Improper Authentication Affecting n8n package, versions <2.8.0


Severity: medium

CVSS assessment by Snyk's Security Team.

  • Snyk ID: SNYK-JS-N8N-15360951
  • Published: 27 Feb 2026
  • Disclosed: 26 Feb 2026
  • Credit: stanislavfortaisle

Introduced: 26 Feb 2026

CVE: NOT AVAILABLE
CWE-269
CWE-284
CWE-287

How to fix?

Upgrade n8n to version 2.8.0 or higher.

Overview

n8n is a workflow automation tool.

Affected versions of this package are vulnerable to Improper Authentication via the Self-Service Settings API. An attacker can circumvent centralized identity management and multi-factor authentication by disabling SSO enforcement for their own account and creating local credentials after authenticating through SSO.

Workaround

This vulnerability can be mitigated by monitoring audit logs for users who create local credentials after authenticating via SSO and restricting the instance to fully trusted users only.
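The audit-log monitoring described in the workaround can be sketched as follows. This is an added example, not code from n8n or Snyk; the event types (`login`, `sso_enforcement_disabled`, `local_credential_created`) and field names are assumptions standing in for whatever your audit log export actually emits, and the sample events are constructed.

```javascript
// Constructed, normalized audit events. Field names and event types are
// assumptions for this example, not n8n's actual audit log schema.
const SAMPLE_EVENTS = [
  { ts: "2026-02-20T09:00:00Z", user: "alice", type: "login", method: "sso" },
  { ts: "2026-02-20T09:05:00Z", user: "alice", type: "sso_enforcement_disabled", actor: "alice" },
  { ts: "2026-02-20T09:06:00Z", user: "alice", type: "local_credential_created", actor: "alice" },
  { ts: "2026-02-21T08:00:00Z", user: "alice", type: "login", method: "local" },
  { ts: "2026-02-20T10:00:00Z", user: "bob", type: "login", method: "sso" },
  // Local-only account that never used SSO: must not be flagged.
  { ts: "2026-02-19T07:00:00Z", user: "owner", type: "local_credential_created", actor: "owner" },
  { ts: "2026-02-19T07:01:00Z", user: "owner", type: "login", method: "local" },
];

const SELF_SERVICE_CHANGES = new Set(["sso_enforcement_disabled", "local_credential_created"]);

// Returns one finding per suspicious event: a user who has authenticated via
// SSO and then changes their own SSO enforcement, creates a local credential,
// or logs in locally with that credential.
function findSsoBypassCandidates(events) {
  // Log exports are not guaranteed to be ordered, so sort by timestamp first.
  const sorted = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  const state = new Map(); // user -> { sso: seen SSO login, localCred: created local credential }
  const findings = [];
  for (const e of sorted) {
    const s = state.get(e.user) || { sso: false, localCred: false };
    state.set(e.user, s);
    if (e.type === "login" && e.method === "sso") {
      s.sso = true;
    } else if (s.sso && e.actor === e.user && SELF_SERVICE_CHANGES.has(e.type)) {
      // Only self-initiated changes count; changes made by another actor
      // (for example an administrator) are outside this pattern.
      if (e.type === "local_credential_created") s.localCred = true;
      findings.push({ user: e.user, ts: e.ts, reason: e.type });
    } else if (s.sso && s.localCred && e.type === "login" && e.method === "local") {
      // The local login is the point where SSO and MFA are actually skipped.
      findings.push({ user: e.user, ts: e.ts, reason: "local_login_after_sso" });
    }
  }
  return findings;
}

console.log(findSsoBypassCandidates(SAMPLE_EVENTS));
```

Map your real audit events onto the three assumed types before running this against production logs.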
