MEDIUM 6.3

GHSA-vjf3-2gpj-233v

n8n has an SSO Enforcement Bypass in its Self-Service Settings API

Details

## Impact

An authenticated user signed in through Single Sign-On (SSO) could disable SSO enforcement for their own account through the n8n API. This allowed the user to create a local password and authenticate directly with email and password, completely bypassing the organization's SSO policy, centralized identity management, and any identity-provider-enforced multi-factor authentication.

## Patches

The issue has been fixed in n8n version 2.8.0. Users should upgrade to this version or later to remediate the vulnerability.

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Monitor audit logs for users who create local credentials after authenticating via SSO.
- Restrict the n8n instance to fully trusted users only.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
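The first workaround asks administrators to watch audit logs for the sequence this advisory describes: an SSO sign-in followed by the creation of a local password (and then a password login). The script below is an added detection example, not n8n's own code; the JSON-lines layout and the event names it matches on are constructed for the example and must be mapped to the real audit format in use.

```javascript
// Added example (not n8n's code): flag users whose audit trail shows an SSO
// sign-in followed by local-credential creation, the pattern the workaround
// above asks administrators to monitor. Event names and the JSON-lines layout
// are constructed for this example; map them to your own audit log format.
const SSO_LOGIN = "user.login.sso";
const LOCAL_PASSWORD_SET = "user.password.set";
const PASSWORD_LOGIN = "user.login.password";

// Returns one finding per user who set a local password after an SSO login.
// Each finding records when the SSO login, the password creation and (if seen)
// the first subsequent password login happened. Input order does not matter;
// events are sorted by their ISO-8601 timestamp before evaluation.
function findSsoBypass(lines) {
  const events = [];
  for (const line of lines) {
    if (!line.trim()) continue;
    try { events.push(JSON.parse(line)); } catch { /* skip malformed line */ }
  }
  events.sort((a, b) => (a.ts < b.ts ? -1 : a.ts > b.ts ? 1 : 0));

  const state = new Map(); // user -> { ssoAt, setAt, pwLoginAt }
  for (const ev of events) {
    const s = state.get(ev.user) ?? { ssoAt: null, setAt: null, pwLoginAt: null };
    if (ev.event === SSO_LOGIN && s.ssoAt === null) s.ssoAt = ev.ts;
    else if (ev.event === LOCAL_PASSWORD_SET && s.ssoAt !== null && s.setAt === null) s.setAt = ev.ts;
    else if (ev.event === PASSWORD_LOGIN && s.setAt !== null && s.pwLoginAt === null) s.pwLoginAt = ev.ts;
    state.set(ev.user, s);
  }
  return [...state.entries()]
    .filter(([, s]) => s.setAt !== null)
    .map(([user, s]) => ({ user, ...s }));
}

// Constructed sample audit trail: alice follows the bypass pattern, bob is an
// ordinary SSO user, carol has always used a local password (no SSO login).
const SAMPLE_LOG = [
  '{"ts":"2024-01-10T09:00:00Z","user":"alice","event":"user.login.sso"}',
  '{"ts":"2024-01-10T09:02:00Z","user":"bob","event":"user.login.sso"}',
  '{"ts":"2024-01-11T08:00:00Z","user":"alice","event":"user.login.password"}',
  '{"ts":"2024-01-10T09:05:00Z","user":"alice","event":"user.password.set"}',
  '{"ts":"2024-01-10T09:06:00Z","user":"carol","event":"user.login.password"}',
];

for (const f of findSsoBypass(SAMPLE_LOG)) {
  console.log(`ALERT ${f.user}: SSO login ${f.ssoAt}, local password set ${f.setAt}, ` +
              `password login ${f.pwLoginAt ?? "not yet seen"}`);
}
```

Only alice is reported: carol's password login without a prior SSO login and bob's SSO-only history do not match the pattern.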


Affected packages

npm / n8n
Introduced in: 0
Fixed in: 2.8.0
Fix: npm install n8n@2.8.0
