
CVE-2026-33665: CWE-287: Improper Authentication in n8n-io n8n

Severity: High
Tags: Vulnerability, CVE-2026-33665, CWE-287
Published: Wed Mar 25 2026 (03/25/2026, 17:32:20 UTC)
Source: CVE Database V5
Vendor/Project: n8n-io
Product: n8n

Description

n8n is an open source workflow automation platform. Prior to versions 2.4.0 and 1.121.0, when LDAP authentication is enabled, n8n automatically linked an LDAP identity to an existing local account if the LDAP email attribute matched the local account's email. An authenticated LDAP user who could control their own LDAP email attribute could set it to match another user's email — including an administrator's — and upon login gain full access to that account. The account linkage persisted even if the LDAP email was later reverted, resulting in a permanent account takeover. LDAP authentication must be configured and active (non-default). The issue has been fixed in n8n versions 2.4.0 and 1.121.0. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Disable LDAP authentication until the instance can be upgraded, restrict LDAP directory permissions so that users cannot modify their own email attributes, and/or audit existing LDAP-linked accounts for unexpected account associations. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/25/2026, 18:16:26 UTC

Technical Analysis

The vulnerability CVE-2026-33665 in n8n, an open-source workflow automation platform, arises from improper authentication handling when LDAP authentication is enabled. In affected versions prior to 2.4.0 and 1.121.0, n8n automatically links an LDAP identity to an existing local account if the LDAP email attribute matches the local account's email. An attacker with authenticated LDAP access can exploit this by changing their LDAP email attribute to impersonate another user’s email, including that of administrators. Upon login, n8n links the attacker’s LDAP identity to the victim’s local account, granting full access. This linkage persists even if the LDAP email attribute is reverted, resulting in a permanent account takeover. The vulnerability requires LDAP authentication to be configured and active, which is not the default setting. The issue stems from insufficient verification of the LDAP email attribute's integrity and the automatic account linkage logic. The vulnerability has a CVSS 4.0 score of 8.8, reflecting high impact on confidentiality and integrity with low attack complexity and no user interaction required beyond authentication. The fix involves updating to n8n versions 2.4.0 or 1.121.0 or later, where the account linkage logic has been corrected to prevent unauthorized account takeover. Temporary mitigations include disabling LDAP authentication, restricting LDAP directory permissions to prevent users from modifying their own email attributes, and auditing existing LDAP-linked accounts for suspicious associations. However, these mitigations do not fully eliminate the risk and should be considered short-term measures until patching is possible.

Potential Impact

This vulnerability allows an authenticated LDAP user to escalate privileges by taking over any local account, including administrators, leading to full compromise of the n8n instance. The attacker gains unauthorized access to workflows, automation processes, and potentially sensitive data managed within n8n. This can result in data breaches, unauthorized modifications, disruption of automated business processes, and lateral movement within the network. Since the account linkage is permanent, even reverting LDAP attributes does not restore security, increasing the risk of persistent compromise. Organizations relying on n8n for critical automation workflows face significant confidentiality and integrity risks. The ease of exploitation combined with the high privileges that can be gained makes this a critical threat to organizations using LDAP authentication with vulnerable n8n versions.

Mitigation Recommendations

1. Upgrade n8n to version 2.4.0, 1.121.0, or later immediately to apply the official fix.
2. If upgrading is not feasible immediately, disable LDAP authentication to prevent exploitation.
3. Restrict LDAP directory permissions to prevent users from modifying their own email attributes, thereby blocking the primary attack vector.
4. Conduct a thorough audit of all LDAP-linked accounts in n8n to identify and remediate any unauthorized account linkages or suspicious activity.
5. Implement monitoring and alerting on LDAP attribute changes and n8n login events to detect potential exploitation attempts.
6. Review and harden n8n's authentication and user management policies to ensure no other automatic linkage mechanisms can be abused.
7. Educate administrators and users about the risk and signs of compromise related to LDAP authentication misuse.

These steps combined provide a layered defense until the patch can be applied.
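To make the linkage defect described in the technical analysis and the policy review in mitigation step 6 concrete, here is an added TypeScript illustration (not n8n's code; the user model, function names and sample identities are hypothetical) of an e-mail-keyed auto-link beside a policy that keys on the directory-controlled identifier and refuses e-mail collisions:

```typescript
// Added illustration, not n8n's code: the e-mail-keyed linkage the advisory describes
// beside a DN-keyed policy. Types, names and sample data are hypothetical.
export interface LocalUser { id: string; email: string; role: "owner" | "member"; ldapDn?: string }
export interface LdapIdentity { dn: string; email: string } // mail attribute: user-editable in the directory

const norm = (e: string): string => e.trim().toLowerCase();

// Pre-fix behaviour from the advisory: an unknown DN is matched to a local account by
// e-mail alone, and the match is written to that account, so the binding outlives any
// later change to the LDAP mail attribute.
export function loginVulnerable(users: LocalUser[], who: LdapIdentity): LocalUser | undefined {
  const byDn = users.find((u) => u.ldapDn === who.dn);
  if (byDn) return byDn;                                    // persisted link wins, email ignored
  const byEmail = users.find((u) => norm(u.email) === norm(who.email));
  if (byEmail) byEmail.ldapDn = who.dn;                     // silent, permanent re-binding
  return byEmail;
}

export type LoginResult =
  | { outcome: "ok"; user: LocalUser }
  | { outcome: "conflict"; reason: string };

// Hardened policy: only a directory-controlled identifier (DN here; entryUUID where
// available is more stable across renames) may select an existing account. An e-mail
// collision with a local account not linked to this DN is refused and reported so an
// administrator confirms the linkage explicitly instead of the login doing it.
export function loginHardened(users: LocalUser[], who: LdapIdentity): LoginResult {
  const byDn = users.find((u) => u.ldapDn === who.dn);
  if (byDn) return { outcome: "ok", user: byDn };
  const byEmail = users.find((u) => norm(u.email) === norm(who.email));
  if (byEmail) {
    return {
      outcome: "conflict",
      reason: `local account ${byEmail.id} already uses ${who.email}; admin must confirm link for ${who.dn}`,
    };
  }
  // First sight of this DN with an unused e-mail: provision a fresh, least-privilege account.
  const created: LocalUser = { id: `ldap:${who.dn}`, email: who.email, role: "member", ldapDn: who.dn };
  users.push(created);
  return { outcome: "ok", user: created };
}
```

The conflict outcome is also the event worth alerting on under mitigation step 5, since it surfaces exactly the e-mail collision the advisory describes.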


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-23T15:23:42.220Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69c422f4f4197a8e3b7492f1

Added to database: 3/25/2026, 6:01:24 PM

Last enriched: 3/25/2026, 6:16:26 PM

Last updated: 3/26/2026, 5:28:00 AM
