From 70d64b73d864b5c4655db099392ed4dbfd93050f Mon Sep 17 00:00:00 2001
From: Ricardo Espinoza
Date: Fri, 12 Sep 2025 13:17:54 -0400
Subject: [PATCH] fix(core): Do not allow API usage when user is disabled (no-changelog) (#19485)

---
 .../__tests__/public-api-key.service.test.ts | 24 +++++++++++++++++++
 .../src/services/public-api-key.service.ts | 2 ++
 2 files changed, 26 insertions(+)

diff --git a/packages/cli/src/services/__tests__/public-api-key.service.test.ts b/packages/cli/src/services/__tests__/public-api-key.service.test.ts
index 2ea748d894..7eccb4edcd 100644
--- a/packages/cli/src/services/__tests__/public-api-key.service.test.ts
+++ b/packages/cli/src/services/__tests__/public-api-key.service.test.ts
@@ -233,6 +233,30 @@ describe('PublicApiKeyService', () => {
 );
 });
 });
+
+ it('should return false if user is disabled', async () => {
+ //Arrange
+
+ const path = '/test';
+ const method = 'GET';
+ const apiVersion = 'v1';
+
+ const owner = await createOwnerWithApiKey();
+
+ await userRepository.update({ id: owner.id }, { disabled: true });
+
+ const [{ apiKey }] = owner.apiKeys;
+
+ const middleware = publicApiKeyService.getAuthMiddleware(apiVersion);
+
+ //Act
+
+ const response = await middleware(mockReqWith(apiKey, path, method), {}, securitySchema);
+
+ //Assert
+
+ expect(response).toBe(false);
+ });
 });
 
 describe('redactApiKey', () => {
diff --git a/packages/cli/src/services/public-api-key.service.ts b/packages/cli/src/services/public-api-key.service.ts
index f5d7778597..3e13961dd4 100644
--- a/packages/cli/src/services/public-api-key.service.ts
+++ b/packages/cli/src/services/public-api-key.service.ts
@@ -119,6 +119,8 @@ export class PublicApiKeyService {
 
 if (!user) return false;
 
+ if (user.disabled) return false;
+
 // Legacy API keys are not JWTs and do not need to be verified.
 if (!providedApiKey.startsWith(PREFIX_LEGACY_API_KEY)) {
 try {
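Review bot: The new `if (user.disabled) return false;` in public-api-key.service.ts is undocumented, and nothing states why it sits before the legacy/JWT branch rather than inside it; a one-line comment such as `// Reject keys of disabled users before any key verification, so a disable takes effect on the next request regardless of key type.` would make the ordering deliberate. Stylistically the two adjacent guards read as one rule and could be folded into `if (!user || user.disabled) return false;`, which keeps the lookup-failure and disabled-user cases on a single line and avoids a second early return. Both paths return `false` with no log entry, so presumably an operator cannot distinguish a disabled user's key being presented from an unknown key; whether the caller logs that is not visible here. The enclosing middleware function begins and ends outside the hunk.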