Cyber Posture

CVE-2026-33665

Severity: High

Published: 25 March 2026
Modified: 30 March 2026
KEV Added: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33665 is a high-severity Improper Authentication (CWE-287) vulnerability in N8N N8N. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score ranks it at the 5.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AU-6 (Audit Record Review, Analysis, and Reporting).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

[prevent, detect] AC-2 requires management, review, and auditing of accounts, including external identity linkages, to prevent and detect the unauthorized account associations via email matching that this CVE exploits.

[prevent] IA-4 ensures that identifiers such as email addresses are uniquely managed and assigned with authorization, mitigating spoofing of LDAP email attributes for improper account linkage.

[detect] AU-6 mandates review and analysis of audit records for authentication and account linkage events, enabling detection of unexpected LDAP-to-local account associations, as recommended in the mitigations.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Improper LDAP-to-local account linking (CWE-287) is a software flaw directly exploitable for privilege escalation from an authenticated LDAP user to a targeted high-privilege local account; the network-accessible n8n web application makes the flaw reachable via T1190 when LDAP is enabled.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

n8n is an open source workflow automation platform. Prior to versions 2.4.0 and 1.121.0, when LDAP authentication is enabled, n8n automatically linked an LDAP identity to an existing local account if the LDAP email attribute matched the local account's email. An authenticated LDAP user who could control their own LDAP email attribute could set it to match another user's email — including an administrator's — and upon login gain full access to that account. The account linkage persisted even if the LDAP email was later reverted, resulting in a permanent account takeover. LDAP authentication must be configured and active (non-default). The issue has been fixed in n8n versions 2.4.0 and 1.121.0. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Disable LDAP authentication until the instance can be upgraded, restrict LDAP directory permissions so that users cannot modify their own email attributes, and/or audit existing LDAP-linked accounts for unexpected account associations. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Deeper analysis [AI-generated]

CVE-2026-33665 is an improper authentication vulnerability (CWE-287) affecting n8n, an open source workflow automation platform, in versions prior to 2.4.0 and 1.121.0. When LDAP authentication is enabled, n8n automatically links an LDAP identity to an existing local account if the LDAP email attribute matches the local account's email address. This linkage allows unauthorized access escalation, with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated LDAP user who can control their own LDAP email attribute can exploit this by setting it to match the email of another user, such as an administrator. Upon login, the attacker gains full access to the targeted local account. The linkage persists even if the LDAP email is later reverted, enabling permanent account takeover. Exploitation requires LDAP authentication to be configured and active, which is non-default.

The vulnerability is fixed in n8n versions 2.4.0 and 1.121.0; users should upgrade to these or later versions. Temporary mitigations include disabling LDAP authentication, restricting LDAP directory permissions to prevent users from modifying their own email attributes, and auditing existing LDAP-linked accounts for unexpected associations. These workarounds do not fully remediate the issue and are intended for short-term use only. Details are available in the advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-c545-x2rh-82fc.
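As an added example, not code from n8n or the advisory, the following TypeScript models the email-match auto-linking described above beside a DN-based variant and the audit of existing LDAP links that the advisory recommends. The DN-based check is an assumption for illustration, not the upstream fix, and all user records and LDAP entries are constructed.

```typescript
// Added example, not n8n's code: a model of the email-match auto-linking that
// CVE-2026-33665 describes, a DN-based alternative, and the advisory's link audit.

interface LocalUser { id: string; email: string; role: string; ldapDn?: string }
interface LdapEntry { dn: string; mail: string }

// Vulnerable pattern: an LDAP login with no stored link is matched to a local
// account by email alone, and the resulting link is stored permanently.
function loginByEmailMatch(users: LocalUser[], ldap: LdapEntry): LocalUser | undefined {
  let user = users.find(u => u.ldapDn === ldap.dn);            // existing link wins
  if (!user) {
    user = users.find(u => u.email.toLowerCase() === ldap.mail.toLowerCase());
    if (user) user.ldapDn = ldap.dn;                            // auto-link persists
  }
  return user;
}

// Safer pattern (an assumption here, not the upstream fix): only a link that an
// administrator provisioned on the immutable DN counts; mail is never an identity key.
function loginByProvisionedDn(users: LocalUser[], ldap: LdapEntry): LocalUser | undefined {
  return users.find(u => u.ldapDn === ldap.dn);
}

// The advisory's workaround: report linked accounts whose directory entry is gone
// or whose current mail attribute no longer matches the local email.
function auditLdapLinks(users: LocalUser[], directory: LdapEntry[]): string[] {
  return users
    .filter(u => u.ldapDn !== undefined)
    .filter(u => {
      const entry = directory.find(e => e.dn === u.ldapDn);
      return !entry || entry.mail.toLowerCase() !== u.email.toLowerCase();
    })
    .map(u => `${u.id} <- ${u.ldapDn}`);
}

// Constructed scenario: an LDAP user rewrites their own mail attribute to the
// administrator's address, logs in, then reverts it.
function runScenario() {
  const bobDn = "uid=bob,ou=people,dc=example,dc=com";
  const users: LocalUser[] = [
    { id: "admin", email: "admin@example.com", role: "owner" },
    { id: "bob", email: "bob@example.com", role: "member", ldapDn: bobDn },
  ];
  const mallory: LdapEntry = { dn: "uid=mallory,ou=people,dc=example,dc=com", mail: "admin@example.com" };
  const denied = loginByProvisionedDn(users, mallory)?.id;     // undefined: no provisioned link
  const takeover = loginByEmailMatch(users, mallory)?.role;    // "owner": linked by email
  mallory.mail = "mallory@example.com";                         // revert after linking
  const persisted = loginByEmailMatch(users, mallory)?.id;     // still "admin"
  const flagged = auditLdapLinks(users, [mallory, { dn: bobDn, mail: "bob@example.com" }]);
  return { denied, takeover, persisted, flagged };             // flagged: ["admin <- uid=mallory,..."]
}
```

The audit only catches a link whose mail attribute has been reverted or whose entry has been removed; a link that still matches by email needs review against the provisioning record rather than against the directory.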

Details

CWE(s): CWE-287 Improper Authentication

Affected Products

n8n (vendor n8n): ≤ 1.121.0 · 2.0.0 to 2.4.0

CVEs Like This One

CVE-2026-25056 (same product: N8N N8N)
CVE-2026-25049 (same product: N8N N8N)
CVE-2026-27495 (same product: N8N N8N)
CVE-2026-33749 (same product: N8N N8N)
CVE-2026-25115 (same product: N8N N8N)
CVE-2026-25055 (same product: N8N N8N)
CVE-2026-21877 (same product: N8N N8N)
CVE-2026-33696 (same product: N8N N8N)
CVE-2026-1470 (same product: N8N N8N)
CVE-2025-62726 (same product: N8N N8N)
