CVE-2026-33720: n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK
When the N8N_SKIP_AUTH_ON_OAUTH_CALLBACK environment variable is set to true, the OAuth callback handler skips ownership verification of the OAuth state parameter. This allows an attacker to trick a victim into completing an OAuth flow against a credential object the attacker controls, causing the victim's OAuth tokens to be stored in the attacker's credential. The attacker can then use those tokens to execute workflows in the victim's name.
- This issue only affects instances where N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true is explicitly configured (non-default).
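To make the skipped check concrete, here is an added TypeScript example (not n8n's own code, and not modelled on its internals) of an OAuth callback handler that always verifies that the credential named in the state parameter belongs to the user finishing the flow, together with a small config audit that flags the unsafe environment setting. The state format ("credentialId.csrfToken"), the in-memory credential store, and all function and type names are hypothetical constructs for the illustration.

```typescript
// Added example, not n8n code: an OAuth callback that enforces credential
// ownership on the state parameter, plus an env audit for the unsafe flag.
// All types, names and the state format below are hypothetical.

interface Tokens {
  accessToken: string;
  refreshToken?: string;
}

interface Credential {
  id: string;
  ownerUserId: string;   // user who created the credential object
  tokens?: Tokens;
}

interface Session {
  userId: string;
  csrfToken: string;     // value minted when the OAuth flow was started
}

interface OAuthState {
  credentialId: string;
  csrfToken: string;
}

type CallbackResult =
  | { ok: true; credentialId: string }
  | { ok: false; reason: string };

// Constructed state format "credentialId.csrfToken". A real deployment would
// use a signed or HMAC-protected token; the ownership check is the point here.
function parseState(state: string): OAuthState | null {
  const dot = state.indexOf('.');
  if (dot <= 0 || dot === state.length - 1) return null;
  return { credentialId: state.slice(0, dot), csrfToken: state.slice(dot + 1) };
}

// Hardened callback: no configuration flag can skip authentication or the
// ownership check, so exchanged tokens can only land in the caller's own credential.
function handleOAuthCallback(
  session: Session | null,
  state: string,
  exchangedTokens: Tokens,
  store: Map<string, Credential>,
): CallbackResult {
  if (!session) return { ok: false, reason: 'unauthenticated callback' };

  const parsed = parseState(state);
  if (!parsed) return { ok: false, reason: 'malformed state' };

  const cred = store.get(parsed.credentialId);
  if (!cred) return { ok: false, reason: 'unknown credential' };

  // Ownership verification: this is the check the advisory says is skipped.
  if (cred.ownerUserId !== session.userId) {
    return { ok: false, reason: 'credential not owned by caller' };
  }
  // Session binding: the state must have been minted in this session (CSRF defence).
  if (parsed.csrfToken !== session.csrfToken) {
    return { ok: false, reason: 'state not bound to session' };
  }

  cred.tokens = exchangedTokens;
  return { ok: true, credentialId: cred.id };
}

// Config audit: report the non-default setting that enables the bypass.
function auditEnv(env: Record<string, string | undefined>): string[] {
  const findings: string[] = [];
  if ((env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK ?? '').trim().toLowerCase() === 'true') {
    findings.push(
      'N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true: OAuth callback skips ownership ' +
      'verification of the state parameter (CVE-2026-33720); unset it',
    );
  }
  return findings;
}

// Constructed scenario: a victim session completing a flow whose state names a
// credential owned by another user, versus a flow against the victim's own credential.
function demo(): { crossOwner: CallbackResult; legit: CallbackResult; findings: string[] } {
  const store = new Map<string, Credential>([
    ['cred-other', { id: 'cred-other', ownerUserId: 'other-user' }],
    ['cred-victim', { id: 'cred-victim', ownerUserId: 'victim' }],
  ]);
  const victim: Session = { userId: 'victim', csrfToken: 'tok-v' };
  const tokens: Tokens = { accessToken: 'constructed-access-token' };

  const crossOwner = handleOAuthCallback(victim, 'cred-other.tok-v', tokens, store);
  const legit = handleOAuthCallback(victim, 'cred-victim.tok-v', tokens, store);
  const findings = auditEnv({ N8N_SKIP_AUTH_ON_OAUTH_CALLBACK: 'true' });
  return { crossOwner, legit, findings };
}
```

In the constructed scenario, the cross-owner callback is rejected before any tokens are written, the legitimate one succeeds, and the audit reports the unsafe variable; the ownership and session-binding checks are the two conditions a reviewer should confirm cannot be disabled by configuration.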