CVE-2026-45732

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, the OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read rather than credential:update. An authenticated user with read-only access to a shared credential could initiate an OAuth reconnect flow and overwrite the stored token material for that credential with tokens bound to an external account they control. Workflows relying on the affected credential would subsequently execute under the attacker's OAuth identity, enabling data exfiltration to attacker-controlled external services and persistent takeover of shared integrations. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/n8n-io/n8n/security/advisories/GHSA-6h4j-wcr9-2vg7	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:n8n:n8n::::::node.js::*
	cpe:2.3:a:n8n:n8n::::::node.js::*
	cpe:2.3:a:n8n:n8n::::::node.js::*

History

24 Jun 2026, 13:56

Type	Values Removed	Values Added
References	~~() https://github.com/n8n-io/n8n/security/advisories/GHSA-6h4j-wcr9-2vg7 -~~	() https://github.com/n8n-io/n8n/security/advisories/GHSA-6h4j-wcr9-2vg7 - Mitigation, Vendor Advisory
First Time		N8n N8n n8n
CPE		cpe:2.3:a:n8n:n8n::::::node.js::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.1

23 Jun 2026, 17:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-23 17:17

Updated : 2026-06-24 13:56

NVD link : CVE-2026-45732

Mitre link : CVE-2026-45732

CVE.ORG link : CVE-2026-45732

JSON object : View

Products Affected

n8n

n8n

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-45732", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "n8n-io", "product": "n8n", "versions": [{"status": "affected", "version": "< 1.123.43"}, {"status": "affected", "version": ">= 2.0.0-rc.0, < 2.20.7"}, {"status": "affected", "version": ">= 2.21.0, < 2.21.1"}]}]}], "published": "2026-06-23T17:17:00.700", "references": [{"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-6h4j-wcr9-2vg7", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, the OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read rather than credential:update. An authenticated user with read-only access to a shared credential could initiate an OAuth reconnect flow and overwrite the stored token material for that credential with tokens bound to an external account they control. Workflows relying on the affected credential would subsequently execute under the attacker's OAuth identity, enabling data exfiltration to attacker-controlled external services and persistent takeover of shared integrations. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7."}], "lastModified": "2026-06-24T13:56:52.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "9BE8A466-5048-4E10-AD9C-0C71EDF89B26", "versionEndExcluding": "1.123.43"}, {"criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "D93F4962-6B89-45B6-9697-DC611A6ABA5D", "versionEndExcluding": "2.20.7", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "080C6B5D-94B3-466D-9B60-D8B862E32A54", "versionEndExcluding": "2.22.1", "versionStartIncluding": "2.21.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}