CVE-2026-33665
LDAP Email Attribute Manipulation Enables n8n Account Takeover
Publication date: 2026-03-25
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| n8n | n8n | From 2.0.0 (inc) to 2.4.0 (exc) |
| n8n | n8n | to 1.121.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to gain unauthorized access to user accounts, including administrator accounts, by exploiting the automatic LDAP email-based account linking mechanism. Such unauthorized access and potential data modification can lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.
Specifically, the permanent account takeover resulting from this vulnerability compromises confidentiality and integrity of data, which are core principles in compliance frameworks. Organizations using affected versions of n8n with LDAP authentication enabled may face increased risk of non-compliance due to insufficient authentication controls and potential data breaches.
To mitigate these compliance risks, it is critical to upgrade to fixed versions (2.4.0 or 1.121.0 and later) or apply temporary mitigations such as disabling LDAP authentication, restricting LDAP directory permissions, and auditing account linkages, although these do not fully eliminate the risk.
Can you explain this vulnerability to me?
CVE-2026-33665 is a high-severity vulnerability in the n8n workflow automation platform versions prior to 2.4.0 and 1.121.0 when LDAP authentication is enabled.
The vulnerability occurs because n8n automatically links an LDAP identity to an existing local account if the LDAP email attribute matches the local account's email.
An authenticated LDAP user who can modify their own LDAP email attribute can set it to another user's email address, including an administrator's, and gain full access to that account upon login.
This linkage persists even if the LDAP email attribute is later reverted, resulting in a permanent account takeover.
The issue arises from improper authentication where the system insufficiently verifies the authenticity of the LDAP email attribute during account linking.
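The following toy model is added here to make the mechanism concrete; it is illustrative code written for this page, not n8n's implementation, and every name in it (`LocalAccount`, `LdapEntry`, `vulnerable_login`, `hardened_login`) is an assumption. The vulnerable path mirrors the behaviour described above: the first login matches on the `mail` attribute and records a link, and from then on the account is selected by the directory identifier, so reverting `mail` changes nothing. The hardened path shows one defensible design (an assumption, not the vendor's fix): the directory-assigned identifier is the only key that selects an account, and an email collision with an unlinked local account is refused and left for an administrator rather than auto-linked.

```python
"""Toy model of LDAP-to-local account linking (illustrative, not n8n code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class LocalAccount:
    email: str
    role: str
    ldap_id: Optional[str] = None  # set once the account is linked to an LDAP identity


@dataclass
class LdapEntry:
    uid: str   # directory-assigned identifier (e.g. entryUUID); users cannot change it
    mail: str  # user-editable in a permissively configured directory


class LinkError(Exception):
    """Raised when an LDAP login would silently take over an existing local account."""


def vulnerable_login(entry: LdapEntry, accounts: list[LocalAccount]) -> LocalAccount:
    """Behaviour described in the advisory: match on email, link, and persist the link."""
    for acct in accounts:
        if acct.ldap_id == entry.uid:      # already linked: email is no longer consulted
            return acct
    for acct in accounts:
        if acct.email.lower() == entry.mail.lower():
            acct.ldap_id = entry.uid       # silent, permanent link to whoever owns this email
            return acct
    acct = LocalAccount(email=entry.mail, role="member", ldap_id=entry.uid)
    accounts.append(acct)
    return acct


def hardened_login(entry: LdapEntry, accounts: list[LocalAccount]) -> LocalAccount:
    """Assumed hardened design: only the directory identifier selects an account;
    an email collision with an unlinked local account is refused, not auto-linked."""
    for acct in accounts:
        if acct.ldap_id == entry.uid:
            return acct
    for acct in accounts:
        if acct.email.lower() == entry.mail.lower():
            raise LinkError(
                f"LDAP {entry.uid} presents the email of an existing local "
                f"{acct.role} account; linking requires administrator action"
            )
    acct = LocalAccount(email=entry.mail, role="member", ldap_id=entry.uid)
    accounts.append(acct)
    return acct


def demo_persistence() -> tuple[str, str, Optional[str]]:
    """Show that under the vulnerable path the link outlives a revert of the mail attribute."""
    accounts = [LocalAccount(email="owner@example.test", role="owner")]  # constructed
    entry = LdapEntry(uid="uuid-1234", mail="owner@example.test")         # constructed
    first = vulnerable_login(entry, accounts)
    entry.mail = "someone@example.test"   # mail attribute reverted after the first login
    second = vulnerable_login(entry, accounts)
    return first.role, second.role, accounts[0].ldap_id


if __name__ == "__main__":
    print(demo_persistence())
```

The `demo_persistence` result (`('owner', 'owner', 'uuid-1234')`) is the whole story of the advisory in one tuple: the second login no longer depends on `mail` at all, which is why a directory-side revert is not a remediation and why the mitigation list below includes auditing existing linkages.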
How can this vulnerability impact me?
This vulnerability allows an attacker with low-level LDAP privileges to escalate their privileges by taking over other user accounts, including administrator accounts.
Once the attacker sets their LDAP email attribute to match another user's email, they gain full access to that user's account in n8n.
The account takeover is permanent because the linkage between the LDAP identity and the local account remains even if the LDAP email attribute is reverted.
This can lead to unauthorized access, modification of system data, and compromise of confidentiality and integrity within the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by auditing existing LDAP-linked accounts for unexpected or suspicious account associations, especially cases where an LDAP identity is linked to a local account with a matching email attribute that may have been manipulated.
Since the issue involves LDAP email attribute manipulation, administrators should review LDAP directory permissions to identify if users have the ability to modify their own email attributes.
Specific commands depend on your LDAP and system environment, but general approaches include:
- Query LDAP directory to check email attributes for users and verify if any have been changed recently or match privileged accounts.
- Use LDAP search commands such as `ldapsearch` to list user email attributes and compare them against local n8n accounts.
- Audit n8n application logs for login events where LDAP authentication linked to local accounts, looking for unusual or unexpected account linkages.
- Example command to search LDAP emails (adjust base DN and filter as needed): `ldapsearch -x -b "dc=example,dc=com" "(mail=*)" mail`
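As an added example of the audit described in the list above (not code from the page or from the n8n project), the script below parses the LDIF that `ldapsearch -x -b "dc=example,dc=com" "(mail=*)" mail` prints and cross-checks it against a list of local n8n accounts. Both inputs are constructed samples; the shape of the account list (email, role, linked LDAP DN) and the role names are assumptions, since the page does not specify n8n's export format. It reports three conditions relevant to this CVE: the same `mail` value on more than one directory entry, a directory entry carrying the email of a local account it is not linked to (rated HIGH for privileged roles), and an existing link whose directory entry no longer carries the account's email or no longer exists, which is what a linkage looks like after the `mail` attribute has been reverted.

```python
"""Cross-check LDAP mail attributes against n8n local accounts (illustrative audit)."""
from __future__ import annotations

import base64
from collections import defaultdict

# Constructed sample of `ldapsearch -x -b "dc=example,dc=com" "(mail=*)" mail` output.
# The third entry uses LDIF base64 encoding (`mail::`) as ldapsearch does for some values.
SAMPLE_LDIF = """\
# extended LDIF
#
dn: uid=alice,ou=people,dc=example,dc=com
mail: alice@example.com

dn: uid=bob,ou=people,dc=example,dc=com
mail: admin@example.com

dn: uid=carol,ou=people,dc=example,dc=com
mail:: Y2Fyb2xAZXhhbXBsZS5jb20=

# search result
search: 2
result: 0 Success
"""

# Constructed local account list; field names and role names are assumptions.
SAMPLE_ACCOUNTS = [
    {"email": "admin@example.com", "role": "owner", "ldap_dn": None},
    {"email": "alice@example.com", "role": "member",
     "ldap_dn": "uid=alice,ou=people,dc=example,dc=com"},
    {"email": "dave@example.com", "role": "member",
     "ldap_dn": "uid=dave,ou=people,dc=example,dc=com"},
    {"email": "erin@example.com", "role": "member",
     "ldap_dn": "uid=carol,ou=people,dc=example,dc=com"},
]

PRIVILEGED = {"owner", "admin"}  # assumed names of privileged roles


def parse_ldif_mail(text: str) -> dict[str, list[str]]:
    """Return {dn: [lower-cased mail values]} from LDIF output.
    Handles folded continuation lines and base64 (`mail::`) values; comment
    lines and the trailing 'search:'/'result:' summary are ignored."""
    unfolded: list[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # continuation of the previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: dict[str, list[str]] = {}
    dn = None
    for line in unfolded:
        if not line:            # blank line ends the current entry
            dn = None
            continue
        if line.startswith("#"):
            continue
        if line.startswith("dn:"):
            dn = line[3:].strip()
            entries[dn] = []
        elif dn and line.startswith("mail::"):
            entries[dn].append(base64.b64decode(line[6:].strip()).decode().lower())
        elif dn and line.startswith("mail:"):
            entries[dn].append(line[5:].strip().lower())
    return entries


def audit(ldif_text: str, accounts: list[dict]) -> list[str]:
    """Produce one finding per suspicious directory/account relationship."""
    findings: list[str] = []
    ldap = parse_ldif_mail(ldif_text)
    by_email = {a["email"].lower(): a for a in accounts}

    # 1. The same mail value on several entries is always worth a look.
    holders: dict[str, list[str]] = defaultdict(list)
    for dn, mails in ldap.items():
        for m in mails:
            holders[m].append(dn)
    for m, dns in holders.items():
        if len(dns) > 1:
            findings.append(f"DUPLICATE_MAIL {m} on {len(dns)} entries: {', '.join(dns)}")

    # 2. An entry carrying a local account's email without being linked to it is the
    #    precondition for the takeover described in this CVE.
    for dn, mails in ldap.items():
        for m in mails:
            acct = by_email.get(m)
            if acct and acct["ldap_dn"] != dn:
                sev = "HIGH" if acct["role"] in PRIVILEGED else "MEDIUM"
                findings.append(f"{sev} EMAIL_COLLISION {dn} carries mail of local "
                                f"{acct['role']} account {m} (linked to {acct['ldap_dn']})")

    # 3. A link whose entry no longer carries the account's email (or is gone) is what
    #    remains after a mail attribute has been reverted.
    for a in accounts:
        dn = a["ldap_dn"]
        if dn is None:
            continue
        if dn not in ldap:
            findings.append(f"ORPHAN_LINK local {a['email']} linked to missing entry {dn}")
        elif a["email"].lower() not in ldap[dn]:
            findings.append(f"STALE_LINK local {a['email']} linked to {dn} "
                            f"whose mail is now {ldap[dn]}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF, SAMPLE_ACCOUNTS):
        print(finding)
```

Run against live data by piping real `ldapsearch` output into `parse_ldif_mail` and loading the account list from wherever your deployment keeps it; the STALE_LINK and ORPHAN_LINK checks are the ones that catch a takeover that has already happened, because the email match that created the link is no longer visible in the directory.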
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading n8n to version 2.4.0, 1.121.0, or later where the vulnerability is fixed.
If upgrading is not immediately possible, consider the following temporary mitigations:
- Disable LDAP authentication until the instance can be upgraded.
- Restrict LDAP directory permissions to prevent users from modifying their own email attributes.
- Audit existing LDAP-linked accounts for unexpected or suspicious account associations.
Note that these workarounds do not fully remediate the risk and should only be used as short-term measures.