SB20260423154 - Multiple vulnerabilities in n8n

Published: April 23, 2026

Security Bulletin ID: SB20260423154
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 7
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 4 (57%), Low: 3 (43%)

Description

This security bulletin contains information about 7 vulnerabilities.


1) Code Injection (CVE-ID: CVE-2026-33660)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper control of code generation in the Merge node's "Combine by SQL" mode when processing user-supplied SQL statements. A remote user with permission to create or modify workflows can supply crafted SQL in the node's configuration to execute arbitrary code on the n8n host.

The same issue can be used to read local files on the host.


2) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-33663)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to an authorization bypass through a user-controlled key in the credential resolution path and the credentials permission checker, which do not verify ownership when a workflow using generic HTTP credentials is resolved and executed. A remote user can reference another user's credential by its ID in such a workflow and execute it, so that the other user's credential is used and its contents are disclosed.

This issue affects the Community Edition only; native integration credential types such as slackApi, openAiApi, and postgres are not affected.


3) Cross-site scripting (CVE-ID: CVE-2026-33749)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's authenticated session.

The vulnerability exists because the /rest/binary-data endpoint serves an HTML binary data object that has no filename inline in the browser, in the application's own origin. A remote user can craft a workflow that produces such an object and send the resulting URL to a victim, whose browser then runs the attacker's JavaScript in the victim's authenticated session.

User interaction is required, and exploitation requires permission to create or modify workflows.
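The following JavaScript is an added illustration and is not code from this bulletin or from n8n. It shows the header decision a binary-data download endpoint can make so that HTML (and other browser-active types) written by a workflow is never rendered inline in the application's origin, and so that an object without a filename gets a neutral one. The type lists, the default filename and the header set are assumptions chosen for the example.

```javascript
// Added example (not n8n's code): response headers for serving a stored
// binary-data object without letting the browser render it as a document.

// Types a browser will execute or navigate as a document. Assumed list for the
// example; anything here, and anything not explicitly inline-safe, is forced
// to download.
const ACTIVE_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml',
  'text/xml', 'application/xml', 'text/javascript', 'application/javascript',
]);

// Types browsers treat as inert when displayed inline (assumed list).
const INLINE_SAFE_TYPES = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'image/webp',
  'text/plain', 'application/pdf',
]);

const DEFAULT_FILENAME = 'download.bin'; // used when the object has no filename

// RFC 6266 filename* parameter: percent-encoded UTF-8, so a stored filename
// cannot smuggle quotes or CR/LF into the header line.
function contentDisposition(type, fileName) {
  const name = typeof fileName === 'string' && fileName.trim() ? fileName : DEFAULT_FILENAME;
  const cleaned = name.replace(/[\r\n"\\]/g, '_');
  return `${type}; filename*=UTF-8''${encodeURIComponent(cleaned)}`;
}

// Compute headers for an object whose recorded MIME type is `mimeType`
// (possibly with parameters, e.g. "text/html; charset=utf-8") and whose
// recorded filename is `fileName` (possibly undefined).
function binaryDataHeaders(mimeType, fileName) {
  const type = String(mimeType || '').split(';')[0].trim().toLowerCase();
  const inline = INLINE_SAFE_TYPES.has(type) && !ACTIVE_TYPES.has(type);
  return {
    // Stop the browser from sniffing an active type out of the bytes.
    'X-Content-Type-Options': 'nosniff',
    // Defence in depth: if anything is rendered anyway, it runs no script and
    // is isolated from the application's origin.
    'Content-Security-Policy': "default-src 'none'; sandbox",
    // Unknown or active types are served as opaque bytes, not as their type.
    'Content-Type': inline ? type : 'application/octet-stream',
    'Content-Disposition': contentDisposition(inline ? 'inline' : 'attachment', fileName),
  };
}

// Usage with constructed input: an HTML object written by a workflow, no filename.
console.log(binaryDataHeaders('text/html; charset=utf-8', undefined));
```

The allowlist is deliberately the inline-safe side: a type the endpoint has not classified is downloaded, not displayed, so a new browser-active type does not silently reopen the issue.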


4) Prototype pollution (CVE-ID: CVE-2026-33696)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to prototype pollution in the GSuiteAdmin node when processing crafted node configuration parameters. A remote user can supply a crafted parameter to write attacker-controlled values onto Object.prototype to execute arbitrary code.

Exploitation requires permission to create or modify workflows.
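The following JavaScript is an added illustration and is not code from this bulletin or from n8n; the bulletin does not describe the affected code path in the GSuiteAdmin node. It shows the general pattern behind CWE-1321 in a node that merges user-supplied parameters into defaults: a recursive merge that honours a "__proto__" key writes onto Object.prototype, so that every object in the process acquires the attacker's properties. The merge routines and the crafted parameters are constructed for the example.

```javascript
// Added example (not n8n's code): a recursive "merge user parameters into
// defaults" routine of the kind found in many node implementations, the JSON
// that turns it into a write to Object.prototype, and a hardened version.

// Vulnerable: descends into whatever key the input names. JSON.parse creates
// an own property literally named "__proto__", Object.keys lists it, and
// target["__proto__"] resolves to Object.prototype, so the recursion writes there.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain, and only descend
// into properties the target itself owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected parameter key: ${key}`);
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (own === null || typeof own !== 'object') target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed node parameters as they would arrive from the workflow JSON.
const CRAFTED_PARAMETERS = JSON.parse('{"options": {"__proto__": {"isAdmin": true}}}');

// Runs both merges and reports what an unrelated object looks like afterwards;
// the pollution is removed again so the rest of the process is unaffected.
function demonstrate() {
  const before = ({}).isAdmin;
  mergeUnsafe({ options: {} }, CRAFTED_PARAMETERS);
  const afterUnsafe = ({}).isAdmin;
  delete Object.prototype.isAdmin;
  let rejected = false;
  try {
    mergeSafe({ options: {} }, CRAFTED_PARAMETERS);
  } catch (e) {
    rejected = true;
  }
  return { before, afterUnsafe, afterSafe: ({}).isAdmin, rejected };
}

console.log(demonstrate()); // { before: undefined, afterUnsafe: true, afterSafe: undefined, rejected: true }
```

Turning a polluted prototype into code execution is a second step that depends on what else in the process reads inherited properties (template engines, child-process option objects and similar sinks); the bulletin states that such a step exists here without naming it, so the example stops at the pollution itself.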


5) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in a victim's browser.

The vulnerability exists due to improper neutralization of input during web page generation: the contents of the Chat Trigger node's Custom CSS field are written into the public chat page without being neutralized. A remote user with permission to edit the workflow can place markup containing JavaScript in the Custom CSS field, and it executes in the browser of anyone who visits the chat page.

User interaction is required, as a victim must visit the chat URL.


6) SQL injection (CVE-ID: CVE-2026-33713)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary SQL statements.

The vulnerability exists due to SQL injection in the Data Table Get node when processing an expression in the orderByColumn field. A remote user can supply a crafted orderByColumn expression to execute arbitrary SQL statements.

On PostgreSQL deployments, multi-statement execution is possible, enabling data modification and deletion. On the default SQLite database, the attack surface is more limited because only single statements can be manipulated.
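The following JavaScript is an added illustration and is not code from this bulletin or from n8n. It shows why a sort column is a special case of SQL injection: an identifier cannot be passed as a bind parameter, so the value must be checked against the table's known columns and quoted as an identifier. It also shows, with a rough statement counter, why the same injected text is worse on a database that accepts several statements per call. The table, its columns and the payload are constructed for the example.

```javascript
// Added example (not n8n's code): an ORDER BY column name cannot be passed as a
// bind parameter, so it must be validated against the schema and quoted as an
// identifier. The table and columns below are constructed for the example.

const TABLE_COLUMNS = {
  data_table_rows: ['id', 'created_at', 'updated_at', 'name', 'email'],
};

// Constructed payload: on PostgreSQL a driver using the simple query protocol
// runs both statements; SQLite bindings execute only the first.
const PAYLOAD = 'id; DELETE FROM data_table_rows; --';

// Vulnerable: the expression result lands in the SQL text unchanged.
function buildQueryUnsafe(table, orderByColumn, direction) {
  return `SELECT * FROM ${table} ORDER BY ${orderByColumn} ${direction}`;
}

// Double-quote an identifier (PostgreSQL and SQLite syntax), doubling any
// embedded quote. Used on top of the allowlist, not instead of it.
function quoteIdentifier(name) {
  return `"${name.replace(/"/g, '""')}"`;
}

// Hardened: only a column the table actually has may be named, and the sort
// direction is reduced to one of two keywords.
function buildQuerySafe(table, orderByColumn, direction) {
  if (!Object.prototype.hasOwnProperty.call(TABLE_COLUMNS, table)) {
    throw new Error(`unknown table: ${table}`);
  }
  const columns = TABLE_COLUMNS[table];
  if (!columns.includes(orderByColumn)) {
    throw new Error(`ORDER BY column is not a column of ${table}: ${JSON.stringify(orderByColumn)}`);
  }
  const dir = String(direction).toUpperCase() === 'DESC' ? 'DESC' : 'ASC';
  return `SELECT * FROM ${quoteIdentifier(table)} ORDER BY ${quoteIdentifier(orderByColumn)} ${dir}`;
}

// Rough count of top-level statements: splits on ';' outside quotes and skips
// "--" line comments. Enough to show the PostgreSQL/SQLite difference; it does
// not handle dollar quoting or block comments.
function countStatements(sql) {
  let count = 0;
  let sawToken = false;
  let quote = null;
  for (let i = 0; i < sql.length; i += 1) {
    const ch = sql[i];
    if (quote) {
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === "'" || ch === '"') { quote = ch; sawToken = true; continue; }
    if (ch === '-' && sql[i + 1] === '-') {
      const nl = sql.indexOf('\n', i);
      i = nl === -1 ? sql.length : nl;
      continue;
    }
    if (ch === ';') { if (sawToken) count += 1; sawToken = false; continue; }
    if (!/\s/.test(ch)) sawToken = true;
  }
  return sawToken ? count + 1 : count;
}

// Usage with constructed inputs.
const injected = buildQueryUnsafe('data_table_rows', PAYLOAD, 'ASC');
console.log(injected);
console.log(countStatements(injected)); // 2
console.log(buildQuerySafe('data_table_rows', 'created_at', 'desc'));
```

The single-statement case is not harmless either: text injected into a sort expression stays inside the SELECT, but a CASE over a subquery can still leak data one bit at a time through the row order. The allowlist closes both variants because it never lets an expression reach the SQL text.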


7) LDAP injection (CVE-ID: CVE-2026-33751)

CWE-ID: CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information or bypass authentication checks implemented in the workflow.

The vulnerability exists because the LDAP node's filter escape logic does not neutralize all special characters when interpolating user-controlled input into LDAP search filters. A remote attacker can supply crafted input through expressions to change the structure of the filter, which discloses directory data or bypasses authentication checks the workflow implements on top of the search result.

Exploitation requires a workflow configuration in which external user input is passed via expressions into the LDAP node's search parameters.


Remediation

Install the update from the vendor's website.