CVE-2026-33720 Overview
CVE-2026-33720 is an authorization bypass vulnerability in n8n, an open source workflow automation platform. When the N8N_SKIP_AUTH_ON_OAUTH_CALLBACK environment variable is set to true, the OAuth callback handler skips ownership verification of the OAuth state parameter. This allows an attacker to trick a victim into completing an OAuth flow against a credential object the attacker controls, causing the victim's OAuth tokens to be stored in the attacker's credential. The attacker can then use those tokens to execute workflows in the victim's name.
Critical Impact
Attackers can steal OAuth tokens from victims and execute workflows under their identity, potentially leading to unauthorized access to connected third-party services and data exfiltration.
Affected Products
- n8n versions prior to 2.8.0
- Instances with N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true explicitly configured
Discovery Timeline
- 2026-03-25 - CVE-2026-33720 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33720
Vulnerability Analysis
This vulnerability is classified as CWE-863 (Incorrect Authorization), where the n8n application fails to properly verify ownership of the OAuth state parameter during the OAuth callback process. The flaw specifically manifests when the non-default configuration N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true is enabled.
Under normal operation, OAuth flows use a state parameter to maintain the integrity of the authorization process and prevent cross-site request forgery attacks. When the vulnerable configuration is active, n8n bypasses the critical step of verifying that the user completing the OAuth flow is the same user who initiated it. This creates an opportunity for attackers to intercept and redirect OAuth tokens to credentials they control.
Root Cause
The root cause lies in the OAuth callback handler's conditional logic that skips ownership verification when N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true is configured. This environment variable was likely introduced to support specific deployment scenarios but creates a significant security gap by disabling essential authorization checks. The state parameter, which should bind the OAuth flow to a specific user session, is not validated, allowing credential object ownership to be manipulated by attackers.
Attack Vector
The attack leverages a network-based vector where an attacker crafts a malicious OAuth flow. The attacker first creates a credential object in n8n, then initiates an OAuth authorization flow. Instead of completing the flow themselves, the attacker tricks a victim (through social engineering or phishing) into completing the OAuth authentication. Because ownership verification is skipped, the victim's OAuth tokens are stored in the attacker's credential object. The attacker can then use these stolen tokens to execute workflows with the victim's OAuth permissions, potentially accessing sensitive third-party services and data.
The vulnerability requires user interaction and affects confidentiality and integrity at both local and subsequent system levels, though availability is not impacted.
Detection Methods for CVE-2026-33720
Indicators of Compromise
- Unusual OAuth credential access patterns where credentials are accessed by users who did not create them
- Workflow executions using OAuth credentials that don't match the expected credential owner
- Multiple OAuth authorizations for the same credential from different IP addresses or user sessions
- Anomalous API calls to third-party services from credentials with recently updated OAuth tokens
Detection Strategies
- Monitor n8n audit logs for credential access by non-owner users
- Implement alerting on OAuth token updates where the authorizing user differs from the credential owner
- Review environment configurations for presence of N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true
- Deploy network monitoring to detect OAuth callback manipulation attempts
Monitoring Recommendations
- Enable detailed logging for OAuth callback endpoints in n8n
- Configure SIEM alerts for suspicious credential sharing or access patterns
- Implement user behavior analytics to detect OAuth token theft scenarios
- Regularly audit which credentials are being used across different user workflows
How to Mitigate CVE-2026-33720
Immediate Actions Required
- Upgrade n8n to version 2.8.0 or later immediately
- Review environment configuration and remove or disable N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true if not strictly required
- Audit existing OAuth credentials for signs of unauthorized access or token theft
- Restrict access to the n8n instance to fully trusted users only as an interim measure
Patch Information
The vulnerability has been fixed in n8n version 2.8.0. Users should upgrade to this version or later to fully remediate the vulnerability. The fix restores proper ownership verification of OAuth state parameters regardless of environment configuration. For more details, refer to the GitHub Security Advisory.
Workarounds
- Avoid enabling N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true unless strictly required for your deployment
- Restrict access to the n8n instance to only fully trusted users
- Implement network-level access controls to limit who can reach OAuth callback endpoints
- Consider temporarily disabling OAuth integrations until the patch can be applied
# Remove vulnerable configuration from environment
# Check current environment variable
echo $N8N_SKIP_AUTH_ON_OAUTH_CALLBACK
# Unset the variable if present (temporary for current session)
unset N8N_SKIP_AUTH_ON_OAUTH_CALLBACK
# For persistent removal, edit your n8n configuration file or environment
# and remove or comment out the N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true line
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
