CVE-2026-33720
OAuth State Verification Bypass in n8n Enables Token Theft
Publication date: 2026-03-25
Last updated on: 2026-03-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| n8n | n8n | < 2.8.0 (2.8.0 is the fixed release) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | Incorrect Authorization: the product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33720 is an authorization bypass vulnerability in the n8n workflow automation platform that occurs when the environment variable N8N_SKIP_AUTH_ON_OAUTH_CALLBACK is set to true. In affected versions prior to 2.8.0, this setting causes the OAuth callback handler to skip verifying ownership of the OAuth state parameter.
This flaw allows an attacker to trick a victim into completing an OAuth flow linked to a credential object controlled by the attacker. As a result, the victim's OAuth tokens are stored in the attacker's credential, enabling the attacker to execute workflows impersonating the victim.
This vulnerability only affects n8n instances explicitly configured with N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true, which is not the default setting. The issue was fixed in n8n version 2.8.0.
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker to hijack a victim's OAuth tokens by tricking them into completing an OAuth flow tied to the attacker's credentials.
With these stolen tokens, the attacker can execute workflows on behalf of the victim, potentially performing unauthorized actions within the n8n platform.
This can lead to unauthorized access, data manipulation, or other malicious activities impersonating the victim user.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The bypass is only reachable when the environment variable N8N_SKIP_AUTH_ON_OAUTH_CALLBACK is explicitly set to true on the n8n instance, so detection is a configuration check rather than a network scan.
Check the environment of the running n8n process or container for the presence and value of N8N_SKIP_AUTH_ON_OAUTH_CALLBACK, and record the installed n8n version.
- On a Linux host, find the process with `pgrep -af n8n` and read its environment (as root or as the user n8n runs as) with `tr '\0' '\n' < /proc/<pid>/environ | grep N8N_SKIP_AUTH_ON_OAUTH_CALLBACK`.
- If n8n runs in a Docker container, use `docker exec <container_id> printenv N8N_SKIP_AUTH_ON_OAUTH_CALLBACK` (it prints nothing and exits non-zero when the variable is unset). Also review any env file or compose file the container is started from, since the variable may be injected there rather than baked into the image.
If the variable is set to true and the version is below 2.8.0, the instance is vulnerable. On 2.8.0 or later the bypass is fixed, but a flag that is still set should be reviewed, since it is a non-default setting that should only be enabled when strictly required.
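The check above, written out as a small POSIX shell script (an added example, not code from n8n or from the advisory). It takes the installed version string and an environment dump, either NUL-separated as in `/proc/<pid>/environ` or one `VAR=value` per line as `docker inspect` prints it, and reports whether the instance is exposed. The sample environments at the bottom are constructed for the demo, not captured from a real host; the assumption that a pre-release suffix such as `2.8.0-rc1` compares as `2.8.0` is the script's own.

```shell
#!/bin/sh
# Added example, not n8n project code: assess exposure to CVE-2026-33720 from
# (1) the installed n8n version and (2) a dump of the process environment.
# The dump may be NUL-separated (/proc/<pid>/environ) or newline-separated
# (docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' <id>).

# version_lt A B: exit 0 if dotted version A is numerically lower than B.
# Assumption: a pre-release suffix ("2.8.0-rc1") compares as its numeric part.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# skip_auth_value ENVFILE: print the value of N8N_SKIP_AUTH_ON_OAUTH_CALLBACK,
# or nothing if it is unset. tr normalises NUL separators to newlines and
# leaves an already newline-separated dump unchanged.
skip_auth_value() {
    tr '\0' '\n' < "$1" | sed -n 's/^N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=//p' | head -n 1
}

# assess VERSION ENVFILE: print a verdict; exit 0 only when the instance is
# exposed, i.e. the flag is the literal "true" AND the version is below 2.8.0.
assess() {
    ver=$1
    val=$(skip_auth_value "$2")
    if [ -z "$val" ]; then
        echo "NOT AFFECTED: N8N_SKIP_AUTH_ON_OAUTH_CALLBACK is not set (n8n $ver)"
        return 1
    fi
    if [ "$val" != "true" ]; then
        # The advisory names the value "true" as the trigger; any other value is
        # reported so an operator can confirm it really is treated as disabled.
        echo "REVIEW: N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=$val is not the literal true (n8n $ver)"
        return 1
    fi
    if version_lt "$ver" 2.8.0; then
        echo "VULNERABLE: n8n $ver with N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true (fixed in 2.8.0)"
        return 0
    fi
    echo "PATCHED: n8n $ver is 2.8.0 or later, but the flag is still enabled; drop it unless required"
    return 1
}

# Demo on constructed environment dumps (not captured from a real system).
SAMPLE_DIR=$(mktemp -d)
printf 'HOME=/home/node\0N8N_PORT=5678\0N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true\0' > "$SAMPLE_DIR/exposed.environ"
printf 'HOME=/home/node\0N8N_PORT=5678\0' > "$SAMPLE_DIR/clean.environ"

assess 2.7.4 "$SAMPLE_DIR/exposed.environ"
assess 2.8.0 "$SAMPLE_DIR/exposed.environ"
assess 2.7.4 "$SAMPLE_DIR/clean.environ"
rm -rf "$SAMPLE_DIR"

# Live use on a host (run as root or the n8n user; supply the installed version yourself):
#   for pid in $(pgrep -f n8n); do assess <version> "/proc/$pid/environ"; done
# Live use on a container:
#   docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' <id> > env.txt
#   assess <version> env.txt
```

The version is passed in explicitly rather than parsed from the CLI so the same function works for hosts, containers and config reviews; `awk` does the numeric comparison so `2.10.0` is correctly ranked above `2.8.0`, which a plain string compare would get wrong.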
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade n8n to version 2.8.0 or later, where the vulnerability has been fixed.
If upgrading immediately is not possible, consider the following temporary mitigations:
- Unset N8N_SKIP_AUTH_ON_OAUTH_CALLBACK (or set it to false) and restart n8n. Because the bypass is only reachable with the flag set to true, this removes the vulnerable condition on unpatched versions; afterwards, confirm that the OAuth credential flows you rely on still complete without it.
- Restrict access to the n8n instance to fully trusted users only, since the attack requires an attacker who controls a credential on the same instance and can lure a victim into completing its OAuth flow.
Restricting access on its own does not remediate the flaw; treat both as short-term measures until the upgrade has been performed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to hijack OAuth tokens and impersonate victims in workflow executions by bypassing authorization checks when a specific environment variable is enabled.
Such unauthorized access to OAuth tokens and potential misuse of user credentials could lead to violations of data protection and privacy requirements found in standards like GDPR and HIPAA, which mandate strict controls over user authentication and authorization.
Therefore, if exploited, this vulnerability could compromise the confidentiality and integrity of sensitive data, potentially resulting in non-compliance with these regulations.
Mitigation involves upgrading to n8n version 2.8.0 or later and avoiding enabling the vulnerable configuration, which helps maintain compliance by preventing unauthorized access.