DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-56350: CVE-2026-56350: SSO Enforcement Bypass in n8n via API Parameter Pollution / Mass Assignment

CVE-2026-56350: SSO Enforcement Bypass in n8n via API Parameter Pollution / Mass Assignment

Vulnerability ID: CVE-2026-56350
CVSS Score: 6.3
Published: 2026-06-30

A mass assignment vulnerability (CWE-915) in n8n's self-service settings API endpoint (PATCH /me/settings) allows authenticated Single Sign-On (SSO) users to disable SSO enforcement for their accounts by injecting administrative parameters. This bypasses organizational identity provider controls and multi-factor authentication (MFA).

TL;DR

Authenticated SSO users can bypass SSO enforcement and log in with email/password credentials by exploiting a mass assignment flaw in n8n's settings endpoint.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-285, CWE-915
  • Attack Vector: Network
  • CVSS v3.1 Score: 6.3 (Medium)
  • CVSS v4.0 Score: 6.0 (Medium)
  • Exploit Status: PoC / Simulated
  • CISA KEV Status: Not Listed
  • Remediation Status: Patched in v2.8.0

Affected Systems

  • n8n (npm package)
  • n8n: < 2.8.0 (Fixed in: 2.8.0)

Code Analysis

Commit: a70b2ea

Create strict self-service DTO to prevent privilege escalation / SSO bypass via MeController settings update

Mitigation Strategies

  • Upgrade n8n deployment to version 2.8.0 or newer to enforce strict schema separation.
  • Regularly audit the underlying database for anomalous SSO bypass configuration flags on standard user accounts.
  • Implement perimeter API rules using a Web Application Firewall (WAF) to detect or block unauthorized settings modifications.

Remediation Steps:

  1. Identify all current n8n container or platform instances in production.
  2. Modify deployment configuration files (such as docker-compose.yml) to target tag 2.8.0 or higher.
  3. Perform a rolling deployment to update the active application bin.
  4. Run the diagnostic database query to verify if any accounts contain manual settings bypass flags: SELECT id, email, settings FROM "user" WHERE settings::jsonb ->> 'allowSSOManualLogin' = 'true';
  5. If matching records are found, reset the database field and review session logs for unauthorized activity on those accounts.

References


Read the full report for CVE-2026-56350 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)