVE-2026-33720: n8n: OAuth state forgery hijacks user credentials

GHSA-vpgc-2f6g-7w7x MEDIUM
Published March 25, 2026
CISO Take

If your n8n deployment has N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true, an attacker can social-engineer users into surrendering their OAuth tokens to an attacker-controlled credential object. Upgrade to n8n 2.8.0 immediately and audit all OAuth credentials for unexpected access. The non-default config flag is the gating factor — if you haven't explicitly set it, you are not exposed.

What is the risk?

Medium CVSS (4.2) understates operational risk for AI workflow deployments. n8n commonly integrates with high-value services — Google Workspace, Slack, OpenAI, cloud providers — via OAuth. Stolen tokens grant persistent access to connected services until manually revoked. Attack requires user interaction and non-default configuration, reducing mass-exploitation risk, but spear-phishing a single admin with this flag enabled against an AI orchestration instance is a realistic, high-value scenario.

What systems are affected?

Package: n8n
Ecosystem: npm
Vulnerable Range: < 2.8.0
Patched: 2.8.0

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1
4.2 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 8% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

What should I do?

6 steps

  1. PATCH: Upgrade n8n to version 2.8.0 or later immediately.
  2. CONFIG: Remove N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true from all environment configurations and container specs.
  3. AUDIT: Review all OAuth credentials in your n8n instance for unexpected creation timestamps or unfamiliar connected accounts.
  4. REVOKE: If compromise is suspected, revoke and re-authorize all OAuth connections from the connected service provider side.
  5. DETECT: Monitor n8n workflow execution logs for runs attributed to accounts inconsistent with normal operator patterns.
  6. ISOLATE: Restrict n8n instance access to fully trusted users only until the patch is applied.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2 - AI System Operation and Access Controls
NIST AI RMF
GOVERN 6.1 - Policies and Procedures for AI Risk Management
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-33720?

If your n8n deployment has N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true, an attacker can social-engineer users into surrendering their OAuth tokens to an attacker-controlled credential object. Upgrade to n8n 2.8.0 immediately and audit all OAuth credentials for unexpected access. The non-default config flag is the gating factor — if you haven't explicitly set it, you are not exposed.

Is CVE-2026-33720 actively exploited?

No confirmed active exploitation of CVE-2026-33720 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-33720?

1. PATCH: Upgrade n8n to version 2.8.0 or later immediately.
2. CONFIG: Remove N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true from all environment configurations and container specs.
3. AUDIT: Review all OAuth credentials in your n8n instance for unexpected creation timestamps or unfamiliar connected accounts.
4. REVOKE: If compromise is suspected, revoke and re-authorize all OAuth connections from the connected service provider side.
5. DETECT: Monitor n8n workflow execution logs for runs attributed to accounts inconsistent with normal operator patterns.
6. ISOLATE: Restrict n8n instance access to fully trusted users only until the patch is applied.

What systems are affected by CVE-2026-33720?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation, LLM orchestration pipelines, API integrations.

What is the CVSS score for CVE-2026-33720?

CVE-2026-33720 has a CVSS v3.1 base score of 4.2 (MEDIUM). The EPSS exploitation probability is 0.18%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, workflow automation, LLM orchestration pipelines, API integrations

MITRE ATLAS Techniques

AML.T0011.003 Malicious Link
AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0091.000 Application Access Token
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: GOVERN 6.1
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to version 2.8.0, when the `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK` environment variable is set to `true`, the OAuth callback handler skips ownership verification of the OAuth state parameter. This allows an attacker to trick a victim into completing an OAuth flow against a credential object the attacker controls, causing the victim's OAuth tokens to be stored in the attacker's credential. The attacker can then use those tokens to execute workflows in their name. This issue only affects instances where `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true` is explicitly configured (non-default). The issue has been fixed in n8n version 2.8.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Avoid enabling `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true` unless strictly required, and/or restrict access to the n8n instance to fully trusted users only. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An attacker discovers a corporate n8n instance running with N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true (common in SSO-integrated deployments where teams disable auth on the callback to avoid redirect loop issues). The attacker creates a credential object in n8n under their account and crafts a phishing email to a legitimate n8n operator — such as a data engineer whose workflows connect Google Drive and an OpenAI integration. The email contains a link initiating an OAuth flow where the state parameter references the attacker's credential object. The victim completes the OAuth consent screen believing they are re-authorizing their own integration. Their Google OAuth tokens are silently stored in the attacker's credential. The attacker then executes workflows using the victim's identity, exfiltrating documents from connected storage, abusing LLM API quota, or pivoting to other systems accessible via the stolen tokens.

Weaknesses (CWE)

CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Timeline

Published
March 25, 2026
Last Modified
March 27, 2026
First Seen
March 25, 2026
