n8n-io — Vulnerabilities & Security Advisories 58

Browse all 58 CVE security advisories affecting n8n-io. AI-powered Chinese analysis, POCs, and references for each vulnerability.

n8n-io is a fair-code workflow automation platform enabling users to connect various services and build complex integrations without extensive coding. Its architecture, which relies heavily on Node.js and external service connections, has historically exposed it to a significant number of security issues, currently totaling 58 recorded CVEs. Common vulnerability classes include remote code execution (RCE), cross-site scripting (XSS), and improper access control, often stemming from insecure default configurations or insufficient input validation in its node execution engine. Notable incidents involve potential unauthorized access through exposed webhook endpoints and privilege escalation flaws within the user interface. The platform’s reliance on third-party libraries and dynamic workflow execution introduces inherent risks, requiring strict configuration management and regular updates to mitigate exploitation vectors. Users must implement robust network segmentation and monitor for suspicious activity to maintain security integrity.

Top products by n8n-io: n8n

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-25631 | Domain allowlist bypass enables credential exfiltration — n8n (CWE-20) | 6.5 (AI) | Medium (AI) | 2026-02-06 |
| CVE-2026-21893 | n8n Vulnerable to Command Injection in Community Package Installation — n8n (CWE-78) | 7.2 (AI) | High (AI) | 2026-02-04 |
| CVE-2026-25115 | n8n is vulnerable to Python sandbox escape — n8n (CWE-693) | 9.9 (AI) | Critical (AI) | 2026-02-04 |
| CVE-2026-25056 | n8n Arbitrary File Write leading to RCE in n8n Merge Node — n8n (CWE-434) | 8.8 (AI) | High (AI) | 2026-02-04 |
| CVE-2026-25055 | n8n Arbitrary File Write on Remote Systems via SSH Node — n8n (CWE-22) | 10.0 (AI) | Critical (AI) | 2026-02-04 |
| CVE-2026-25054 | n8n is Vulnerable to Stored Cross-Site Scripting via Markdown Rendering in Workflow UI — n8n (CWE-80) | 5.4 (AI) | Medium (AI) | 2026-02-04 |
| CVE-2026-25053 | n8n is Vulnerable to OS Command Injection in Git Node — n8n (CWE-78) | 8.8 (AI) | High (AI) | 2026-02-04 |
| CVE-2026-25052 | n8n Improper File Access Controls Allow Arbitrary File Read by Authenticated Users — n8n (CWE-367) | 8.8 (AI) | High (AI) | 2026-02-04 |
| CVE-2026-25051 | n8n Improper CSP Enforcement in Webhook Responses May Allow Stored XSS — n8n (CWE-79) | 5.4 (AI) | Medium (AI) | 2026-02-04 |
| CVE-2025-61917 | n8n Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner — n8n (CWE-668) | 7.7 | High | 2026-02-04 |
| CVE-2026-25049 | n8n Has an Expression Escape Vulnerability Leading to RCE — n8n (CWE-913) | 9.9 (AI) | Critical (AI) | 2026-02-04 |
| CVE-2025-68949 | n8n has a Webhook Node IP Whitelist Bypass via Partial String Matching — n8n (CWE-134) | 5.3 | Medium | 2026-01-13 |
| CVE-2026-21894 | n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks — n8n (CWE-290) | 6.5 | Medium | 2026-01-08 |
| CVE-2026-21877 | n8n is vulnerable to Remote Code Execution via Arbitrary File Write — n8n (CWE-94) | 10.0 | Critical | 2026-01-08 |
| CVE-2026-21858 | n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling — n8n (CWE-20) | 10.0 | Critical | 2026-01-07 |
| CVE-2025-68697 | Self-hosted n8n has Legacy Code node that enables arbitrary file read/write — n8n (CWE-269) | 7.1 | High | 2025-12-26 |
| CVE-2025-68668 | n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node — n8n (CWE-693) | 9.9 | Critical | 2025-12-26 |
| CVE-2025-61914 | n8n's Possible Stored XSS in "Respond to Webhook" Node May Execute Outside iframe Sandbox — n8n (CWE-79) | 7.3 | High | 2025-12-26 |
| CVE-2025-68613 | n8n Vulnerable to Remote Code Execution via Expression Injection — n8n (CWE-913) | 10.0 | Critical | 2025-12-19 |
| CVE-2025-65964 | n8n Vulnerable to Remote Code Execution via Git Node Custom Pre-Commit Hook — n8n (CWE-829) | 9.8 (AI) | Critical (AI) | 2025-12-08 |
| CVE-2025-62726 | n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook — n8n (CWE-829) | 8.8 | High | 2025-10-30 |
| CVE-2025-58177 | n8n stored cross-site scripting in LangChain Chat Trigger node initialMessages parameter — n8n (CWE-79) | 5.4 | Medium | 2025-09-15 |
| CVE-2025-57749 | n8n has a symlink traversal vulnerability in "Read/Write File" node allows access to restricted files — n8n (CWE-59) | 6.5 | Medium | 2025-08-20 |
| CVE-2025-52478 | Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source — n8n (CWE-79) | 8.7 | High | 2025-08-19 |
| CVE-2025-52554 | n8n Improper Authorization in Workflow Execution Stop Endpoint Allows Terminating Other Users’ Workflows — n8n (CWE-862) | 5.4 (AI) | Medium (AI) | 2025-07-03 |
| CVE-2025-49595 | n8n Vulnerable to Denial of Service via Malformed Binary Data Requests — n8n (CWE-400) | 4.9 | Medium | 2025-07-03 |
| CVE-2025-49592 | n8n Login Flow has Open Redirect Vulnerability — n8n (CWE-601) | 4.6 | Medium | 2025-06-26 |
| CVE-2025-46343 | n8n Vulnerable to Stored XSS through Attachments View Endpoint — n8n (CWE-79) | 5.0 | Medium | 2025-04-29 |

This page lists every published CVE security advisory associated with n8n-io. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.