
n8n-io: Vulnerabilities & Security Advisories (58)

Browse all 58 CVE security advisories affecting n8n-io. AI-powered Chinese analysis, POCs, and references for each vulnerability.

n8n-io is a fair-code workflow automation platform enabling users to connect various services and build complex integrations without extensive coding. Its architecture, which relies heavily on Node.js and external service connections, has historically exposed it to a significant number of security issues, currently totaling 58 recorded CVEs. Common vulnerability classes include remote code execution (RCE), cross-site scripting (XSS), and improper access control, often stemming from insecure default configurations or insufficient input validation in its node execution engine. Notable incidents involve potential unauthorized access through exposed webhook endpoints and privilege escalation flaws within the user interface. The platform’s reliance on third-party libraries and dynamic workflow execution introduces inherent risks, requiring strict configuration management and regular updates to mitigate exploitation vectors. Users must implement robust network segmentation and monitor for suspicious activity to maintain security integrity.

Top products by n8n-io: n8n
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-42237 | n8n: SQL Injection in Snowflake and MySQL Nodes | n8n | CWE-89 | 8.8 | - | 2026-05-04 |
| CVE-2026-42236 | n8n: Unauthenticated Denial of Service via MCP Client Registration | n8n | CWE-770 | 7.5 | - | 2026-05-04 |
| CVE-2026-42235 | n8n: XSS via MCP OAuth client | n8n | CWE-87 | 8.8 | - | 2026-05-04 |
| CVE-2026-42234 | n8n: Python Task Runner Sandbox Escape | n8n | CWE-94 | 9.9 | - | 2026-05-04 |
| CVE-2026-42233 | n8n: SQL Injection in Oracle Database Node via Limit Field | n8n | CWE-89 | 8.1 | - | 2026-05-04 |
| CVE-2026-42232 | n8n: XML Node Prototype Pollution to RCE | n8n | CWE-1321 | 8.8 | - | 2026-05-04 |
| CVE-2026-42231 | n8n: Prototype Pollution in XML Webhook Body Parser Leads to RCE | n8n | CWE-1321 | 9.9 | - | 2026-05-04 |
| CVE-2026-42230 | n8n: Open Redirect in MCP OAuth Consent Flow | n8n | CWE-601 | 6.1 | - | 2026-05-04 |
| CVE-2026-42229 | n8n: SQL Injection in SeaTable Node | n8n | CWE-89 | 8.1 | - | 2026-05-04 |
| CVE-2026-42228 | n8n: Hijacking of Unauthenticated Chat Execution | n8n | CWE-862 | 8.6 | - | 2026-05-04 |
| CVE-2026-42227 | n8n: Public API Variables IDOR Allows Cross-Project Secret Disclosure | n8n | CWE-639 | 6.5 | - | 2026-05-04 |
| CVE-2026-42226 | n8n: Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay | n8n | CWE-862 | 8.8 | - | 2026-05-04 |
| CVE-2026-33751 | n8n Vulnerable to LDAP Filter Injection in LDAP Node | n8n | CWE-90 | 8.2 | - | 2026-03-25 |
| CVE-2026-33749 | n8n Vulnerable to XSS via Binary Data Inline HTML Rendering | n8n | CWE-79 | 4.6 | - | 2026-03-25 |
| CVE-2026-33724 | n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no | n8n | CWE-639 | 6.5 | - | 2026-03-25 |
| CVE-2026-33722 | n8n Has External Secrets Authorization Bypass in Credential Saving | n8n | CWE-863 | 5.3 | - | 2026-03-25 |
| CVE-2026-33720 | n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK | n8n | CWE-863 | 5.4 | - | 2026-03-25 |
| CVE-2026-33713 | n8n Vulnerable to SQL Injection in Data Table Node via orderByColumn Expression | n8n | CWE-89 | 8.8 | - | 2026-03-25 |
| CVE-2026-33696 | n8n Vulnerable to Prototype Pollution in XML & GSuiteAdmin node parameters lead to RCE | n8n | CWE-1321 | 8.8 | - | 2026-03-25 |
| CVE-2026-33665 | n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover | n8n | CWE-287 | 8.5 | - | 2026-03-25 |
| CVE-2026-33663 | n8n Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition | n8n | CWE-639 | 6.5 | - | 2026-03-25 |
| CVE-2026-33660 | n8n Has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode | n8n | CWE-94 | 8.8 | - | 2026-03-25 |
| CVE-2026-27496 | n8n has In-Process Memory Disclosure in its Task Runner | n8n | CWE-908 | 6.5 | - | 2026-03-25 |
| CVE-2026-27498 | n8n has Arbitrary Command Execution via File Write and Git Operations | n8n | CWE-94 | 8.8 | High (AI-rated) | 2026-02-25 |
| CVE-2026-27578 | n8n Vulnerable to Stored XSS via Various Nodes | n8n | CWE-80 | 5.4 | Medium (AI-rated) | 2026-02-25 |
| CVE-2026-27577 | n8n: Expression Sandbox Escape Leads to RCE | n8n | CWE-94 | 9.9 | Critical (AI-rated) | 2026-02-25 |
| CVE-2026-27497 | n8n has Potential Remote Code Execution via Merge Node | n8n | CWE-94 | 8.8 | High (AI-rated) | 2026-02-25 |
| CVE-2026-27495 | n8n has a Sandbox Escape in its JavaScript Task Runner | n8n | CWE-94 | 8.5 | High (AI-rated) | 2026-02-25 |
| CVE-2026-27494 | n8n has Arbitrary File Read via Python Code Node Sandbox Escape | n8n | CWE-497 | 9.9 | Critical (AI-rated) | 2026-02-25 |
| CVE-2026-27493 | n8n has Unauthenticated Expression Evaluation via Form Node | n8n | CWE-94 | 9.8 | Critical (AI-rated) | 2026-02-25 |

A severity of "-" means the listing shows no severity rating for that entry; "AI-rated" marks severities assigned by the site's AI assessment rather than taken from the advisory.

This page lists every published CVE security advisory associated with n8n-io. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.