Impact
n8n is an open-source workflow automation platform. Versions prior to 1.123.43, 2.22.1, and 2.20.7 allow an authenticated user that has read‑only access to a shared OAuth credential to invoke the OAuth1 or OAuth2 credential reconnect endpoint. The endpoint checks only credential:read permissions instead of the required credential:update permission. This flaw, classified as CWE‑639, lets the attacker replace the stored token material for the credential with tokens belonging to an account they control. Workflows that reference the compromised credential will then execute under the attacker's identity, making data exfiltration to attacker‑controlled services possible and providing a persistent foothold in shared integrations.
Affected Systems
The affected product is n8n, an open source workflow automation platform provided by n8n‑io. Vulnerable versions include all releases prior to 1.123.43, 2.22.1, and 2.20.7. Users running these earlier releases should consider the impact if they share OAuth credentials with other users.
Risk and Exploitability
The CVSS score of 8.3 indicates high severity. No EPSS score is available and the vulnerability is not listed in CISA KEV. Attackers only need to be authenticated with read-only access to a shared credential; no additional privileges or external dependencies are required. Because the flaw permits overwriting token material with an attacker‑controlled token, any workflow using the compromised credential will operate under the attacker’s privileges, enabling data exfiltration and persistence. The high impact combined with the low barrier to exploitation translates to a significant risk for organizations using shared OAuth credentials.
OpenCVE Enrichment
Github GHSA