Description
n8n before 2.8.0 contains an authentication bypass vulnerability allowing authenticated SSO users to disable SSO enforcement through the API. Attackers can create local password credentials to authenticate directly, bypassing organizational SSO policies and identity-provider-enforced multi-factor authentication.
References (2)
Core References
Vendor Advisory
GitHub Security Advisory (GHSA-vjf3-2gpj-233v)
https://github.com/n8n-io/n8n/security/advisories/GHSA-vjf3-2gpj-233v
Third Party Advisory
VulnCheck Advisory: n8n - SSO Enforcement Bypass via API
https://www.vulncheck.com/advisories/n8n-sso-enforcement-bypass-via-api
Scores
CVSS v3: 6.3
EPSS: 0.0028
EPSS Percentile: 19.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-285
Status: published
Products (2)
n8n/n8n: < 2.8.0 (2 CPE variants)
n8n/n8n: 2.8.0
Published: Jun 30, 2026
Tracked Since: Jul 01, 2026