Description
n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, the OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read rather than credential:update. An authenticated user with read-only access to a shared credential could initiate an OAuth reconnect flow and overwrite the stored token material for that credential with tokens bound to an external account they control. Workflows relying on the affected credential would subsequently execute under the attacker's OAuth identity, enabling data exfiltration to attacker-controlled external services and persistent takeover of shared integrations. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.
Published: 2026-06-23
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

n8n is an open-source workflow automation platform. Versions prior to 1.123.43, 2.22.1, and 2.20.7 allow an authenticated user that has read‑only access to a shared OAuth credential to invoke the OAuth1 or OAuth2 credential reconnect endpoint. The endpoint checks only credential:read permissions instead of the required credential:update permission. This flaw, classified as CWE‑639, lets the attacker replace the stored token material for the credential with tokens belonging to an account they control. Workflows that reference the compromised credential will then execute under the attacker's identity, making data exfiltration to attacker‑controlled services possible and providing a persistent foothold in shared integrations.

Affected Systems

The affected product is n8n, an open source workflow automation platform provided by n8n‑io. Vulnerable versions include all releases prior to 1.123.43, 2.22.1, and 2.20.7. Users running these earlier releases should consider the impact if they share OAuth credentials with other users.

Risk and Exploitability

The CVSS score of 8.3 indicates high severity. No EPSS score is available and the vulnerability is not listed in CISA KEV. Attackers only need to be authenticated with read-only access to a shared credential; no additional privileges or external dependencies are required. Because the flaw permits overwriting token material with an attacker‑controlled token, any workflow using the compromised credential will operate under the attacker’s privileges, enabling data exfiltration and persistence. The high impact combined with the low barrier to exploitation translates to a significant risk for organizations using shared OAuth credentials.

Generated by OpenCVE AI on June 24, 2026 at 11:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade n8n to version 1.123.43, 2.22.1, or 2.20.7 where the credential update permission is correctly enforced.
  • Revoke unnecessary read‑only sharing of OAuth credentials to limit the pool of potential attackers.
  • Audit integration logs for unexpected credential updates or credential material changes that may indicate unauthorized activity.

Generated by OpenCVE AI on June 24, 2026 at 11:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6h4j-wcr9-2vg7 n8n Has a Cross-user Authorization Bypass in Dynamic Credential OAuth Endpoints
History

Fri, 26 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared N8n
N8n n8n
Vendors & Products N8n
N8n n8n

Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, the OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read rather than credential:update. An authenticated user with read-only access to a shared credential could initiate an OAuth reconnect flow and overwrite the stored token material for that credential with tokens bound to an external account they control. Workflows relying on the affected credential would subsequently execute under the attacker's OAuth identity, enabling data exfiltration to attacker-controlled external services and persistent takeover of shared integrations. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.
Title n8n: Cross-user Authorization Bypass in Dynamic Credential OAuth Endpoints
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T19:31:18.368Z

Reserved: 2026-05-13T05:51:48.667Z

Link: CVE-2026-45732

cve-icon Vulnrichment

Updated: 2026-06-26T19:31:14.427Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key