n8n — Vulnerabilities & Security Advisories (58)

All 58 CVE vulnerabilities found in n8n, with AI-generated Chinese analysis, references, and POCs.

This page aggregates known vulnerabilities and security weaknesses in the workflow automation tool n8n, organized by Common Weakness Enumeration (CWE) class. The reports cover a wide range of issues, including remote code execution, privilege escalation, and cross-site scripting, from early development versions through recent stable releases up to the current year. Use it to track vendor advisories and security updates issued by n8n, to understand which weakness classes can affect automation workflows, and to review the product's full vulnerability history when assessing long-term security trends. Each entry carries references to common exploitation techniques and context on severity and impact, so administrators and developers can prioritize remediation. By consolidating these sources into a single view, the page simplifies monitoring the security posture of n8n deployments and gives security professionals a practical reference when evaluating the risk of integrating n8n into their infrastructure. Entries are laid out for quick identification of relevant threats, with patch availability and mitigation information kept readily accessible.

Vendor: n8n-io

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-42237 | n8n: SQL Injection in Snowflake and MySQL Nodes | CWE-89 | 8.8 | - | 2026-05-04 |
| CVE-2026-42236 | n8n: Unauthenticated Denial of Service via MCP Client Registration | CWE-770 | 7.5 | - | 2026-05-04 |
| CVE-2026-42235 | n8n: XSS via MCP OAuth client | CWE-87 | 8.8 | - | 2026-05-04 |
| CVE-2026-42234 | n8n: Python Task Runner Sandbox Escape | CWE-94 | 9.9 | - | 2026-05-04 |
| CVE-2026-42233 | n8n: SQL Injection in Oracle Database Node via Limit Field | CWE-89 | 8.1 | - | 2026-05-04 |
| CVE-2026-42232 | n8n: XML Node Prototype Pollution to RCE | CWE-1321 | 8.8 | - | 2026-05-04 |
| CVE-2026-42231 | n8n: Prototype Pollution in XML Webhook Body Parser Leads to RCE | CWE-1321 | 9.9 | - | 2026-05-04 |
| CVE-2026-42230 | n8n: Open Redirect in MCP OAuth Consent Flow | CWE-601 | 6.1 | - | 2026-05-04 |
| CVE-2026-42229 | n8n: SQL Injection in SeaTable Node | CWE-89 | 8.1 | - | 2026-05-04 |
| CVE-2026-42228 | n8n: Hijacking of Unauthenticated Chat Execution | CWE-862 | 8.6 | - | 2026-05-04 |
| CVE-2026-42227 | n8n: Public API Variables IDOR Allows Cross-Project Secret Disclosure | CWE-639 | 6.5 | - | 2026-05-04 |
| CVE-2026-42226 | n8n: Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay | CWE-862 | 8.8 | - | 2026-05-04 |
| CVE-2026-33751 | n8n Vulnerable to LDAP Filter Injection in LDAP Node | CWE-90 | 8.2 | - | 2026-03-25 |
| CVE-2026-33749 | n8n Vulnerable to XSS via Binary Data Inline HTML Rendering | CWE-79 | 4.6 | - | 2026-03-25 |
| CVE-2026-33724 | n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no | CWE-639 | 6.5 | - | 2026-03-25 |
| CVE-2026-33722 | n8n Has External Secrets Authorization Bypass in Credential Saving | CWE-863 | 5.3 | - | 2026-03-25 |
| CVE-2026-33720 | n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK | CWE-863 | 5.4 | - | 2026-03-25 |
| CVE-2026-33713 | n8n Vulnerable to SQL Injection in Data Table Node via orderByColumn Expression | CWE-89 | 8.8 | - | 2026-03-25 |
| CVE-2026-33696 | n8n Vulnerable to Prototype Pollution in XML & GSuiteAdmin node parameters lead to RCE | CWE-1321 | 8.8 | - | 2026-03-25 |
| CVE-2026-33665 | n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover | CWE-287 | 8.5 | - | 2026-03-25 |
| CVE-2026-33663 | n8n Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition | CWE-639 | 6.5 | - | 2026-03-25 |
| CVE-2026-33660 | n8n Has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode | CWE-94 | 8.8 | - | 2026-03-25 |
| CVE-2026-27496 | n8n has In-Process Memory Disclosure in its Task Runner | CWE-908 | 6.5 | - | 2026-03-25 |
| CVE-2026-27498 | n8n has Arbitrary Command Execution via File Write and Git Operations | CWE-94 | 8.8 (AI) | High (AI) | 2026-02-25 |
| CVE-2026-27578 | n8n Vulnerable to Stored XSS via Various Nodes | CWE-80 | 5.4 (AI) | Medium (AI) | 2026-02-25 |
| CVE-2026-27577 | n8n: Expression Sandbox Escape Leads to RCE | CWE-94 | 9.9 (AI) | Critical (AI) | 2026-02-25 |
| CVE-2026-27497 | n8n has Potential Remote Code Execution via Merge Node | CWE-94 | 8.8 (AI) | High (AI) | 2026-02-25 |
| CVE-2026-27495 | n8n has a Sandbox Escape in its JavaScript Task Runner | CWE-94 | 8.5 (AI) | High (AI) | 2026-02-25 |
| CVE-2026-27494 | n8n has Arbitrary File Read via Python Code Node Sandbox Escape | CWE-497 | 9.9 (AI) | Critical (AI) | 2026-02-25 |
| CVE-2026-27493 | n8n has Unauthenticated Expression Evaluation via Form Node | CWE-94 | 9.8 (AI) | Critical (AI) | 2026-02-25 |

"(AI)" reproduces the page's AI badge on that entry's CVSS score and severity; "-" means no severity was listed.
