Mar 25, 2026 · 5 min read
A logic flaw in n8n's OAuth callback handler allows attackers to bypass state parameter verification, leading to cross-user OAuth token theft on shared instances. Upgrading to version 2.8.0 patches the vulnerability.
n8n versions prior to 2.8.0 suffer from an Incorrect Authorization (CWE-863) vulnerability due to flawed evaluation of the N8N_SKIP_AUTH_ON_OAUTH_CALLBACK environment variable. This logic error causes the application to bypass ownership verification of the OAuth state parameter, enabling attackers to hijack OAuth tokens from other users on a multi-tenant instance.
The n8n workflow automation platform exposes an OAuth callback endpoint to facilitate external service integrations. Users configure credentials for third-party services, and n8n manages the OAuth 2.0 authorization code flow to obtain access and refresh tokens.
CVE-2026-33720 identifies a critical authorization failure within this callback handler in versions prior to 2.8.0. The vulnerability stems from the improper evaluation of the N8N_SKIP_AUTH_ON_OAUTH_CALLBACK environment variable.
When this vulnerability is triggered, the platform bypasses ownership verification of the OAuth state parameter. This failure allows an attacker to conduct a Cross-Site Request Forgery (CSRF) style attack against the OAuth flow, leading to the assignment of a victim's tokens to an attacker-controlled credential object.
The root cause of CVE-2026-33720 is a logic error in the boolean evaluation of an environment variable intended for testing purposes. The application introduces a configuration flag, N8N_SKIP_AUTH_ON_OAUTH_CALLBACK, to bypass authentication checks during end-to-end testing scenarios.
In vulnerable versions, the application evaluates this flag with an inequality check (`!==`) against the string literal 'true'. If the environment variable is undefined, or set to any value other than 'true', the inequality expression evaluates to true. This effectively reverses the intended logic, creating a fail-open condition.
Due to this flipped logic, the application skips the critical step of verifying the ownership of the OAuth state parameter during the callback phase. The state parameter is cryptographically tied to the user session that initiated the OAuth request, preventing cross-user token assignment. Bypassing this check removes the primary defense against CSRF in the OAuth 2.0 flow.
The vulnerability resides in the packages/cli/src/controllers/oauth/abstract-oauth.controller.ts file. The core issue is the assignment of the skipAuthOnOAuthCallback constant.
The vulnerable implementation executes process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK !== 'true'. When the environment variable is entirely unset (which is the default in production environments), undefined !== 'true' evaluates to true. This instructs the controller to skip authentication checks by default.
```ts
// Vulnerable Implementation
// With the variable unset, undefined !== 'true' is true, so auth is skipped by default.
export const skipAuthOnOAuthCallback = process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK !== 'true';
```

The patched implementation, introduced in PR #16944, abstracts the evaluation into a dedicated function. It correctly handles undefined values using the nullish coalescing operator (??) to enforce a safe default of 'false'. The function then uses strict equality (===) to verify the flag is explicitly enabled.
```ts
// Patched Implementation
export function shouldSkipAuthOnOAuthCallback() {
	// Unset variable falls back to 'false'; only an explicit 'true' skips auth.
	const value = process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK?.toLowerCase() ?? 'false';
	return value === 'true';
}

export const skipAuthOnOAuthCallback = shouldSkipAuthOnOAuthCallback();
```

Exploitation requires the attacker to have an active account on a multi-user n8n instance. The attacker initiates the attack by creating a new credential object for a target service, such as Google Drive or Salesforce.
During the initial OAuth connection phase, n8n generates a unique state parameter and binds it to the attacker's credential object. The attacker intercepts the authorization URL provided by n8n, which contains this specific state value, rather than completing the flow themselves.
The attacker then delivers this intercepted URL to a targeted victim who is also authenticated to the same n8n instance. When the victim clicks the link, they authorize the application with the third-party provider. The provider redirects the victim's browser back to n8n's callback endpoint, appending the authorization code and the attacker's state parameter.
Because the vulnerability disables state ownership verification, n8n accepts the callback payload. The system queries its database for the credential object associated with the provided state parameter, finds the attacker's object, and stores the newly minted access tokens there.
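To make the fail-open default concrete, here is an added example (not n8n's code) that models the callback's state-ownership check under both evaluations of the flag and runs the cross-user scenario described above; the credential store, user ids and handler shape are assumptions.

```javascript
// Added example (not n8n's code): models how the callback handler's
// state-ownership check behaves under the vulnerable and patched evaluation
// of N8N_SKIP_AUTH_ON_OAUTH_CALLBACK. All names below are assumptions.

// Vulnerable evaluation: undefined !== 'true' is true, so the check is skipped
// whenever the variable is unset or anything other than 'true'.
function skipAuthVulnerable(env) {
  return env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK !== 'true';
}

// Patched evaluation: safe default of 'false'; skip only when explicitly 'true'.
function skipAuthPatched(env) {
  const value = env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK?.toLowerCase() ?? 'false';
  return value === 'true';
}

// Constructed credential store: each state value is bound to the credential
// object (and therefore the user) that started the OAuth flow.
const credentialsByState = new Map([
  ['state-attacker-1', { id: 'cred-17', ownerId: 'user-attacker' }],
]);

// Simplified callback handler. The state lookup always happens; the flag
// decides whether the credential owner must match the authenticated caller.
function handleOAuthCallback({ state, authenticatedUserId }, skipAuth) {
  const credential = credentialsByState.get(state);
  if (!credential) return { accepted: false, reason: 'unknown state' };
  if (!skipAuth && credential.ownerId !== authenticatedUserId) {
    return { accepted: false, reason: 'state not owned by caller' };
  }
  return { accepted: true, credentialId: credential.id };
}

// Scenario from the advisory: the victim finishes the provider flow and lands
// on the callback carrying the attacker's state value.
const victimCallback = { state: 'state-attacker-1', authenticatedUserId: 'user-victim' };
const prodEnv = {}; // variable unset, the production default

function outcomeVulnerable() {
  return handleOAuthCallback(victimCallback, skipAuthVulnerable(prodEnv));
}
function outcomePatched() {
  return handleOAuthCallback(victimCallback, skipAuthPatched(prodEnv));
}

console.log('vulnerable:', outcomeVulnerable()); // accepted: tokens would land on cred-17
console.log('patched:', outcomePatched());       // rejected: state not owned by caller
```

Note that in the vulnerable version setting the variable to 'true' is the only way to enable the check, which is the inversion the patch corrects.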
The successful exploitation of CVE-2026-33720 results in complete compromise of the victim's integrated third-party accounts. The attacker gains valid access and refresh tokens for any service the victim authorizes during the exploited flow.
These tokens are stored directly within the attacker's n8n environment. The attacker can subsequently build automated workflows utilizing these credentials to exfiltrate data, modify records, or pivot into the victim's SaaS environments. This access persists until the tokens expire or the victim explicitly revokes the OAuth grant at the third-party provider.
The vulnerability carries a CVSS 4.0 score of 6.3 (Medium). The scoring reflects the requirement for user interaction (the victim must click the crafted link) and the specific prerequisite configuration, despite the severe confidentiality and integrity impact on the resulting third-party integration.
The primary remediation for CVE-2026-33720 is upgrading the n8n application to version 2.8.0 or later. This release contains the logic correction in the OAuth controller that enforces state parameter verification by default.
Administrators should audit their deployment environments to ensure the N8N_SKIP_AUTH_ON_OAUTH_CALLBACK environment variable is either unset or explicitly set to false. This variable is designed exclusively for automated testing and has no valid use case in a production environment.
Organizations utilizing multi-tenant n8n deployments should restrict access to trusted personnel. Enforcing strict network segmentation and limiting user provisioning minimizes the attack surface for internal cross-tenant exploitation.
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| n8n (n8n-io) | < 2.8.0 | 2.8.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-863 |
| Attack Vector | Network |
| CVSS Score | 6.3 (Medium) |
| Impact | OAuth Token Hijacking |
| Exploit Status | Proof of Concept |
| KEV Status | Not Listed |
| Patch Status | Fixed in 2.8.0 |
The software does not properly authorize a user's request, allowing an attacker to access restricted functionality.