Impact
n8n is an open source workflow automation platform. In versions prior to 1.123.43, 2.22.1, and 2.20.7, the OAuth1 and OAuth2 credential reconnect endpoints authorize the request using the credential:read permission instead of the credential:update permission that a token-replacing operation requires. This CWE-639 flaw allows an authenticated user who has only read access to a shared credential to start an OAuth reconnect flow for it, complete the provider's consent step with an account the attacker controls, and have the callback overwrite the stored token material with tokens bound to that account. Workflows that rely on the affected credential then execute under the attacker-controlled OAuth identity: data the workflow sends through the integration goes to the attacker's account at the external service, and the attacker keeps that foothold for as long as the replaced tokens remain in place. The vulnerability is fixed in the listed versions.
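The authorization mistake described above, as an added illustration that is not n8n's own code: a minimal TypeScript model of a shared OAuth credential with hypothetical sharing roles ("owner" and "user"), a reconnect handler gated on credential:read (the vulnerable check) beside one gated on credential:update (the fixed check), and a simulated OAuth callback that writes whatever account the requesting user consented with back into the shared credential. The role names, the role-to-scope mapping, the store layout and the handler shapes are assumptions made for the example.

```typescript
// Added example (not n8n's code): models the wrong-scope check on a
// state-mutating OAuth reconnect endpoint and the corrected check.
// Role names, the role-to-scope mapping and all handler shapes are hypothetical.

type Scope = "credential:read" | "credential:update";
type ShareRole = "owner" | "user"; // hypothetical sharing roles

// Hypothetical mapping: a share with role "user" grants read access only.
const ROLE_SCOPES: Record<ShareRole, Scope[]> = {
  owner: ["credential:read", "credential:update"],
  user: ["credential:read"],
};

interface TokenData {
  accessToken: string;
  accountSubject: string; // which provider account the token is bound to
}

interface OAuthCredential {
  id: string;
  shares: Record<string, ShareRole>; // userId -> role on this credential
  oauthTokenData: TokenData | null; // stored token material (simplified)
}

type CredentialStore = Record<string, OAuthCredential>;
type ReconnectGuard = (cred: OAuthCredential, userId: string) => boolean;

function scopesFor(cred: OAuthCredential, userId: string): Scope[] {
  const role = cred.shares[userId];
  return role ? ROLE_SCOPES[role] : [];
}

// Vulnerable guard: the reconnect endpoint only asks for the read scope,
// even though completing the flow overwrites the stored token.
const canReconnectVulnerable: ReconnectGuard = (cred, userId) =>
  scopesFor(cred, userId).indexOf("credential:read") !== -1;

// Fixed guard: replacing token material is an update, so require update scope.
const canReconnectFixed: ReconnectGuard = (cred, userId) =>
  scopesFor(cred, userId).indexOf("credential:update") !== -1;

interface ReconnectResult {
  status: number; // 200 token replaced, 403 denied, 404 unknown credential
  boundTo: string | null; // accountSubject the credential is bound to afterwards
}

// Simulated reconnect: the authenticated user starts the flow for credentialId,
// completes provider consent as `consentedAs`, and the callback writes that
// token back into the shared credential if the guard allowed the reconnect.
function reconnect(
  store: CredentialStore,
  userId: string,
  credentialId: string,
  consentedAs: TokenData,
  guard: ReconnectGuard,
): ReconnectResult {
  const cred = store[credentialId];
  if (!cred) return { status: 404, boundTo: null };
  if (!guard(cred, userId)) {
    return { status: 403, boundTo: cred.oauthTokenData ? cred.oauthTokenData.accountSubject : null };
  }
  cred.oauthTokenData = { ...consentedAs };
  return { status: 200, boundTo: cred.oauthTokenData.accountSubject };
}

// Constructed sample: alice owns the credential and shared it read-only with mallory.
function buildStore(): CredentialStore {
  const cred: OAuthCredential = {
    id: "cred-1",
    shares: { alice: "owner", mallory: "user" },
    oauthTokenData: { accessToken: "owner-access-token", accountSubject: "alice@example.com" },
  };
  const store: CredentialStore = {};
  store[cred.id] = cred;
  return store;
}

interface DemoResult {
  vulnerable: ReconnectResult;   // read-only user against the vulnerable guard
  fixed: ReconnectResult;        // read-only user against the fixed guard
  ownerOnFixed: ReconnectResult; // owner against the fixed guard (legitimate reconnect)
}

function demo(): DemoResult {
  // Token the attacker obtains by consenting with an account they control.
  const attackerToken: TokenData = {
    accessToken: "attacker-access-token",
    accountSubject: "mallory@attacker.example",
  };
  const ownerToken: TokenData = {
    accessToken: "owner-refreshed-token",
    accountSubject: "alice@example.com",
  };
  return {
    vulnerable: reconnect(buildStore(), "mallory", "cred-1", attackerToken, canReconnectVulnerable),
    fixed: reconnect(buildStore(), "mallory", "cred-1", attackerToken, canReconnectFixed),
    ownerOnFixed: reconnect(buildStore(), "alice", "cred-1", ownerToken, canReconnectFixed),
  };
}

const result = demo();
console.log(JSON.stringify(result, null, 2));
```

With the vulnerable guard the read-only user's reconnect returns 200 and the credential ends up bound to mallory@attacker.example; with the fixed guard the same request is refused with 403 and the owner's token is untouched, while the owner's own reconnect still succeeds. The point generalizes beyond this endpoint: any route whose side effect is a write has to be gated on the write scope, regardless of how the route is named.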
Affected Systems
The affected product is n8n, the open source workflow automation platform maintained by n8n-io. Vulnerable versions are all releases prior to 1.123.43, 2.22.1, and 2.20.7. Operators on an earlier release should upgrade to the fixed release for their release line. The exposure is specific to instances where OAuth1 or OAuth2 credentials are shared with users who hold only read access to them, since that read-only share is what the flaw abuses.
Risk and Exploitability
The CVSS score of 8.3 indicates high severity. No EPSS score is available and the vulnerability is not listed in CISA KEV. An attacker needs only an authenticated account with read-only access to a shared OAuth credential; no additional privileges or external dependencies are required. Because the flaw lets that user replace the stored token material with tokens for an account they control, every workflow using the credential then talks to the external service as the attacker's account rather than the owner's, which exposes whatever the workflow sends through the integration and persists until the tokens are replaced again. Upgrading closes the endpoint but does not undo a reconnect that already happened: after patching, owners of credentials that were shared with read-only users should re-authorize them so the stored tokens are bound to the intended account, and should review who holds shares on them. The high impact combined with the low barrier to exploitation translates to a significant risk for organizations using shared OAuth credentials.
OpenCVE Enrichment
Source: GitHub GHSA