CVE-2026-56350: SSO Enforcement Bypass in n8n via API Parameter Pollution / Mass Assignment
Vulnerability ID: CVE-2026-56350
CVSS Score: 6.3
Published: 2026-06-30
A mass assignment vulnerability (CWE-915) in n8n's self-service settings API endpoint (PATCH /me/settings) allows authenticated Single Sign-On (SSO) users to disable SSO enforcement for their accounts by injecting administrative parameters. This bypasses organizational identity provider controls and multi-factor authentication (MFA).
TL;DR
Authenticated SSO users can bypass SSO enforcement and log in with email/password credentials by exploiting a mass assignment flaw in n8n's settings endpoint.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-285, CWE-915
- Attack Vector: Network
- CVSS v3.1 Score: 6.3 (Medium)
- CVSS v4.0 Score: 6.0 (Medium)
- Exploit Status: PoC / Simulated
- CISA KEV Status: Not Listed
- Remediation Status: Patched in v2.8.0
Affected Systems
- n8n (npm package)
-
n8n: < 2.8.0 (Fixed in:
2.8.0)
Code Analysis
Commit: a70b2ea
Create strict self-service DTO to prevent privilege escalation / SSO bypass via MeController settings update
Mitigation Strategies
- Upgrade n8n deployment to version 2.8.0 or newer to enforce strict schema separation.
- Regularly audit the underlying database for anomalous SSO bypass configuration flags on standard user accounts.
- Implement perimeter API rules using a Web Application Firewall (WAF) to detect or block unauthorized settings modifications.
Remediation Steps:
- Identify all current n8n container or platform instances in production.
- Modify deployment configuration files (such as docker-compose.yml) to target tag 2.8.0 or higher.
- Perform a rolling deployment to update the active application bin.
- Run the diagnostic database query to verify if any accounts contain manual settings bypass flags: SELECT id, email, settings FROM "user" WHERE settings::jsonb ->> 'allowSSOManualLogin' = 'true';
- If matching records are found, reset the database field and review session logs for unauthorized activity on those accounts.
References
- GitHub Security Advisory GHSA-vjf3-2gpj-233v
- VulnCheck Security Advisory
- Fix Commit
- n8n Release v2.8.0
Read the full report for CVE-2026-56350 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)