CVE-2026-45732: n8n: OAuth token hijack via credential permission bypass

GHSA-6h4j-wcr9-2vg7 HIGH
Published May 14, 2026
CISO Take

n8n's OAuth credential reconnect endpoints incorrectly authorized access using credential:read instead of credential:update, allowing any authenticated user with read-only access to a shared credential to overwrite its stored OAuth tokens with tokens bound to an external account they control. In n8n environments used as AI workflow orchestrators or agent platforms — common in enterprise AI automation stacks — this means a low-privilege insider or compromised account can silently redirect all downstream workflow executions to attacker-controlled services, persisting indefinitely until the token replacement is manually detected. With 80 prior CVEs in the same package, an OpenSSF score of only 6.1/10, and 16 downstream dependents, the security posture of n8n warrants heightened scrutiny beyond this single advisory. Upgrade immediately to n8n 1.123.43, 2.20.7, or 2.21.1; if patching is delayed, restrict credential sharing to fully trusted users and audit all shared OAuth credentials for unexpected token changes.

Sources: GitHub Advisory, NVD, ATLAS, OpenSSF

What is the risk?

High risk for organizations using n8n as an AI workflow orchestrator or agent automation platform with shared credentials across teams or projects. The exploit requires only low privileges (a valid authenticated account with credential:read access), no user interaction, and achieves cross-scope impact (S:C in CVSS 3.1 terms). No public exploit code exists and the vulnerability is not in CISA KEV, but the attack concept is straightforward and requires no specialized AI/ML knowledge. The persistent nature of the takeover — workflows continue executing under attacker OAuth identity until manually audited — amplifies the blast radius significantly, especially in multi-tenant deployments where credential sharing is the default operational pattern.

Attack Kill Chain

  1. Credential Discovery (AML.T0012): Attacker with a valid low-privilege n8n account enumerates shared OAuth credentials accessible via credential:read permission across projects or teams.

  2. Authorization Bypass (AML.T0106): Attacker calls the OAuth1/OAuth2 reconnect endpoint, which incorrectly accepts credential:read instead of requiring credential:update, bypassing the intended authorization gate without triggering any access control violation.

  3. Token Replacement (AML.T0091.000): Attacker completes the OAuth flow using their own external account, silently overwriting the shared credential's stored OAuth tokens with attacker-controlled tokens bound to their identity.

  4. Persistent Data Exfiltration (AML.T0086): All subsequent n8n workflow executions using the hijacked credential run under the attacker's OAuth identity, redirecting AI-processed data to attacker-controlled external services while appearing as normal operational activity.

What systems are affected?

Package: n8n
Ecosystem: npm
Vulnerable range: < 1.123.43
Patched: 1.123.43
Package profile: 187.3K, OpenSSF 6.1, 16 dependents, pushed 4d ago, 43% patched, ~3d to patch

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

6 steps
  1. Patch immediately: upgrade to n8n 1.123.43, 2.20.7, or 2.21.1.

  2. Audit shared credentials: review OAuth token metadata for all shared credentials, specifically checking for tokens bound to external accounts not matching your organization's identity provider.

  3. Revoke and reissue: proactively rotate OAuth tokens on all shared credentials as a precaution against tokens already replaced.

  4. Restrict sharing: if patching is delayed, limit credential sharing to fully trusted users only and disable cross-project credential sharing.

  5. Review workflow execution logs: examine history for unexpected data destinations, identity changes in API calls, or anomalous output behavior.

  6. Monitor connected services: audit OAuth grant lists in external services (Google, GitHub, Slack) for unauthorized application authorizations originating from n8n.
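Steps 2 and 3 above boil down to two checks over an export of shared credentials: is the stored token bound to an account outside the organisation's identity provider, and has the token material changed since a known-good baseline? The TypeScript below is an added example, not n8n's code and not its storage schema; it assumes a hypothetical export record (`SharedOAuthCredentialRecord`) that carries the bound account and a fingerprint of the token material, and all sample values are constructed.

```typescript
// Added example for the "audit shared credentials" and "revoke and reissue"
// steps. Not n8n's code: the record shape is a hypothetical export, and the
// fingerprint is assumed to be a hash of the stored token material (never the
// token itself) captured by whatever export process the operator uses.

interface SharedOAuthCredentialRecord {
  id: string;
  name: string;
  sharedWithUserIds: string[];   // empty means the credential is not shared
  boundAccount: string;          // identity the current token is bound to (e.g. the provider's userinfo email)
  tokenFingerprint: string;      // hash of the stored token material
  lastTokenChangeAt: string;     // ISO-8601 timestamp of the last token write
}

interface Finding {
  credentialId: string;
  code: 'EXTERNAL_ACCOUNT' | 'TOKEN_CHANGED';
  detail: string;
}

function accountDomain(account: string): string {
  const at = account.lastIndexOf('@');
  return at < 0 ? '' : account.slice(at + 1).toLowerCase();
}

// Flags shared credentials whose bound account lies outside the organisation's
// domains and credentials whose token material differs from the baseline.
function auditSharedOAuthCredentials(
  records: SharedOAuthCredentialRecord[],
  orgDomains: string[],
  baselineFingerprints: Record<string, string>, // credentialId -> fingerprint taken at a trusted point in time
): Finding[] {
  const domains = new Set(orgDomains.map((d) => d.toLowerCase()));
  const findings: Finding[] = [];
  for (const r of records) {
    if (r.sharedWithUserIds.length === 0) continue; // only shared credentials are exposed by this issue
    if (!domains.has(accountDomain(r.boundAccount))) {
      findings.push({ credentialId: r.id, code: 'EXTERNAL_ACCOUNT', detail: `bound to ${r.boundAccount}` });
    }
    const baseline = baselineFingerprints[r.id];
    if (baseline !== undefined && baseline !== r.tokenFingerprint) {
      findings.push({ credentialId: r.id, code: 'TOKEN_CHANGED', detail: `token material changed at ${r.lastTokenChangeAt}` });
    }
  }
  return findings;
}

// Constructed sample export: one healthy shared credential, one rebound to an
// outside account with new token material, and one unshared credential.
const sampleRecords: SharedOAuthCredentialRecord[] = [
  { id: 'c1', name: 'Google Workspace (RAG ingest)', sharedWithUserIds: ['u2', 'u3'],
    boundAccount: 'ingest-bot@corp.example', tokenFingerprint: 'fp-aaaa', lastTokenChangeAt: '2026-04-02T09:00:00Z' },
  { id: 'c2', name: 'Slack (alerts)', sharedWithUserIds: ['u2'],
    boundAccount: 'someone@mail.example', tokenFingerprint: 'fp-cccc', lastTokenChangeAt: '2026-05-13T22:41:00Z' },
  { id: 'c3', name: 'GitHub (private, unshared)', sharedWithUserIds: [],
    boundAccount: 'outsider@other.example', tokenFingerprint: 'fp-dddd', lastTokenChangeAt: '2026-05-13T22:50:00Z' },
];
const baselineFingerprints: Record<string, string> = { c1: 'fp-aaaa', c2: 'fp-bbbb' };

function runAudit(): Finding[] {
  return auditSharedOAuthCredentials(sampleRecords, ['corp.example'], baselineFingerprints);
}
```

Every credential that comes back with either finding is a candidate for step 3 (revoke and reissue); a `TOKEN_CHANGED` hit with no corresponding change ticket is the signal to pull the workflow execution history for that credential as step 5 describes.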

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.2 - Information access control
NIST AI RMF
GOVERN 6.1 - Policies for cybersecurity and privacy risk
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-45732 actively exploited?

No confirmed active exploitation of CVE-2026-45732 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-45732?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, workflow orchestration pipelines, multi-tenant automation platforms, AI data integration pipelines.

What is the CVSS score for CVE-2026-45732?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Impact

The OAuth1 and OAuth2 credential reconnect endpoints authorized access using `credential:read` rather than `credential:update`. An authenticated user with read-only access to a shared credential could initiate an OAuth reconnect flow and overwrite the stored token material for that credential with tokens bound to an external account they control. Workflows relying on the affected credential would subsequently execute under the attacker's OAuth identity, enabling data exfiltration to attacker-controlled external services and persistent takeover of shared integrations. This issue affects instances where credentials are shared with other users or across projects.

Patches

The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.21.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
  - Restrict credential sharing to fully trusted users only.
  - Audit shared credentials for unexpected OAuth token changes and revoke any tokens that may have been replaced.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

n8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Exploitation Scenario

An attacker with a legitimate but low-privilege n8n account in a multi-user organization identifies a shared OAuth credential used by an AI data pipeline workflow — for example, a Google Workspace credential that ingests documents for a RAG pipeline or AI summarization workflow. The attacker calls the OAuth reconnect endpoint against that credential, which incorrectly accepts their credential:read permission as sufficient authorization. The attacker completes the OAuth flow using their own personal Google account, silently overwriting the organization's stored OAuth tokens. From this point, every n8n workflow execution using that credential runs under the attacker's Google identity: AI-processed documents are exfiltrated to the attacker's Google Drive, API calls are logged against the attacker's account, and the organization's pipeline output may be redirected or corrupted. The attack leaves minimal forensic trace in n8n itself, as all workflow executions appear operationally normal.

Timeline

Published
May 14, 2026
Last Modified
May 14, 2026
First Seen
May 14, 2026
