The vulnerability identified as CVE-2026-33720 affects the open-source workflow automation platform n8n in versions prior to 2.8.0. The root cause is an incorrect authorization check (CWE-863) in the OAuth callback handler when the environment variable N8N_SKIP_AUTH_ON_OAUTH_CALLBACK is set to true. This setting causes the system to skip verification of the ownership of the OAuth state parameter during the OAuth flow. An attacker can exploit this by tricking a victim into completing an OAuth authorization flow that associates the victim's OAuth tokens with the attacker's credential object. Consequently, the attacker gains the ability to execute workflows on behalf of the victim using their OAuth tokens, potentially accessing or manipulating resources the victim is authorized for. The vulnerability requires no prior authentication or user interaction beyond the victim being tricked into completing the OAuth flow. The CVSS 4.0 vector indicates network attack vector, low attack complexity, partial attack prerequisites, no privileges required, no user interaction, and low to limited impact on confidentiality and integrity, with no impact on availability. The vulnerability is mitigated by upgrading to n8n version 2.8.0 or later, where the ownership verification is restored. Temporary mitigations include avoiding enabling the vulnerable environment variable and restricting access to the n8n instance to fully trusted users, although these do not fully eliminate the risk.

This vulnerability allows attackers to hijack OAuth tokens of victims by exploiting a misconfiguration in n8n instances, enabling unauthorized execution of workflows under the victim's identity. The impact includes potential unauthorized access to connected services and data, manipulation of automated processes, and possible data leakage or integrity compromise depending on the workflows configured. Organizations using n8n with the vulnerable configuration risk unauthorized actions being performed in their environment, which could lead to operational disruption, data breaches, or privilege escalation within integrated systems. Since the vulnerability requires the environment variable to be explicitly set, the scope is limited to misconfigured instances, but the impact on those affected can be significant. The lack of known exploits in the wild reduces immediate risk, but the medium severity rating and ease of exploitation over the network without authentication highlight the importance of timely remediation.

1. Upgrade all n8n instances to version 2.8.0 or later immediately to ensure the OAuth callback handler performs proper ownership verification. 2. Audit current n8n deployments to identify if the environment variable N8N_SKIP_AUTH_ON_OAUTH_CALLBACK is set to true and disable it unless absolutely necessary. 3. If disabling the environment variable is not feasible immediately, restrict access to the n8n instance by implementing strict network segmentation, IP whitelisting, and strong authentication controls to limit usage to fully trusted users only. 4. Monitor OAuth flows and logs for unusual activity indicative of token misuse or unauthorized workflow executions. 5. Educate users about phishing and social engineering risks that could lead to being tricked into completing malicious OAuth flows. 6. Implement additional OAuth state parameter validation mechanisms if possible to detect anomalies. 7. Regularly review and update workflow permissions and OAuth credential scopes to minimize potential damage from compromised tokens.