SB20260423152 - Multiple vulnerabilities in n8n
Published: April 23, 2026 Updated: April 30, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Improper privilege management (CVE-ID: N/A)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass single sign-on enforcement by creating a local password for direct authentication.
The vulnerability exists due to improper privilege management in the n8n API when handling requests to disable SSO enforcement for the user's own account. A remote authenticated user can disable SSO enforcement for their own account, create local credentials, and then log in directly with that password instead of through the identity provider.
This bypasses the organization's centralized identity management, including any multi-factor authentication enforced by the identity provider, because the local password is never checked by the provider.
2) Improper access control (CVE-ID: CVE-2026-33722)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose secrets stored in an external secrets vault.
The vulnerability exists due to improper access control in credential saving when a credential references an external secret by name. A remote authenticated user who can create credentials can save a credential that references a target secret by name and obtain its value, even though the user was never granted access to that secret.
Exploitation requires that the instance has an external secrets vault configured and that the attacker knows or can guess the name of the target secret.
3) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in a victim's browser session.
The vulnerability exists due to improper neutralization of script-related input in the credential management flow when handling a crafted OAuth2 credential authorization URL. A remote authenticated user can create an OAuth2 credential whose authorization URL uses the javascript: scheme and share it with another user; when the victim follows the authorization link, the script runs in the victim's browser session.
User interaction is required: the victim must open the shared credential and click the OAuth authorization button.
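As an added illustration of the defect class (example code, not n8n's code), the check below contrasts a string-prefix test for javascript: URLs with a validator that parses the URL the way a browser does and allowlists the scheme. The function names, the https-only allowlist and the sample inputs are assumptions for the example; the same parse-then-allowlist check applies wherever a user-supplied authorization URL is rendered into a link or handed to window.open.

```javascript
// Added example (not n8n code): validating a user-supplied OAuth2
// authorization URL before it is used as a link or redirect target.
// The allowlist and function names are assumptions for this example.

const ALLOWED_PROTOCOLS = new Set(["https:"]);

// The kind of check that lets javascript: URLs through: it only looks at the
// raw string, so leading whitespace or an embedded tab defeats it.
function naiveIsSafeUrl(url) {
  return !String(url).toLowerCase().startsWith("javascript:");
}

// Hardened check: parse with the WHATWG URL parser (the algorithm the browser
// itself applies), which strips leading control characters and embedded
// tab/newline and lower-cases the scheme; then allowlist the protocol and
// require a host so relative or scheme-only inputs are rejected.
function isSafeAuthUrl(url) {
  if (typeof url !== "string") return false;
  let parsed;
  try {
    parsed = new URL(url); // throws on relative or unparsable input
  } catch {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) && parsed.hostname.length > 0;
}

// What the UI should hand to the anchor or window.open: the validated,
// normalised URL, or an inert placeholder when validation fails.
function safeHref(url) {
  return isSafeAuthUrl(url) ? new URL(url).href : "about:blank";
}

// Constructed inputs: one legitimate provider URL and payload variants that
// pass the naive check but not the parser-based one.
const SAMPLES = [
  "https://accounts.example.com/o/oauth2/auth?client_id=abc",
  "javascript:alert(document.cookie)",
  " javascript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "//evil.example/auth",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "naive:", naiveIsSafeUrl(s), "hardened:", isSafeAuthUrl(s));
}
```

The two inputs worth noticing are the leading-space and embedded-tab variants: the naive check accepts both, while the URL parser normalises them to the javascript: scheme and the allowlist rejects them. Validating on the server when the credential is saved is the primary control; validating again in the client before the click costs nothing and covers credentials saved before the server check existed.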
4) Incorrect authorization (CVE-ID: CVE-2026-33720)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to obtain and use a victim's OAuth tokens.
The vulnerability exists due to incorrect authorization in the OAuth callback handler when N8N_SKIP_AUTH_ON_OAUTH_CALLBACK is set to true: the callback is processed without verifying that the user completing the flow is the owner of the credential the flow was started for. A remote attacker can start an OAuth flow for an attacker-controlled credential object and trick a victim into completing it; the tokens issued for the victim's account at the OAuth provider are then stored in the attacker's credential, where the attacker can use them.
Only instances with N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true explicitly configured are vulnerable; the default configuration is not affected.
Remediation
Install the update from the vendor's website; the fixed n8n releases for each issue are listed in the GitHub advisories referenced below. Until the update is applied, operators of instances that have N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true set should evaluate whether that setting can be removed, since issue 4 affects only that configuration.
References
- https://github.com/n8n-io/n8n/security/advisories/GHSA-vjf3-2gpj-233v
- https://github.com/advisories/GHSA-vjf3-2gpj-233v
- https://github.com/n8n-io/n8n/security/advisories/GHSA-fxcw-h3qj-8m8p
- https://github.com/advisories/GHSA-fxcw-h3qj-8m8p
- https://github.com/n8n-io/n8n/security/advisories/GHSA-364x-8g5j-x2pr
- https://github.com/advisories/GHSA-364x-8g5j-x2pr
- https://github.com/n8n-io/n8n/security/advisories/GHSA-vpgc-2f6g-7w7x
- https://github.com/advisories/GHSA-vpgc-2f6g-7w7x