CVE-2026-33665: n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover

March 25, 2026

When LDAP authentication is enabled, n8n automatically linked an LDAP identity to an existing local account if the LDAP email attribute matched the local account’s email. An authenticated LDAP user who could control their own LDAP email attribute could set it to match another user’s email — including an administrator’s — and upon login gain full access to that account. The account linkage persisted even if the LDAP email was later reverted, resulting in a permanent account takeover.

LDAP authentication must be configured and active (non-default).

References

github.com/advisories/GHSA-c545-x2rh-82fc
github.com/n8n-io/n8n
github.com/n8n-io/n8n/security/advisories/GHSA-c545-x2rh-82fc
nvd.nist.gov/vuln/detail/CVE-2026-33665

Code Behaviors & Features

Detect and mitigate CVE-2026-33665 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →