Improper Authentication in n8n - CVE-2026-33665


Published: April 30, 2026


Vulnerability identifier: #VU128728
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33665
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: n8n
Affected software:
n8n

Detailed vulnerability description

The vulnerability allows a remote authenticated user (anyone with a valid LDAP account that can log in to the n8n instance) to gain full access to another user's account.

The vulnerability exists due to improper authentication in LDAP account linking: during LDAP login, the authenticated LDAP identity is matched to an existing local n8n account by email address alone. A remote user who can set their own LDAP email attribute to another user's email address can log in via LDAP, have their LDAP identity linked to that user's account, and gain full access to it.

Exploitation requires that LDAP authentication be configured and active. The resulting account linkage persists even if the LDAP email attribute is later reverted, so the takeover survives the attacker restoring their original email.
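The following is an added illustration of the flaw class described above, written for this page; it is not n8n's code, and the user store, field names (`ldapId`, `authProvider`), and the scenario data are assumed. It models a login flow that links an LDAP identity to a local account by email (vulnerable) beside one that only joins on a stable directory identifier and treats an email collision as a conflict (hardened), and it walks through the "set email, log in, revert email, log in again" sequence to show why the link persists.

```typescript
// Added example for CVE-2026-33665's flaw class (LDAP linking keyed on the
// mail attribute). Not n8n's code: types, store and scenario are assumed.

interface LocalUser {
  id: string;
  email: string;
  authProvider: "local" | "ldap";
  ldapId?: string; // stable directory identifier (assumed, e.g. entryUUID)
}

// Shape assumed for what a successful LDAP bind returns about the user.
interface LdapIdentity {
  ldapId: string;
  email: string; // attacker-controlled if users may edit their own mail attribute
}

type LinkResult =
  | { kind: "ok"; user: LocalUser }
  | { kind: "rejected"; reason: string };

class UserStore {
  private users: LocalUser[];
  constructor(seed: LocalUser[]) {
    this.users = seed.map((u) => ({ ...u })); // fresh copy per scenario
  }
  findByEmail(email: string): LocalUser | undefined {
    return this.users.find((u) => u.email.toLowerCase() === email.toLowerCase());
  }
  findByLdapId(ldapId: string): LocalUser | undefined {
    return this.users.find((u) => u.ldapId === ldapId);
  }
  create(identity: LdapIdentity): LocalUser {
    const user: LocalUser = {
      id: `u${this.users.length + 1}`,
      email: identity.email,
      authProvider: "ldap",
      ldapId: identity.ldapId,
    };
    this.users.push(user);
    return user;
  }
}

// Vulnerable: if no account is bound to this LDAP identity yet, match ANY
// local account by email and bind the identity to it. Whoever controls the
// mail attribute chooses which account they become.
function ldapLoginVulnerable(store: UserStore, identity: LdapIdentity): LinkResult {
  const linked = store.findByLdapId(identity.ldapId);
  if (linked) return { kind: "ok", user: linked };
  const byEmail = store.findByEmail(identity.email);
  if (byEmail) {
    byEmail.authProvider = "ldap";
    byEmail.ldapId = identity.ldapId; // persisted: survives a later email revert
    return { kind: "ok", user: byEmail };
  }
  return { kind: "ok", user: store.create(identity) };
}

// Hardened: the stable LDAP identifier is the only automatic join key. An
// email collision with an account not already bound to this identity is a
// conflict for an administrator to resolve, never a reason to link.
function ldapLoginHardened(store: UserStore, identity: LdapIdentity): LinkResult {
  const linked = store.findByLdapId(identity.ldapId);
  if (linked) return { kind: "ok", user: linked };
  const byEmail = store.findByEmail(identity.email);
  if (byEmail) {
    return { kind: "rejected", reason: `email ${identity.email} already belongs to account ${byEmail.id}` };
  }
  return { kind: "ok", user: store.create(identity) };
}

// Constructed scenario: the victim "owner" is a local account; the attacker
// holds a valid LDAP account and can edit their own mail attribute.
const SEED: LocalUser[] = [{ id: "u1", email: "owner@example.test", authProvider: "local" }];
const ATTACKER_LDAP_ID = "ldap-attacker-0001";

function runScenario(login: (s: UserStore, i: LdapIdentity) => LinkResult) {
  const store = new UserStore(SEED);
  // Step 1: attacker sets mail=owner@example.test and logs in via LDAP.
  const first = login(store, { ldapId: ATTACKER_LDAP_ID, email: "owner@example.test" });
  // Step 2: attacker reverts mail to their own address and logs in again.
  const second = login(store, { ldapId: ATTACKER_LDAP_ID, email: "attacker@example.test" });
  return { first, second, ownerLdapId: store.findByEmail("owner@example.test")?.ldapId };
}
```

With the vulnerable flow, both logins land in the owner's account (`u1`) and the owner record now carries the attacker's LDAP identifier, which is the persistence the advisory describes. With the hardened flow the first login is rejected and the second creates a separate account; how the vendor actually resolved the issue is not stated on this page.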


How to mitigate CVE-2026-33665

Install the security update from the vendor's website. Because the account linkage created by this attack persists after the LDAP email attribute is reverted, also review existing LDAP-to-local account links on instances where LDAP authentication was active and remove any that bind an account to an unexpected LDAP identity.
