SB2026031349 - Multiple vulnerabilities in n8n
Published: March 13, 2026 Updated: April 30, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 8 vulnerabilities.
1) Improper authentication (CVE-ID: N/A)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error when the Chat Trigger node is configured with n8n User Auth authentication. A remote attacker can bypass authentication process and gain unauthorized access to the application.
2) Protection Mechanism Failure (CVE-ID: CVE-2026-27495)
CWE-ID: CWE-693 - Protection Mechanism Failure
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures. A remote user with permission to create or modify workflows can bypass the JavaScript Task Runner sandbox and execute arbitrary code outside the sandbox boundary.
3) Stored cross-site scripting (CVE-ID: CVE-2026-27578)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject arbitrary scripts into pages rendered by the n8n application using different techniques on various nodes execute arbitrary JavaScript code in user's browser in context of vulnerable website.
4) Code Injection (CVE-ID: CVE-2026-27493)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in Form nodes. A remote attacker can inject and evaluate arbitrary n8n expressions by submitting crafted form data.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
5) Code Injection (CVE-ID: CVE-2026-27497)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the Merge node. A remote user can send a specially crafted request and execute arbitrary code on the target system.
6) Code Injection (CVE-ID: CVE-2026-27577)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote user can send a specially crafted request and execute arbitrary code on the target system.
The vulnerability exists due to incomplete patch for #VU120269 (CVE-2025-68613).
7) Use of uninitialized resource (CVE-ID: CVE-2026-27496)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to use of uninitialized memory buffers in the JavaScript Task Runner when executing attacker-controlled workflows. A remote user can allocate uninitialized memory buffers to disclose sensitive information.
Task Runners must be enabled using N8N_RUNNERS_ENABLED=true. In external runner mode, the impact is limited to data within the external runner process.
8) Exposure of Sensitive System Information to an Unauthorized Control Sphere (CVE-ID: CVE-2026-27494)
CWE-ID: CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code or disclose sensitive information.
The vulnerability exists due to insufficient restriction of built-in Python objects in the Python Code node sandbox when executing Python code in a workflow. A remote user can create or modify a workflow containing crafted Python code to execute arbitrary code or disclose sensitive information.
Task Runners must be enabled for exploitation. On instances using internal Task Runners, exploitation could result in full compromise of the n8n host. On instances using external Task Runners, exploitation might impact other tasks executed on the Task Runner.
Remediation
Install update from vendor's website.
References
- https://github.com/n8n-io/n8n/security/advisories/GHSA-jh8h-6c9q-7gmw
- https://github.com/n8n-io/n8n/security/advisories/GHSA-jjpj-p2wh-qf23
- https://github.com/n8n-io/n8n/security/advisories/GHSA-2p9h-rqjw-gm92
- https://github.com/n8n-io/n8n/security/advisories/GHSA-75g8-rv7v-32f7
- https://github.com/n8n-io/n8n/security/advisories/GHSA-wxx7-mcgf-j869
- https://github.com/n8n-io/n8n/security/advisories/GHSA-vpcf-gvg4-6qwr
- https://github.com/n8n-io/n8n/security/advisories/GHSA-xvh5-5qg4-x9qp
- https://github.com/advisories/GHSA-xvh5-5qg4-x9qp
- https://github.com/n8n-io/n8n/security/advisories/GHSA-mmgg-m5j7-f83h
- https://github.com/advisories/GHSA-mmgg-m5j7-f83h