n8n's OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read instead of credential:update, so any authenticated user with read-only access to a shared credential could run the reconnect flow and overwrite its stored OAuth tokens with tokens bound to an external account they control. In n8n environments used as AI workflow orchestrators or agent platforms, common in enterprise AI automation stacks, a low-privilege insider or a compromised account can silently make every downstream execution of workflows using that credential run under an attacker-controlled OAuth identity, and the takeover persists until the token replacement is detected and the owner reconnects the credential. With 80 prior CVEs in the same package, an OpenSSF score of only 6.1/10, and 16 downstream dependents, the security posture of n8n warrants scrutiny beyond this single advisory. Upgrade immediately to n8n 1.123.43, 2.20.7, or 2.22.1 (the fixed releases named in the original advisory below); if patching is delayed, restrict credential sharing to fully trusted users and audit all shared OAuth credentials for unexpected token changes.
What is the risk?
High risk for organizations using n8n as an AI workflow orchestrator or agent automation platform with credentials shared across teams or projects. Exploitation requires only low privileges (a valid authenticated account holding credential:read on the target credential), no user interaction, and is reachable over the network. Note that the CVSS 3.1 vector on this page scores scope as unchanged (S:U), so the 8.1 base score reflects impact on n8n's own data; the practical blast radius is larger, because the replaced credential reaches into every external service the affected workflows touch. No public exploit code exists and the vulnerability is not in CISA KEV, but the attack is straightforward (initiate a reconnect, complete the consent screen with an account you control) and requires no specialized AI/ML knowledge. The persistent nature of the takeover, with workflows continuing to execute under the attacker's OAuth identity until someone audits the credential, amplifies the impact, especially in multi-tenant deployments where credential sharing is the default operational pattern.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | < 1.123.43 | 1.123.43 |
Do you use n8n? Any instance older than the patched releases is affected. The table above only captures the 1.x line; the original advisory below also names 2.20.7 and 2.22.1 as the fixed releases for the 2.x line, so 2.x instances below those versions are affected as well.
What should I do?
6 steps
- Patch immediately: upgrade to n8n 1.123.43, 2.20.7, or 2.22.1.
- Audit shared credentials: review the OAuth token material and metadata of every shared credential, checking for tokens bound to accounts outside your organization's identity provider and for modification timestamps that do not correspond to an owner-initiated reconnect.
- Revoke and reissue: rotate OAuth tokens on all shared credentials as a precaution against tokens already replaced, reconnecting each one from the account that is supposed to back it so that any attacker-bound token is overwritten. Do this after patching; on a vulnerable version a read-only sharer can simply reconnect again.
- Restrict sharing: if patching is delayed, limit credential sharing to fully trusted users only and disable cross-project credential sharing.
- Review workflow execution logs: examine history for unexpected data destinations, identity changes in API calls, anomalous output, or a sudden run of permission errors on steps that previously succeeded against organization-owned resources (a workflow running under a foreign account loses access to the resources it used to reach).
- Monitor connected services: audit OAuth grant lists in external services (Google, GitHub, Slack) and confirm that the n8n application is authorized only by the accounts you expect to back each credential, with consent dates consistent with the credential's history.
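The audit and rotation steps above can be driven from exported credential metadata. The following script is an added example, not n8n's own tooling: the record shape (id, type, updatedAt, shares with their roles, and tokenAccount) is constructed for this example and must be mapped onto your own export, and tokenAccount is assumed to have been collected out-of-band from the provider's token-information endpoint, since n8n does not display which account a stored token belongs to. The allowed identity domains and the known-good baseline date are assumptions as well.

```javascript
// Added example (not part of n8n): triage exported credential metadata for the
// two signals the remediation steps ask for, then derive a rotation order.

const ORG_DOMAINS = new Set(['example.com']);               // assumed: identity domains your IdP owns
const KNOWN_GOOD_BASELINE = new Date('2026-01-01T00:00:00Z'); // assumed: last date the instance was verified clean

// Constructed records. 'credential:user' is the read-only ("use") sharing role;
// tokenAccount is the account the provider reports for the stored token.
const CREDENTIALS = [
  { id: 'c1', name: 'Drive ingest (RAG)', type: 'googleDriveOAuth2Api',
    updatedAt: '2026-02-03T10:15:00Z', tokenAccount: 'pipeline@example.com',
    shares: [{ userId: 'alice', role: 'credential:owner' }, { userId: 'mallory', role: 'credential:user' }] },
  { id: 'c2', name: 'Slack alerts', type: 'slackOAuth2Api',
    updatedAt: '2026-02-10T08:00:00Z', tokenAccount: 'mallory@attacker.example',
    shares: [{ userId: 'bob', role: 'credential:owner' }, { userId: 'mallory', role: 'credential:user' }] },
  { id: 'c3', name: 'GitHub deploy', type: 'githubOAuth2Api',
    updatedAt: '2025-11-20T12:00:00Z', tokenAccount: 'ci@example.com',
    shares: [{ userId: 'bob', role: 'credential:owner' }] },
];

// Domain part of an account identifier, or null when it has no '@'.
function domainOf(account) {
  const at = account.lastIndexOf('@');
  return at === -1 ? null : account.slice(at + 1).toLowerCase();
}

// Produce findings for one credential:
//  high   - the stored token is bound to an account outside the allowed domains
//  medium - the credential is shared read-only and its token material changed
//           after the baseline, so someone must confirm who reconnected it
function auditCredential(cred, { orgDomains = ORG_DOMAINS, baseline = KNOWN_GOOD_BASELINE } = {}) {
  const findings = [];
  const domain = domainOf(cred.tokenAccount);
  if (domain === null || !orgDomains.has(domain)) {
    findings.push({ id: cred.id, severity: 'high',
      reason: `token bound to ${cred.tokenAccount}, outside allowed domains` });
  }
  const readOnlySharers = cred.shares.filter(s => s.role === 'credential:user').map(s => s.userId);
  if (readOnlySharers.length > 0 && new Date(cred.updatedAt) > baseline) {
    findings.push({ id: cred.id, severity: 'medium',
      reason: `shared read-only with ${readOnlySharers.join(', ')} and modified ${cred.updatedAt}; confirm who reconnected it` });
  }
  return findings;
}

// Audit every credential, high-severity findings first.
function auditAll(creds, opts) {
  return creds.flatMap(c => auditCredential(c, opts))
              .sort((a, b) => (a.severity === b.severity ? 0 : a.severity === 'high' ? -1 : 1));
}

// Credentials to rotate, in the order the findings rank them (no duplicates).
function rotationOrder(findings) {
  return [...new Set(findings.map(f => f.id))];
}

const findings = auditAll(CREDENTIALS);
for (const f of findings) console.log(`[${f.severity}] ${f.id}: ${f.reason}`);
console.log('rotate in this order:', rotationOrder(findings).join(', '));
```

On the constructed data this flags c2 twice (foreign account, and read-only sharer plus recent change), c1 once (read-only sharer plus recent change, token still on an organization account), and c3 not at all, so rotation starts with c2. The medium finding is deliberately noisy: every owner-initiated reconnect after the baseline trips it, and an owner has to clear it by confirming the change.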
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2026-45732?
CVE-2026-45732 is an authorization flaw in n8n's OAuth1 and OAuth2 credential reconnect endpoints, which checked for credential:read instead of credential:update. An authenticated user with read-only access to a shared credential could run the reconnect flow and replace the stored tokens with ones bound to an account they control, after which every workflow using that credential executes under that identity until the owner notices and reconnects it. The fix shipped in n8n 1.123.43, 2.20.7, and 2.22.1.
Is CVE-2026-45732 actively exploited?
No confirmed active exploitation of CVE-2026-45732 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-45732?
1. Patch immediately: upgrade to n8n 1.123.43, 2.20.7, or 2.22.1.
2. Audit shared credentials: review OAuth token material and metadata for all shared credentials, checking for tokens bound to accounts outside your organization's identity provider and for modification timestamps without a matching owner action.
3. Revoke and reissue: rotate OAuth tokens on all shared credentials as a precaution against tokens already replaced, reconnecting each from the account meant to back it, and do so after patching so the reconnect cannot simply be repeated.
4. Restrict sharing: if patching is delayed, limit credential sharing to fully trusted users only and disable cross-project credential sharing.
5. Review workflow execution logs: examine history for unexpected data destinations, identity changes in API calls, anomalous output, or new permission errors on steps that used to succeed.
6. Monitor connected services: audit OAuth grant lists in external services (Google, GitHub, Slack) and confirm the n8n application is authorized only by the accounts expected to back each credential.
What systems are affected by CVE-2026-45732?
This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, workflow orchestration pipelines, multi-tenant automation platforms, AI data integration pipelines.
What is the CVSS score for CVE-2026-45732?
CVE-2026-45732 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.32%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0083 Credentials from AI Agent Configuration
- AML.T0086 Exfiltration via AI Agent Tool Invocation
- AML.T0091.000 Application Access Token
- AML.T0106 Exploitation for Credential Access
What are the technical details?
Original Advisory
n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, the OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read rather than credential:update. An authenticated user with read-only access to a shared credential could initiate an OAuth reconnect flow and overwrite the stored token material for that credential with tokens bound to an external account they control. Workflows relying on the affected credential would subsequently execute under the attacker's OAuth identity, enabling data exfiltration to attacker-controlled external services and persistent takeover of shared integrations. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.
Exploitation Scenario
An attacker with a legitimate but low-privilege n8n account in a multi-user organization identifies a shared OAuth credential used by an AI data pipeline workflow, for example a Google Workspace credential that ingests documents for a RAG pipeline or AI summarization workflow. The attacker calls the OAuth reconnect endpoint against that credential; the endpoint wrongly treats their credential:read permission as sufficient. The attacker completes the consent flow with a Google account they control, silently replacing the organization's stored tokens. From then on, every execution using that credential runs under the attacker's Google identity: anything the workflow writes through it (summaries, extracted fields, copies of processed documents) lands in the attacker's Drive, anything it reads now comes from storage the attacker controls, which lets them feed poisoned documents into the RAG index, and the provider's API logs attribute the calls to the attacker's account. In n8n itself the change is easy to miss: executions still look normal as long as the workflow only touches resources the attacker's account can reach. The practical signals are the credential's modification timestamp changing without a corresponding owner action, and a sudden run of permission errors on steps that previously succeeded against organization-owned resources.
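The flaw is a single wrong scope check on a write path. The following is an added example, not n8n's code: a minimal in-memory model of a reconnect handler that differs between its vulnerable and fixed form only in the scope it demands before overwriting token material. The scope names credential:read and credential:update come from the advisory; the role-to-scope table, the sharing role names, the store layout and the simulated OAuth callback are assumptions made for this example, not n8n's implementation.

```javascript
// Added example (not n8n's code): a minimal model of the reconnect
// authorization flaw described in the advisory, vulnerable form beside the fix.

const ROLE_SCOPES = {
  // Assumed role-to-scope table. Owner: may read, change, delete and share.
  'credential:owner': new Set(['credential:read', 'credential:update', 'credential:delete', 'credential:share']),
  // "Use" sharing: workflows may reference the credential, but it cannot be changed.
  'credential:user': new Set(['credential:read']),
};

// Constructed credentials table: one Google Drive OAuth2 credential owned by alice,
// shared read-only with mallory, currently bound to the organization's pipeline account.
function makeStore() {
  return new Map([
    ['cred-google-drive', {
      id: 'cred-google-drive',
      type: 'googleDriveOAuth2Api',
      oauthTokenData: { access_token: 'ya29.org', refresh_token: 'rt-org', account: 'pipeline@example.com' },
      shares: new Map([['alice', 'credential:owner'], ['mallory', 'credential:user']]),
    }],
  ]);
}

// Resolve the caller's scopes on one credential: null if it does not exist,
// an empty set if the caller has no share on it.
function scopesFor(store, userId, credentialId) {
  const cred = store.get(credentialId);
  if (!cred) return null;
  const role = cred.shares.get(userId);
  return role ? ROLE_SCOPES[role] : new Set();
}

// Stand-in for the OAuth callback: the provider returns tokens for whichever
// account completed the consent screen, i.e. an account the caller controls.
function completeOAuthFlow(callerAccount) {
  return { access_token: `ya29.${callerAccount}`, refresh_token: `rt-${callerAccount}`, account: callerAccount };
}

// Reconnect handler. The vulnerable and fixed endpoints differ only in the scope
// they require before the stored token material is overwritten.
function reconnect(store, { userId, credentialId, callerAccount }, requiredScope) {
  const scopes = scopesFor(store, userId, credentialId);
  if (scopes === null) return { status: 404, body: 'credential not found' };
  if (!scopes.has(requiredScope)) return { status: 403, body: `missing ${requiredScope}` };
  const cred = store.get(credentialId);
  cred.oauthTokenData = completeOAuthFlow(callerAccount); // token material replaced here
  return { status: 200, body: `credential now bound to ${cred.oauthTokenData.account}` };
}

// Pre-fix behaviour described in the advisory: read access is enough to reconnect.
function reconnectVulnerable(store, req) { return reconnect(store, req, 'credential:read'); }
// Fixed behaviour: writing token material requires credential:update.
function reconnectFixed(store, req) { return reconnect(store, req, 'credential:update'); }

// Run the read-only sharer's reconnect against both versions and report which
// account each copy of the credential ends up bound to.
function demo() {
  const req = { userId: 'mallory', credentialId: 'cred-google-drive', callerAccount: 'mallory@attacker.example' };
  const vulnStore = makeStore(), fixedStore = makeStore();
  return {
    vulnerable: reconnectVulnerable(vulnStore, req),
    vulnerableBoundTo: vulnStore.get('cred-google-drive').oauthTokenData.account,
    fixed: reconnectFixed(fixedStore, req),
    fixedBoundTo: fixedStore.get('cred-google-drive').oauthTokenData.account,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point to carry over to your own code review: the reconnect route is a write to the credential's secret material and must be gated by the same scope as any other edit of that credential; reusing the read check because "the user can already see the credential" is exactly the mistake the advisory describes. Running the block shows the vulnerable handler returning 200 and rebinding the credential to mallory's account, while the fixed handler returns 403 and leaves it on the pipeline account.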
Weaknesses (CWE)
CWE-639 Authorization Bypass Through User-Controlled Key (Primary)
CWE-639, Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
- [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
- [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Related Vulnerabilities
- CVE-2026-33663 (10.0): n8n: member role steals plaintext HTTP credentials. Same package: n8n
- CVE-2026-33660 (10.0): TensorFlow: type confusion NPD in tensor conversion. Same package: n8n
- CVE-2026-21858 (10.0): n8n: Input Validation flaw enables exploitation. Same package: n8n
- CVE-2026-27577 (9.9): n8n: Code Injection enables RCE. Same package: n8n
- CVE-2026-27494 (9.9): n8n: security flaw enables exploitation. Same package: n8n