CVE-2026-33720: OAuth Callback Authorization Bypass in n8n via State Ownership Verification Failure
Vulnerability ID: CVE-2026-33720
CVSS Score: 6.3
Published: 2026-03-25
n8n versions prior to 2.8.0 suffer from an Incorrect Authorization (CWE-863) vulnerability caused by flawed evaluation of the N8N_SKIP_AUTH_ON_OAUTH_CALLBACK environment variable. Because of this logic error the application skips verifying that the OAuth state parameter belongs to the user completing the callback, which lets an attacker on a multi-tenant instance hijack OAuth tokens issued to other users.
TL;DR
A logic flaw in n8n's OAuth callback handler lets an attacker bypass ownership verification of the state parameter, leading to cross-user OAuth token theft on shared instances. Upgrading to version 2.8.0 patches the vulnerability.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-863
- Attack Vector: Network
- CVSS Score: 6.3 (Medium)
- Impact: OAuth Token Hijacking
- Exploit Status: Proof of Concept
- KEV Status: Not Listed
- Patch Status: Fixed in 2.8.0
Affected Systems
- n8n Workflow Automation Platform
- n8n: < 2.8.0 (Fixed in: 2.8.0)
Mitigation Strategies
- Upgrade n8n to version 2.8.0 or later.
- Verify N8N_SKIP_AUTH_ON_OAUTH_CALLBACK is not set to true in production.
- Restrict multi-user access to trusted personnel.
Remediation Steps
- Identify running n8n instances and check their current version.
- Audit environment variables in the deployment configuration (Docker, Kubernetes, etc.) for N8N_SKIP_AUTH_ON_OAUTH_CALLBACK.
- Deploy version 2.8.0 using the appropriate container registry or package manager.
- Verify successful deployment and monitor OAuth connection logs for anomalies.