Description
n8n is an open source workflow automation platform. Prior to version 2.8.0, when the `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK` environment variable is set to `true`, the OAuth callback handler skips ownership verification of the OAuth state parameter. This allows an attacker to trick a victim into completing an OAuth flow against a credential object the attacker controls, causing the victim's OAuth tokens to be stored in the attacker's credential. The attacker can then use those tokens to execute workflows in their name. This issue only affects instances where `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true` is explicitly configured (non-default). The issue has been fixed in n8n version 2.8.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: avoid enabling `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true` unless strictly required, and/or restrict access to the n8n instance to fully trusted users only. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Published: 2026-03-25
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized execution of workflows using stolen OAuth tokens
Action: Immediate Upgrade
AI Analysis

Impact

A misconfiguration that lets an attacker bypass ownership verification during the OAuth callback results in the attacker receiving OAuth tokens that belong to the victim. The attacker can then store those tokens as their own credentials and execute workflows on the victim's instance, effectively gaining control over the victim's workflow environment as though they were an authorized user. This vulnerability represents a significant compromise of integrity and authorization, classified under CWE-863.

Affected Systems

The flaw affects n8n-io n8n versions earlier than 2.8.0 when the environment variable N8N_SKIP_AUTH_ON_OAUTH_CALLBACK is set to true. It does not apply to versions 2.8.0 and later, nor to instances where the variable is not enabled.

Risk and Exploitability

The CVSS score of 6.3 indicates medium severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the environment variable be enabled and that the attacker lure a legitimate user into completing an OAuth flow targeted at the attacker's credential. Once the flow succeeds, the attacker can use the compromised tokens to trigger workflows on the victim's behalf. This scenario is possible in typical web application contexts but is mitigated by disabling the variable or restricting access to trusted administrators.

Generated by OpenCVE AI on March 27, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade n8n to version 2.8.0 or later
  • Remove or unset the N8N_SKIP_AUTH_ON_OAUTH_CALLBACK environment variable
  • If upgrading is not immediately possible, restrict access to the n8n instance to fully trusted users only
Advisories
Source: Github GHSA
ID: GHSA-vpgc-2f6g-7w7x
Title: n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK
History

Fri, 27 Mar 2026 19:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N'}

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: N8n; N8n n8n

Type: Vendors & Products
Values Added: N8n; N8n n8n

Wed, 25 Mar 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 18:15:00 +0000

Type: Description
Values Added: n8n is an open source workflow automation platform. Prior to version 2.8.0, when the `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK` environment variable is set to `true`, the OAuth callback handler skips ownership verification of the OAuth state parameter. This allows an attacker to trick a victim into completing an OAuth flow against a credential object the attacker controls, causing the victim's OAuth tokens to be stored in the attacker's credential. The attacker can then use those tokens to execute workflows in their name. This issue only affects instances where `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true` is explicitly configured (non-default). The issue has been fixed in n8n version 2.8.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: avoid enabling `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true` unless strictly required, and/or restrict access to the n8n instance to fully trusted users only. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Type: Title
Values Added: n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK

Type: Weaknesses
Values Added: CWE-863

Type: References
Values Added:

Type: Metrics (cvssV4_0)
Values Added: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T20:07:47.761Z

Reserved: 2026-03-23T17:06:05.749Z

Link: CVE-2026-33720

Vulnrichment

Updated: 2026-03-25T20:07:44.156Z

NVD

Status: Analyzed

Published: 2026-03-25T19:16:50.967

Modified: 2026-03-27T19:38:03.037

Link: CVE-2026-33720

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:28:15Z

Weaknesses