SB2026051386 - Multiple vulnerabilities in n8n
Published: May 13, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:L/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to cause the server to issue HTTP requests, including stored credentials, to unintended hosts.
The vulnerability exists due to server-side request forgery in the POST /rest/dynamic-node-parameters/options endpoint when handling requests for dynamic node parameter options. A remote user can send a crafted request that causes the server to issue HTTP requests carrying the credential to unintended hosts.
Exploitation requires access to the credential.
2) Path traversal (CVE-ID: N/A)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information and execute workflow-defined actions on downstream systems.
The vulnerability exists due to path traversal in the ExecuteWorkflow node localFile source option when handling REST API requests with user-supplied file paths. A remote user can supply an arbitrary file path, bypassing the intended file path restrictions, to disclose sensitive information and execute workflow-defined actions on downstream systems.
The localFile source option is hidden from the UI but remains accessible through the REST API. Only files containing valid workflow JSON can be loaded and executed.
Remediation
Install the update from the vendor's website.