SB2026031349 - Multiple vulnerabilities in n8n

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Improper authentication (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error when the Chat Trigger node is configured with n8n User Auth authentication. A remote attacker can bypass authentication process and gain unauthorized access to the application.

2) Protection Mechanism Failure (CVE-ID: CVE-2026-27495)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. A remote user with permission to create or modify workflows can bypass the JavaScript Task Runner sandbox and execute arbitrary code outside the sandbox boundary.

3) Stored cross-site scripting (CVE-ID: CVE-2026-27578)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject arbitrary scripts into pages rendered by the n8n application using different techniques on various nodes execute arbitrary JavaScript code in user's browser in context of vulnerable website.

4) Code Injection (CVE-ID: CVE-2026-27493)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Form nodes. A remote attacker can inject and evaluate arbitrary n8n expressions by submitting crafted form data.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

5) Code Injection (CVE-ID: CVE-2026-27497)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in the Merge node. A remote user can send a specially crafted request and execute arbitrary code on the target system.

6) Code Injection (CVE-ID: CVE-2026-27577)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote user can send a specially crafted request and execute arbitrary code on the target system.

The vulnerability exists due to incomplete patch for #VU120269 (CVE-2025-68613).

Remediation

Install update from vendor's website.

References

• https://github.com/n8n-io/n8n/security/advisories/GHSA-jh8h-6c9q-7gmw
• https://github.com/n8n-io/n8n/security/advisories/GHSA-jjpj-p2wh-qf23
• https://github.com/n8n-io/n8n/security/advisories/GHSA-2p9h-rqjw-gm92
• https://github.com/n8n-io/n8n/security/advisories/GHSA-75g8-rv7v-32f7
• https://github.com/n8n-io/n8n/security/advisories/GHSA-wxx7-mcgf-j869
• https://github.com/n8n-io/n8n/security/advisories/GHSA-vpcf-gvg4-6qwr