CVE-2026-45732: n8n: OAuth token hijack via credential permission bypass

GHSA-6h4j-wcr9-2vg7 (severity: HIGH)
Published May 14, 2026
CISO Take

n8n's OAuth credential reconnect endpoints incorrectly authorized access using credential:read instead of credential:update, allowing any authenticated user with read-only access to a shared credential to overwrite its stored OAuth tokens with tokens bound to an external account they control. In n8n environments used as AI workflow orchestrators or agent platforms — common in enterprise AI automation stacks — this means a low-privilege insider or compromised account can silently redirect all downstream workflow executions to attacker-controlled services, persisting indefinitely until the token replacement is manually detected. With 80 prior CVEs in the same package, an OpenSSF score of only 6.1/10, and 16 downstream dependents, the security posture of n8n warrants heightened scrutiny beyond this single advisory. Upgrade immediately to n8n 1.123.43, 2.20.7, or 2.21.1; if patching is delayed, restrict credential sharing to fully trusted users and audit all shared OAuth credentials for unexpected token changes.

Sources: GitHub Advisory, NVD, ATLAS, OpenSSF

What is the risk?

High risk for organizations using n8n as an AI workflow orchestrator or agent automation platform with shared credentials across teams or projects. The exploit requires only low privileges (a valid authenticated account with credential:read access), no user interaction, and achieves cross-scope impact (S:C in CVSS 3.1 terms). No public exploit code exists and the vulnerability is not in CISA KEV, but the attack concept is straightforward and requires no specialized AI/ML knowledge. The persistent nature of the takeover — workflows continue executing under attacker OAuth identity until manually audited — amplifies the blast radius significantly, especially in multi-tenant deployments where credential sharing is the default operational pattern.

How does the attack unfold?

1. Credential Discovery (ATLAS AML.T0012): Attacker with a valid low-privilege n8n account enumerates shared OAuth credentials accessible via credential:read permission across projects or teams.

2. Authorization Bypass (ATLAS AML.T0106): Attacker calls the OAuth1/OAuth2 reconnect endpoint, which incorrectly accepts credential:read instead of requiring credential:update, bypassing the intended authorization gate without triggering any access control violation.

3. Token Replacement (ATLAS AML.T0091.000): Attacker completes the OAuth flow using their own external account, silently overwriting the shared credential's stored OAuth tokens with attacker-controlled tokens bound to their identity.

4. Persistent Data Exfiltration (ATLAS AML.T0086): All subsequent n8n workflow executions using the hijacked credential run under the attacker's OAuth identity, redirecting AI-processed data to attacker-controlled external services while appearing as normal operational activity.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
n8n       npm         < 1.123.43         1.123.43

Package stats: 194.3K; OpenSSF 6.6; pushed 6d ago; 53% patched; ~7d to patch


How severe is it?

CVSS 3.1: 8.1 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 23% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): None

What should I do?

  1. Patch immediately: upgrade to n8n 1.123.43, 2.20.7, or 2.21.1.

  2. Audit shared credentials: review OAuth token metadata for all shared credentials, specifically checking for tokens bound to external accounts not matching your organization's identity provider.

  3. Revoke and reissue: proactively rotate OAuth tokens on all shared credentials as a precaution against tokens already replaced.

  4. Restrict sharing: if patching is delayed, limit credential sharing to fully trusted users only and disable cross-project credential sharing.

  5. Review workflow execution logs: examine history for unexpected data destinations, identity changes in API calls, or anomalous output behavior.

  6. Monitor connected services: audit OAuth grant lists in external services (Google, GitHub, Slack) for unauthorized application authorizations originating from n8n.
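Steps 2 and 5 amount to an audit over shared-credential metadata. The following is an added example of such an audit, not an n8n feature or n8n code. The record shape is an assumption: n8n does not expose which external account a stored OAuth token belongs to, so tokenSubject stands for an identity you resolve from the provider (for example its userinfo endpoint) before running the audit; the sample records and domain names are constructed.

```typescript
// Added example for remediation steps 2 and 5, not an n8n feature. The record
// shape is an assumption: n8n does not expose which external account a stored
// OAuth token belongs to, so tokenSubject stands for an identity you resolve from
// the provider (for example its userinfo endpoint) before running the audit.

interface SharedCredentialRecord {
  id: string;
  name: string;
  tokenSubject: string;        // account the current OAuth token is bound to
  lastTokenUpdateBy: string;   // n8n user who last completed a reconnect
  editors: string[];           // users entitled to change token material
}

interface Finding {
  credentialId: string;
  reason: string;
}

function domainOf(address: string): string {
  const at = address.lastIndexOf("@");
  return at === -1 ? "" : address.slice(at + 1).toLowerCase();
}

// Flags a credential when its token is bound to an account outside the
// organization's identity domains, or when the last reconnect was performed
// by someone who should only have had read access.
function auditSharedCredentials(records: SharedCredentialRecord[], trustedDomains: string[]): Finding[] {
  const trusted = new Set(trustedDomains.map((d) => d.toLowerCase()));
  const findings: Finding[] = [];
  for (const r of records) {
    if (!trusted.has(domainOf(r.tokenSubject))) {
      findings.push({ credentialId: r.id, reason: `token bound to ${r.tokenSubject}, outside trusted domains` });
    }
    if (!r.editors.includes(r.lastTokenUpdateBy)) {
      findings.push({ credentialId: r.id, reason: `token last replaced by ${r.lastTokenUpdateBy}, who is not an editor` });
    }
  }
  return findings;
}

// Constructed sample export: one healthy credential and two suspicious ones.
const sampleRecords: SharedCredentialRecord[] = [
  { id: "cred-1", name: "Drive ingest", tokenSubject: "svc-ingest@example-org.invalid", lastTokenUpdateBy: "alice", editors: ["alice"] },
  { id: "cred-2", name: "Slack notify", tokenSubject: "someone@example.invalid", lastTokenUpdateBy: "bob", editors: ["alice"] },
  { id: "cred-3", name: "GitHub sync", tokenSubject: "svc-sync@example-org.invalid", lastTokenUpdateBy: "carol", editors: ["alice", "dave"] },
];

function runSampleAudit(): Finding[] {
  return auditSharedCredentials(sampleRecords, ["example-org.invalid"]);
}

for (const f of runSampleAudit()) console.log(`${f.credentialId}: ${f.reason}`);
```

The two checks are independent on purpose: a token replaced through the flawed endpoint by a read-only user trips the second check even when the attacker used an account in a trusted domain, and a token bound to a foreign account trips the first even if the reconnect history is unavailable.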

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.9.2 - Information access control
NIST AI RMF: GOVERN 6.1 - Policies for cybersecurity and privacy risk
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-45732 actively exploited?

No confirmed active exploitation of CVE-2026-45732 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-45732?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, workflow orchestration pipelines, multi-tenant automation platforms, AI data integration pipelines.

What is the CVSS score for CVE-2026-45732?

CVE-2026-45732 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.32%.

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
Workflow orchestration pipelines
Multi-tenant automation platforms
AI data integration pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0083 Credentials from AI Agent Configuration
AML.T0086 Exfiltration via AI Agent Tool Invocation
AML.T0091.000 Application Access Token
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.2
NIST AI RMF: GOVERN 6.1
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, the OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read rather than credential:update. An authenticated user with read-only access to a shared credential could initiate an OAuth reconnect flow and overwrite the stored token material for that credential with tokens bound to an external account they control. Workflows relying on the affected credential would subsequently execute under the attacker's OAuth identity, enabling data exfiltration to attacker-controlled external services and persistent takeover of shared integrations. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.
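To make the flaw concrete, here is an added illustration in TypeScript (n8n's implementation language) of a reconnect handler gated on the wrong scope beside the corrected one. It is not n8n code: the role names, the credential record and the reconnect handler are assumptions, and the accounts are constructed; only the scope names credential:read and credential:update come from the advisory.

```typescript
// Added illustration of the authorization flaw described in the advisory, not
// n8n code. Role names, the credential record and the reconnect handler are
// assumptions; only the scope names credential:read and credential:update come
// from the advisory.

type Scope = "credential:read" | "credential:update";
type Role = "owner" | "editor" | "viewer";

// Hypothetical role-to-scope mapping for a shared credential.
const ROLE_SCOPES: Record<Role, Set<Scope>> = {
  owner: new Set<Scope>(["credential:read", "credential:update"]),
  editor: new Set<Scope>(["credential:read", "credential:update"]),
  viewer: new Set<Scope>(["credential:read"]),
};

interface Credential {
  id: string;
  tokenSubject: string;            // account the stored OAuth token is bound to
  sharing: Record<string, Role>;   // n8n user id -> role on this credential
}

interface User {
  id: string;
}

class AuthorizationError extends Error {}

function hasScope(user: User, cred: Credential, scope: Scope): boolean {
  const role = cred.sharing[user.id];
  return role !== undefined && ROLE_SCOPES[role].has(scope);
}

// Completes a reconnect: the caller's new token replaces the stored one.
// The scope the handler demands is a parameter so both variants share one body.
function reconnect(user: User, cred: Credential, newSubject: string, required: Scope): Credential {
  if (!hasScope(user, cred, required)) {
    throw new AuthorizationError(`${user.id} lacks ${required} on ${cred.id}`);
  }
  return { ...cred, tokenSubject: newSubject };
}

// Vulnerable variant: a token overwrite gated only on the read scope.
function reconnectVulnerable(user: User, cred: Credential, newSubject: string): Credential {
  return reconnect(user, cred, newSubject, "credential:read");
}

// Fixed variant: the write is gated on the update scope, matching what a token
// overwrite actually is.
function reconnectFixed(user: User, cred: Credential, newSubject: string): Credential {
  return reconnect(user, cred, newSubject, "credential:update");
}

// Constructed sample: an org-owned credential shared read-only with one user.
const sampleCredential: Credential = {
  id: "cred-1",
  tokenSubject: "pipeline-bot@example-org.invalid",
  sharing: { alice: "owner", bob: "viewer" },
};
const readOnlyUser: User = { id: "bob" };

type ReconnectFn = (u: User, c: Credential, s: string) => Credential;

// Reports the token subject in effect after a read-only user's reconnect
// attempt: the original when the handler rejects it, the new one when it does not.
function subjectAfterReadOnlyReconnect(variant: ReconnectFn): string {
  try {
    return variant(readOnlyUser, sampleCredential, "personal-account@example.invalid").tokenSubject;
  } catch (e) {
    if (e instanceof AuthorizationError) return sampleCredential.tokenSubject;
    throw e;
  }
}

console.log("vulnerable:", subjectAfterReadOnlyReconnect(reconnectVulnerable));
console.log("fixed:     ", subjectAfterReadOnlyReconnect(reconnectFixed));
```

The defensive lesson is the one CWE-639's first mitigation states: the scope an endpoint checks must match the operation it performs. A reconnect that stores new token material is a write, so the read scope is the wrong gate regardless of how the endpoint is named.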

Exploitation Scenario

An attacker with a legitimate but low-privilege n8n account in a multi-user organization identifies a shared OAuth credential used by an AI data pipeline workflow — for example, a Google Workspace credential that ingests documents for a RAG pipeline or AI summarization workflow. The attacker calls the OAuth reconnect endpoint against that credential, which incorrectly accepts their credential:read permission as sufficient authorization. The attacker completes the OAuth flow using their own personal Google account, silently overwriting the organization's stored OAuth tokens. From this point, every n8n workflow execution using that credential runs under the attacker's Google identity: AI-processed documents are exfiltrated to the attacker's Google Drive, API calls are logged against the attacker's account, and the organization's pipeline output may be redirected or corrupted. The attack leaves minimal forensic trace in n8n itself, as all workflow executions appear operationally normal.

Weaknesses (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

  • [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
  • [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Timeline

Published: May 14, 2026
Last Modified: June 26, 2026
First Seen: May 14, 2026
