SB2026052781 - Multiple vulnerabilities in n8n
Published: May 27, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper access control in the Python Code Node sandbox when executing user-defined Python workflows. A remote user can create or modify a workflow containing a Python Code Node to execute arbitrary code.
Only instances with the Python Task Runner enabled are vulnerable.
2) Path traversal (CVE-ID: N/A)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to path traversal in the Git node Clone and Push operations when processing user-supplied repository paths. A remote user can supply a local filesystem path as the source or target repository to disclose sensitive information.
Only users with permission to create or modify workflows can exploit this issue, and the issue bypasses the N8N_RESTRICT_FILE_ACCESS_TO file sandbox.
Remediation
Install the update from the vendor's website.