CVE-2026-33665: CWE-287: Improper Authentication in n8n-io n8n
n8n versions prior to 2. 4. 0 and 1. 121. 0 contain an improper authentication vulnerability when LDAP authentication is enabled. An authenticated LDAP user who can modify their own LDAP email attribute could impersonate another user, including administrators, by matching their email, resulting in permanent account takeover. This occurs because n8n automatically links LDAP identities to existing local accounts based on email attribute matching, and the linkage persists even if the LDAP email is reverted. The vulnerability requires LDAP authentication to be configured and active. It has been fixed in n8n versions 2. 4.
AI Analysis
Technical Summary
CVE-2026-33665 is an improper authentication vulnerability (CWE-287) in the n8n workflow automation platform affecting versions before 2.4.0 and 1.121.0 when LDAP authentication is enabled. The issue arises because n8n automatically links an LDAP identity to a local account if the LDAP email attribute matches the local account's email. An authenticated LDAP user who can control their LDAP email attribute can set it to match another user's email, including administrators, thereby gaining full access to that account. This linkage remains even if the LDAP email attribute is later changed back, resulting in permanent account takeover. The vulnerability requires LDAP authentication to be enabled and configured. The vendor fixed this issue in versions 2.4.0 and 1.121.0. Temporary mitigations include disabling LDAP authentication, restricting LDAP email attribute modification permissions, and auditing existing LDAP-linked accounts for unexpected associations.
Potential Impact
An authenticated LDAP user with the ability to modify their own LDAP email attribute can impersonate any local user account in n8n, including administrators, leading to full account takeover. The account linkage is persistent, meaning the attacker retains access even if the LDAP email attribute is reverted. This can result in unauthorized access to sensitive workflows and data within the n8n platform. The vulnerability requires LDAP authentication to be enabled and active, so instances not using LDAP authentication are not affected.
Mitigation Recommendations
A fix is available in n8n versions 2.4.0 and 1.121.0; users should upgrade to one of these versions or later to remediate the vulnerability. If immediate upgrading is not possible, temporary mitigations include disabling LDAP authentication until the upgrade can be performed, restricting LDAP directory permissions to prevent users from modifying their own email attributes, and auditing existing LDAP-linked accounts for unexpected or unauthorized account associations. These temporary mitigations do not fully resolve the risk and should only be used as short-term measures.
CVE-2026-33665: CWE-287: Improper Authentication in n8n-io n8n
Description
n8n versions prior to 2. 4. 0 and 1. 121. 0 contain an improper authentication vulnerability when LDAP authentication is enabled. An authenticated LDAP user who can modify their own LDAP email attribute could impersonate another user, including administrators, by matching their email, resulting in permanent account takeover. This occurs because n8n automatically links LDAP identities to existing local accounts based on email attribute matching, and the linkage persists even if the LDAP email is reverted. The vulnerability requires LDAP authentication to be configured and active. It has been fixed in n8n versions 2. 4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33665 is an improper authentication vulnerability (CWE-287) in the n8n workflow automation platform affecting versions before 2.4.0 and 1.121.0 when LDAP authentication is enabled. The issue arises because n8n automatically links an LDAP identity to a local account if the LDAP email attribute matches the local account's email. An authenticated LDAP user who can control their LDAP email attribute can set it to match another user's email, including administrators, thereby gaining full access to that account. This linkage remains even if the LDAP email attribute is later changed back, resulting in permanent account takeover. The vulnerability requires LDAP authentication to be enabled and configured. The vendor fixed this issue in versions 2.4.0 and 1.121.0. Temporary mitigations include disabling LDAP authentication, restricting LDAP email attribute modification permissions, and auditing existing LDAP-linked accounts for unexpected associations.
Potential Impact
An authenticated LDAP user with the ability to modify their own LDAP email attribute can impersonate any local user account in n8n, including administrators, leading to full account takeover. The account linkage is persistent, meaning the attacker retains access even if the LDAP email attribute is reverted. This can result in unauthorized access to sensitive workflows and data within the n8n platform. The vulnerability requires LDAP authentication to be enabled and active, so instances not using LDAP authentication are not affected.
Mitigation Recommendations
A fix is available in n8n versions 2.4.0 and 1.121.0; users should upgrade to one of these versions or later to remediate the vulnerability. If immediate upgrading is not possible, temporary mitigations include disabling LDAP authentication until the upgrade can be performed, restricting LDAP directory permissions to prevent users from modifying their own email attributes, and auditing existing LDAP-linked accounts for unexpected or unauthorized account associations. These temporary mitigations do not fully resolve the risk and should only be used as short-term measures.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-23T15:23:42.220Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69c422f4f4197a8e3b7492f1
Added to database: 3/25/2026, 6:01:24 PM
Last enriched: 4/3/2026, 1:39:46 PM
Last updated: 5/10/2026, 7:15:27 AM
Views: 95
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.