Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-56350

CVE-2026-56350: N8n Authentication Bypass Vulnerability

CVE-2026-56350 is an authentication bypass flaw in N8n that allows SSO users to disable SSO enforcement and create local credentials. This article covers technical details, affected versions, and mitigation strategies.

Published:

CVE-2026-56350 Overview

CVE-2026-56350 is an authentication bypass vulnerability in n8n versions before 2.8.0. Authenticated Single Sign-On (SSO) users can disable SSO enforcement through the n8n API. After disabling enforcement, attackers create local password credentials to authenticate directly against the application. This bypasses organizational SSO policies and any multi-factor authentication (MFA) enforced by the identity provider. The flaw is categorized under [CWE-285] Improper Authorization and affects the n8n workflow automation platform maintained by n8n.io.

Critical Impact

Authenticated users can circumvent SSO-enforced MFA and identity provider controls, undermining centralized identity governance and enabling persistent local authentication paths.

Affected Products

  • n8n versions prior to 2.8.0
  • Self-hosted n8n deployments running on Node.js
  • n8n instances configured to enforce SSO authentication

Discovery Timeline

  • 2026-06-30 - CVE-2026-56350 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-56350

Vulnerability Analysis

The vulnerability resides in n8n's authorization logic governing SSO enforcement settings. Endpoints that toggle or modify SSO enforcement do not restrict access to appropriately privileged administrators. Any authenticated SSO user can issue API requests to disable the enforcement flag. Once disabled, the application permits local password-based authentication for users that previously could only sign in through the identity provider.

The attacker then creates local credentials for their own account or, depending on further privilege state, for other accounts. These local credentials bypass identity-provider-enforced controls including MFA, conditional access policies, and session lifetime restrictions. The result is a durable authentication backdoor within an environment that operators believe is protected by centralized SSO.

Root Cause

The root cause is improper authorization ([CWE-285]) on administrative API routes controlling SSO enforcement. Standard authenticated sessions are treated as sufficient authority to modify tenant-wide authentication policy. There is no additional role check, step-up authentication, or separation between workflow users and identity administrators for these operations.

Attack Vector

Exploitation requires network access to the n8n API and a valid authenticated SSO session with low privileges. The attacker sends an authenticated API request to disable SSO enforcement, then invokes the local credential creation endpoint. Subsequent logins occur through the local authentication path, avoiding the identity provider entirely. The vector is network-based and requires low privileges, with no user interaction. Refer to the VulnCheck Advisory and the GitHub Security Advisory GHSA-vjf3-2gpj-233v for endpoint-level detail.

Detection Methods for CVE-2026-56350

Indicators of Compromise

  • API requests that modify SSO enforcement settings originating from non-administrative accounts.
  • Creation of local password credentials for users whose accounts were previously provisioned exclusively through SSO.
  • Successful password-based logins for identities that historically authenticated only through the identity provider.
  • Sudden gaps between identity provider sign-in logs and n8n application login events for the same user.

Detection Strategies

  • Audit n8n application logs for changes to SSO configuration and correlate against the account role that initiated the change.
  • Compare n8n authentication events against identity provider logs to identify sessions that bypassed the IdP.
  • Alert on any invocation of local credential provisioning endpoints in environments configured for SSO-only access.

Monitoring Recommendations

  • Forward n8n audit and authentication logs to a centralized SIEM for continuous correlation with IdP telemetry.
  • Baseline the population of accounts that possess local password credentials and alert on additions.
  • Monitor administrative API endpoints for unauthorized configuration mutations, particularly authentication policy toggles.

How to Mitigate CVE-2026-56350

Immediate Actions Required

  • Upgrade all n8n instances to version 2.8.0 or later without delay.
  • Review the local user database and remove password credentials created for SSO-provisioned accounts.
  • Verify that SSO enforcement is enabled after upgrade and audit the change history for the setting.
  • Rotate credentials and invalidate active sessions for any account suspected of exploiting the flaw.

Patch Information

The vendor has released n8n 2.8.0 addressing the improper authorization on the SSO enforcement API. Details are available in the n8n GitHub Security Advisory GHSA-vjf3-2gpj-233v. Operators running self-hosted deployments should apply the update through their standard container or Node.js upgrade procedure.

Workarounds

  • Restrict network access to the n8n API to trusted administrative networks until the patch is applied.
  • Limit account creation and role assignment so that only vetted administrators hold authenticated sessions on affected versions.
  • Enforce compensating detection alerts on any modification of SSO enforcement settings while the upgrade is pending.
bash
# Verify installed n8n version and upgrade to the fixed release
n8n --version
npm install -g n8n@2.8.0
# For Docker deployments
docker pull n8nio/n8n:2.8.0
docker stop n8n && docker rm n8n
docker run -d --name n8n -p 5678:5678 n8nio/n8n:2.8.0

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.