n8n, OAuth Credential Reconnect Authorization Bypass, CVE-2026-45732 (High)

Listen to this Post

The vulnerability exists because the OAuth1 and OAuth2 credential reconnect endpoints incorrectly authorize access. They check for the `credential:read` permission instead of the required `credential:update` permission. An authenticated user with only read-only access to a shared credential can initiate an OAuth reconnect flow. During this flow, the user can overwrite the stored token material for that credential with tokens bound to an external account they control. Once the token material is replaced, any workflows relying on the affected credential will execute under the attacker’s OAuth identity. This allows the attacker to exfiltrate data to external services they control and achieve persistent takeover of shared integrations. The issue only affects instances where credentials are shared with other users or across projects. The flaw is due to improper access control in the OAuth credential reconnect endpoints. The vulnerability can be exploited remotely without user interaction, requiring low privileges. The CVSS 3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N. The issue is fixed in n8n versions 1.123.43, 2.20.7, and 2.21.1.

DailyCVE Form

Platform: n8n
Version: <2.20.7 (or <1.123.43, <2.21.1)
Vulnerability: Authorization Bypass
Severity: High
date: 2026-05-13

Prediction: Patch is available

What Undercode Say:

Check current n8n version
n8n --version
Audit shared credentials for unexpected OAuth token changes
grep -r "credential:read" /path/to/n8n/config
Simulate the attack with a Python script
import requests
url = "http://target-n8n.com/api/v1/credentials/123/reconnect"
headers = {"Authorization": "Bearer <read-only-token>"}
data = {"oauth_token": "attacker_controlled_token"}
response = requests.post(url, headers=headers, json=data)
print(response.status_code)

Exploit:

1. Identify a shared credential with read-only access.

  1. Initiate an OAuth reconnect flow to the credential’s reconnect endpoint.
  2. Overwrite the stored token material with tokens bound to an attacker-controlled external account.
  3. Workflows using the compromised credential will now execute under the attacker’s identity.

Protection from this CVE

Upgrade to n8n versions 1.123.43, 2.20.7, or 2.21.1 or later. If upgrading is not immediately possible, restrict credential sharing to fully trusted users only. Additionally, audit shared credentials for unexpected OAuth token changes and revoke any tokens that may have been replaced.

Impact

An authenticated user with read-only access to a shared credential can take over that credential. This leads to persistent takeover of shared integrations and data exfiltration to attacker-controlled external services. The integrity of the system is highly impacted, while confidentiality and availability are not directly affected.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top