GHSA-vjf3-2gpj-233v: n8n has an SSO Enforcement Bypass in its Self-Service Settings API
An authenticated user signed in through Single Sign-On (SSO) could disable SSO enforcement for their own account through the n8n API. This allowed the user to create a local password and authenticate directly with email and password, completely bypassing the organization’s SSO policy, centralized identity management, and any identity-provider-enforced multi-factor authentication.
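The class of flaw described above, shown as an added example beside a hardened form; this is not n8n's code. The data model, the function names and the `ssoExempt` flag are hypothetical and chosen only for illustration.

```typescript
// Hypothetical model for illustration; not n8n's schema, routes or field names.
interface Settings { theme: string; ssoExempt: boolean }
interface User {
  email: string;
  provisionedBySso: boolean;
  passwordHash: string | null;
  settings: Settings;
}

// Keys a user may change on their own account. The SSO exemption is absent:
// only an administrative code path should ever set it.
const SELF_SERVICE_KEYS: ReadonlyArray<string> = ["theme"];

// Vulnerable pattern: every client-supplied key is merged into the settings.
function updateOwnSettingsVulnerable(user: User, patch: Partial<Settings>): void {
  user.settings = { ...user.settings, ...patch };
}

// Hardened pattern: reject the whole request if it names a key outside the allowlist.
function updateOwnSettingsHardened(user: User, patch: Partial<Settings>): void {
  const rejected = Object.keys(patch).filter((k) => SELF_SERVICE_KEYS.indexOf(k) === -1);
  if (rejected.length > 0) {
    throw new Error("settings not self-service: " + rejected.join(", "));
  }
  user.settings = { ...user.settings, ...patch };
}

// Email/password login is refused under SSO enforcement unless the account is exempt.
function localLoginAllowed(user: User, ssoEnforced: boolean): boolean {
  if (user.passwordHash === null) return false;
  return !ssoEnforced || user.settings.ssoExempt;
}

// Audit check: SSO-provisioned accounts that currently carry an exemption.
function findExemptSsoAccounts(users: User[]): string[] {
  return users
    .filter((u) => u.provisionedBySso && u.settings.ssoExempt)
    .map((u) => u.email);
}

// Constructed sample account.
function sampleUser(email: string): User {
  return {
    email,
    provisionedBySso: true,
    passwordHash: "constructed-hash",
    settings: { theme: "light", ssoExempt: false },
  };
}
```

Running the audit function over the user store after upgrading helps find accounts whose exemption was set while the flaw was present.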