SB2026031349 - Multiple vulnerabilities in n8n



SB2026031349 - Multiple vulnerabilities in n8n

Published: March 13, 2026 Updated: April 30, 2026

Security Bulletin ID SB2026031349
CSH Severity
High
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 13% Medium 63% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 vulnerabilities.


1) Improper authentication (CVE-ID: N/A)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error when the Chat Trigger node is configured with n8n User Auth authentication. A remote attacker can bypass authentication process and gain unauthorized access to the application.


2) Protection Mechanism Failure (CVE-ID: CVE-2026-27495)

CWE-ID: CWE-693 - Protection Mechanism Failure

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. A remote user with permission to create or modify workflows can bypass the JavaScript Task Runner sandbox and execute arbitrary code outside the sandbox boundary.


3) Stored cross-site scripting (CVE-ID: CVE-2026-27578)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject arbitrary scripts into pages rendered by the n8n application using different techniques on various nodes execute arbitrary JavaScript code in user's browser in context of vulnerable website.


4) Code Injection (CVE-ID: CVE-2026-27493)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Form nodes. A remote attacker can inject and evaluate arbitrary n8n expressions by submitting crafted form data.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


5) Code Injection (CVE-ID: CVE-2026-27497)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in the Merge node. A remote user can send a specially crafted request and execute arbitrary code on the target system.



6) Code Injection (CVE-ID: CVE-2026-27577)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote user can send a specially crafted request and execute arbitrary code on the target system.

The vulnerability exists due to incomplete patch for #VU120269 (CVE-2025-68613).



7) Use of uninitialized resource (CVE-ID: CVE-2026-27496)

CWE-ID: CWE-908 - Use of Uninitialized Resource

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to use of uninitialized memory buffers in the JavaScript Task Runner when executing attacker-controlled workflows. A remote user can allocate uninitialized memory buffers to disclose sensitive information.

Task Runners must be enabled using N8N_RUNNERS_ENABLED=true. In external runner mode, the impact is limited to data within the external runner process.


8) Exposure of Sensitive System Information to an Unauthorized Control Sphere (CVE-ID: CVE-2026-27494)

CWE-ID: CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code or disclose sensitive information.

The vulnerability exists due to insufficient restriction of built-in Python objects in the Python Code node sandbox when executing Python code in a workflow. A remote user can create or modify a workflow containing crafted Python code to execute arbitrary code or disclose sensitive information.

Task Runners must be enabled for exploitation. On instances using internal Task Runners, exploitation could result in full compromise of the n8n host. On instances using external Task Runners, exploitation might impact other tasks executed on the Task Runner.


Remediation

Install update from vendor's website.