{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/n8n--2.21.0--2.21.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["n8n (\u003c 1.123.43)","n8n (\u003e= 2.21.0, \u003c 2.21.1)","n8n (\u003e= 2.0.0-rc.0, \u003c 2.20.7)"],"_cs_severities":["high"],"_cs_tags":["authorization-bypass","oauth","credential-theft"],"_cs_type":"advisory","_cs_vendors":["n8n GmbH"],"content_html":"\u003cp\u003eA cross-user authorization bypass vulnerability exists in n8n\u0026rsquo;s Dynamic Credential OAuth endpoints. Specifically, the OAuth1 and OAuth2 credential reconnect endpoints incorrectly authorized access using \u003ccode\u003ecredential:read\u003c/code\u003e instead of the necessary \u003ccode\u003ecredential:update\u003c/code\u003e permission. This flaw allows an authenticated user with only read-only access to a shared credential to initiate an OAuth reconnect flow. By doing so, the attacker can overwrite the stored token material for the credential with tokens bound to an external account under their control. This can lead to workflows relying on the compromised credential executing under the attacker\u0026rsquo;s OAuth identity. The issue affects n8n versions before 1.123.43, versions between 2.0.0-rc.0 and 2.20.7, and versions between 2.21.0 and 2.21.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to an n8n instance with shared credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a shared credential to which they have read-only access.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the OAuth1 or OAuth2 credential reconnect endpoint for the target credential.\u003c/li\u003e\n\u003cli\u003eDue to the authorization bypass (CVE-2026-45732), the attacker is able to initiate an OAuth reconnect flow despite lacking update permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates with their own external OAuth provider account.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s OAuth tokens are used to overwrite the existing tokens for the shared credential.\u003c/li\u003e\n\u003cli\u003eWorkflows using the shared credential now execute under the attacker\u0026rsquo;s OAuth identity.\u003c/li\u003e\n\u003cli\u003eThe attacker can exfiltrate data to attacker-controlled external services or maintain persistent access to shared integrations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-45732) allows an attacker to overwrite OAuth tokens in shared credentials, leading to data exfiltration to attacker-controlled external services. This can result in persistent takeover of shared integrations, potentially impacting multiple users or projects that rely on the compromised credential. The affected instances are those where credentials are shared with other users or across projects, creating a significant risk of unauthorized access and data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to version 1.123.43, 2.20.7, 2.21.1, or later to remediate CVE-2026-45732 as advised in the advisory.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not possible, restrict credential sharing to fully trusted users as a temporary mitigation.\u003c/li\u003e\n\u003cli\u003eAudit shared credentials for unexpected OAuth token changes and revoke any tokens that may have been replaced as an additional short-term measure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T16:25:42Z","date_published":"2026-05-14T16:25:42Z","id":"https://feed.craftedsignal.io/briefs/2026-05-n8n-oauth-bypass/","summary":"CVE-2026-45732 describes a high-severity authorization bypass vulnerability in n8n's OAuth1 and OAuth2 credential reconnect endpoints, where insufficient permission checks allow a user with read-only access to overwrite OAuth tokens, potentially leading to data exfiltration and persistent takeover of shared integrations.","title":"n8n Cross-User Authorization Bypass in Dynamic Credential OAuth Endpoints (CVE-2026-45732)","url":"https://feed.craftedsignal.io/briefs/2026-05-n8n-oauth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — N8n (\u003e= 2.21.0, \u003c 2.21.1)","version":"https://jsonfeed.org/version/1.1"}