Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45732

CVE-2026-45732: N8n Workflow Automation Auth Bypass Flaw

CVE-2026-45732 is an authentication bypass flaw in N8n workflow automation that allows attackers to overwrite OAuth credentials and hijack shared integrations. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-45732 Overview

CVE-2026-45732 is a broken access control vulnerability in n8n, an open source workflow automation platform. The flaw affects the OAuth1 and OAuth2 credential reconnect endpoints, which incorrectly authorized access using the credential:read scope instead of credential:update. An authenticated user with read-only access to a shared credential can initiate an OAuth reconnect flow and overwrite the stored token material with tokens bound to an external account they control. Workflows that rely on the affected credential then execute under the attacker's OAuth identity. The issue is tracked as [CWE-639] and is fixed in versions 1.123.43, 2.22.1, and 2.20.7.

Critical Impact

Attackers with read-only credential access can hijack shared OAuth integrations, redirect workflow execution to attacker-controlled accounts, and exfiltrate data from connected external services.

Affected Products

  • n8n versions prior to 1.123.43
  • n8n versions prior to 2.22.1
  • n8n versions prior to 2.20.7

Discovery Timeline

  • 2026-06-23 - CVE-2026-45732 published to NVD
  • 2026-06-24 - Last updated in NVD database

Technical Details for CVE-2026-45732

Vulnerability Analysis

The vulnerability resides in the OAuth1 and OAuth2 credential reconnect endpoints within n8n. These endpoints permit a user to refresh or re-authorize the OAuth tokens associated with a stored credential. The authorization check on these endpoints required only the credential:read permission rather than credential:update. Any authenticated user who has been granted read-only access to a shared credential could therefore trigger a reconnect operation. During that flow, the server replaces the stored access and refresh tokens with values returned from the OAuth provider. Because the attacker controls the OAuth callback by initiating the flow with their own external account, the credential record ends up bound to the attacker's identity at the upstream service.

Root Cause

The root cause is incorrect authorization scope on a state-changing operation, classified under [CWE-639] Authorization Bypass Through User-Controlled Key. The reconnect endpoints treat token replacement as a read-equivalent action when it is in fact a mutation of credential material. n8n shares credentials across users and workflows, so any sharing grant that intended read-only delegation silently conferred the ability to overwrite tokens.

Attack Vector

An authenticated low-privileged user with read access to a shared OAuth credential issues a request to the OAuth reconnect endpoint for that credential. The server initiates the OAuth handshake and accepts tokens that the attacker authorized against their own account on the upstream provider. The stored credential record is updated in place. Subsequent workflow runs that reference the credential authenticate to the third-party service as the attacker. The attacker can then receive data sent by workflows, redirect actions to attacker-controlled resources, or maintain persistent access to the shared integration. See the GitHub Security Advisory GHSA-6h4j-wcr9-2vg7 for vendor technical details.

Detection Methods for CVE-2026-45732

Indicators of Compromise

  • Unexpected calls to OAuth reconnect endpoints from accounts that only hold read-only credential shares.
  • Changes to OAuth token metadata, expiration timestamps, or associated upstream account identifiers on shared credentials.
  • Workflow executions sending data to external endpoints or accounts that differ from the original credential owner's identity.
  • Authentication events at upstream OAuth providers originating from unfamiliar user accounts shortly before n8n credential updates.

Detection Strategies

  • Audit n8n application logs for oauth1-credential/callback and oauth2-credential/callback activity correlated with users who lack credential update permissions.
  • Compare upstream OAuth provider audit logs against expected credential owners to identify reconnect flows initiated by unauthorized identities.
  • Review credential modification history in the n8n database for token updates that are not preceded by an authorized administrative action.

Monitoring Recommendations

  • Forward n8n API access logs and credential change events to a centralized logging platform for continuous review.
  • Alert on workflow output destinations changing between executions, which may indicate an OAuth identity swap.
  • Track the ratio of credential:read users invoking write-equivalent endpoints to surface authorization anomalies.

How to Mitigate CVE-2026-45732

Immediate Actions Required

  • Upgrade n8n to version 1.123.43, 2.22.1, or 2.20.7 depending on your release branch.
  • Rotate all OAuth1 and OAuth2 credentials stored in n8n that were shared with non-owner users prior to patching.
  • Review user-to-credential sharing assignments and revoke read access that is no longer required.
  • Inspect recent workflow executions for signs of data exfiltration or unauthorized API calls.

Patch Information

The maintainers fixed the issue in n8n 1.123.43, 2.22.1, and 2.20.7 by requiring the credential:update permission on OAuth reconnect endpoints. Patch details and the upstream commit references are available in the n8n GitHub Security Advisory.

Workarounds

  • Restrict credential sharing to trusted users until the upgrade is applied.
  • Disable or remove shared OAuth credentials that are not actively required by workflows.
  • Place the n8n management interface behind network controls that limit access to administrators only.
bash
# Upgrade n8n via npm to a fixed release
npm install -g n8n@1.123.43

# Or pull the patched Docker image
docker pull n8nio/n8n:1.123.43
docker stop n8n && docker rm n8n
docker run -d --name n8n -p 5678:5678 n8nio/n8n:1.123.43

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.