The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33665

CVE-2026-33665: n8n LDAP Authentication Bypass Vulnerability

CVE-2026-33665 is an authentication bypass flaw in n8n's LDAP integration that enables attackers to hijack accounts by manipulating email attributes. This article covers technical details, affected versions, and mitigation.

Published: March 27, 2026

CVE-2026-33665 Overview

CVE-2026-33665 is an authentication bypass vulnerability in n8n, an open source workflow automation platform. The vulnerability exists in the LDAP authentication mechanism, where n8n automatically links an LDAP identity to an existing local account if the LDAP email attribute matches the local account's email address. An authenticated LDAP user who can control their own LDAP email attribute can set it to match another user's email—including an administrator's—and upon login, gain full access to that account. The account linkage persists even if the LDAP email is later reverted, resulting in a permanent account takeover.

Critical Impact

Authenticated LDAP users can escalate privileges to administrator level and maintain persistent access to compromised accounts even after reverting their LDAP email attribute changes.

Affected Products

  • n8n versions prior to 2.4.0
  • n8n versions prior to 1.121.0
  • n8n installations with LDAP authentication enabled

Discovery Timeline

  • 2026-03-25 - CVE-2026-33665 published to NVD
  • 2026-03-26 - Last updated in NVD database

Technical Details for CVE-2026-33665

Vulnerability Analysis

This vulnerability stems from improper authentication handling (CWE-287) in n8n's LDAP integration. The core issue lies in the automatic account linking logic that trusts LDAP-provided email attributes without adequate verification or authorization checks. When LDAP authentication is enabled, the platform performs email-based matching to link LDAP identities with existing local accounts.

The attack requires LDAP authentication to be configured and active (which is non-default), and the attacker must have the ability to modify their own LDAP email attribute within the directory service. While these prerequisites limit the attack surface, the impact is severe when exploited—allowing complete administrative account takeover with persistent access.

Root Cause

The root cause is improper trust placed in user-controllable LDAP attributes during the account linking process. The n8n platform assumes that email addresses provided via LDAP are authoritative and can be used to automatically associate LDAP identities with pre-existing local accounts. This design flaw fails to consider that in many LDAP configurations, users may have the ability to modify their own email attributes, creating a path for privilege escalation.

Additionally, the account linkage mechanism lacks proper revocation logic—once an LDAP identity is linked to a local account, this association persists even if the LDAP email attribute is subsequently changed, making the takeover permanent.

Attack Vector

The attack is network-based and requires low privileges (an authenticated LDAP user account) but no user interaction. The attack proceeds as follows:

  1. The attacker identifies the email address of a target user, preferably an administrator
  2. The attacker modifies their own LDAP email attribute to match the target's email address
  3. Upon the next LDAP authentication, n8n automatically links the attacker's LDAP identity to the target's local account
  4. The attacker gains full access to the target account, including all administrative privileges
  5. Even if the attacker reverts their LDAP email attribute to its original value, the account linkage remains, providing persistent unauthorized access

The vulnerability does not require the attacker to know the target's password—only their email address and the ability to modify LDAP attributes.

Detection Methods for CVE-2026-33665

Indicators of Compromise

  • Unexpected LDAP account associations in the n8n user database
  • Multiple LDAP identities linked to a single local account, particularly administrator accounts
  • Audit logs showing LDAP email attribute changes followed by successful authentication to different local accounts
  • Administrative account access from LDAP users who should not have such privileges

Detection Strategies

  • Monitor LDAP directory logs for email attribute modifications, especially changes to values matching existing n8n account emails
  • Implement alerting on new LDAP-to-local account linkages, particularly for privileged accounts
  • Review n8n authentication logs for patterns where users authenticate via LDAP but access accounts not originally assigned to them
  • Deploy behavioral analysis to detect users accessing resources or performing actions inconsistent with their normal role

Monitoring Recommendations

  • Enable comprehensive audit logging for LDAP attribute changes in your directory service
  • Configure alerts for any modifications to administrator account associations
  • Establish baseline user behavior profiles to detect anomalous access patterns post-compromise
  • Regularly audit LDAP-linked accounts to verify expected associations

How to Mitigate CVE-2026-33665

Immediate Actions Required

  • Upgrade n8n to version 2.4.0 or 1.121.0 or later immediately
  • Audit all existing LDAP-linked accounts for unexpected or unauthorized associations
  • Review administrator account associations to ensure no unauthorized LDAP identities have been linked
  • Consider resetting compromised accounts and revoking associated sessions if suspicious linkages are discovered

Patch Information

The vulnerability has been fixed in n8n versions 2.4.0 and 1.121.0. Users should upgrade to one of these versions or later to fully remediate the vulnerability. For detailed information about the security fix, refer to the GitHub Security Advisory.

Workarounds

  • Disable LDAP authentication entirely until the instance can be upgraded to a patched version
  • Restrict LDAP directory permissions so that users cannot modify their own email attributes
  • Implement additional access controls at the directory level to prevent unauthorized attribute changes
  • Audit existing LDAP-linked accounts for unexpected account associations and remove suspicious linkages manually

If upgrading is not immediately possible, these workarounds provide temporary risk reduction but do not fully remediate the vulnerability. They should only be used as short-term mitigation measures while planning the upgrade to a patched version.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechN8n
  • SeverityHIGH
  • CVSS Score8.8
  • EPSS Probability0.01%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-287
  • Technical References
  • GitHub Security Advisory
  • Related CVEs
  • CVE-2026-33722: n8n Workflow Automation Auth Bypass Flaw
  • CVE-2026-33663: n8n Auth Bypass Vulnerability
  • CVE-2026-33720: n8n Workflow Auth Bypass Vulnerability
  • CVE-2026-33751: n8n LDAP Injection Auth Bypass Flaw
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English