Auth bypass in N8n-io N8n

CVE-2026-33720

n8n is an open source workflow automation platform. Prior to version 2.8.0, when the `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK` environment variable is set to `true`, the OAuth callback handler skips ownership verification of the OAuth state parame…

Vulnerability class: Broken Access Control

EPSS: 0.000 (2.9th percentile)

Affected products

Weakness classification (CWE)

References