SB2026070878 - Multiple vulnerabilities in n8n
Published: July 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 14 vulnerabilities.
1) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper access control in the AI Agents node-execution tool when chatting with an agent that has node tools enabled. A remote user can chat with a crafted agent to escalate privileges.
On affected instances, the issue can expose credential secrets from the project, and if command- or file-capable tool nodes are enabled, exploitation may be extended to arbitrary command execution on the host.
2) Improper privilege management (CVE-ID: N/A)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper access control in the Enterprise SSO instance-role provisioning feature when processing an Identity Provider role claim during authentication. A remote user can supply or influence an instance-role claim that resolves to the global:owner role to escalate privileges.
Only instances with Enterprise SSO configured and instance-role provisioning enabled via the N8N_SSO_SCOPES_PROVISION_INSTANCE_ROLE flag are vulnerable. Exploitation additionally requires control over the issued instance-role claim or its claim-to-role mapping.
3) Information disclosure (CVE-ID: N/A)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in execution data for LLM sub-nodes when storing custom header credential values during workflow runs. A remote user can read execution data to disclose sensitive information.
This issue only affects instances where workflows use LLM sub-nodes with custom headers defined in their credentials. Because execution data can be persisted to the database and exported, exposed values may remain accessible beyond a single execution.
4) Protection mechanism failure (CVE-ID: N/A)
CWE-ID: CWE-693 - Protection Mechanism Failure
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to access the host filesystem and network without sandbox restrictions.
The vulnerability exists due to improper sandbox enforcement in the shell tool of the @n8n/computer-use package when executing shell commands on Linux or Windows. A remote user can run shell commands through the computer-use agent to access the host filesystem and network without sandbox restrictions.
Only deployments where the @n8n/computer-use package is explicitly installed and running are vulnerable.
5) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper access control in the legacy expression evaluator computed-member sanitizer when evaluating crafted expressions. A remote user can create or modify a workflow containing a crafted expression to execute arbitrary code.
The legacy expression engine is the default engine in affected versions.
6) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.
The vulnerability exists due to improper input validation in the Resource Locator component when opening workflow-persisted external links. A remote user can create a crafted workflow with a malicious cachedResultUrl value to execute arbitrary JavaScript in the victim's browser.
User interaction is required to open the crafted workflow and interact with external links.
7) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to access internal network resources via server-side request forgery.
The vulnerability exists due to improper access control in /rest/dynamic-node-parameters/ endpoints when handling requests with an absolute URL in the routing configuration. A remote user can send a specially crafted request to access internal network resources via server-side request forgery.
Workflow creation or execution is not required. The issue is exposed when SSRF protection is disabled by default.
8) Missing Authorization (CVE-ID: N/A)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to access and execute another user's protected workflow and disclose sensitive information.
The vulnerability exists due to improper authorization in the OAuth 2.1 consent and token-issuance flow for MCP Server Trigger workflows when processing OAuth resource access requests. A remote user can register an OAuth client, self-approve consent for another user's protected workflow, and obtain a valid token to access and execute another user's protected workflow and disclose sensitive information.
The workflow runs in the owner's project context with the owner's stored credentials, and the resulting executions appear under the owner's account and are not visible to the attacker. Only instances with an active workflow using an MCP Server Trigger node configured with n8n OAuth2 authentication are vulnerable.
9) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper access control in the Token Exchange module when issuing access tokens from externally trusted JWTs. A remote user can obtain a token exchange JWT and invoke administrator-only Public API operations to escalate privileges.
Only instances with the Token Exchange feature and the Public API enabled are vulnerable. Exploitation requires access to an external JWT accepted by a configured trusted key. Role escalation additionally requires an Advanced Permissions license.
10) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper access control in the Token Exchange module when issuing access tokens from externally trusted JWTs. A remote user can obtain a token exchange JWT and use administrator-level Public API capabilities to install community packages and execute arbitrary code.
Only instances with the Token Exchange feature and the Public API enabled are vulnerable. Exploitation requires access to an external JWT accepted by a configured trusted key. This code execution path additionally requires both community packages and unverified packages to be enabled.
11) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the GraphQL node when handling HTTP-based credentials for outbound requests. A remote user can configure the node to send requests to an attacker-controlled server to disclose sensitive information.
Only instances where a credential has "Allowed HTTP Request Domains" configured and is usable by non-owner users are vulnerable.
12) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in the victim's browser and access authenticated same-origin APIs.
The vulnerability exists due to cross-site scripting in the HTML preview iframe srcdoc handling when rendering execution output. A remote user can inject crafted content that bypasses sanitization to execute arbitrary script in the victim's browser and access authenticated same-origin APIs.
User interaction is required to open the preview, and the injected script runs same-origin as the editor.
13) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: N/A)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to a time-of-check time-of-use race condition in the Git node clone operation when cloning a repository. A remote user can swap a directory for a symlink after path validation to execute arbitrary code.
Exploitation requires the ability to create and run workflows using the Git node, and the planted repository is loaded as a custom node on the next restart.
14) Insertion of Sensitive Information Into Sent Data (CVE-ID: N/A)
CWE-ID: CWE-201 - Insertion of Sensitive Information Into Sent Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to disclose sensitive information and impersonate the configured Google service account.
The vulnerability exists due to insertion of sensitive information into sent data in JWT header generation when using Google Service Account credentials. A remote attacker can obtain or inspect a JWT header containing the full PEM private key to disclose sensitive information and impersonate the configured Google service account.
Only instances using Google Service Account credentials are affected.
Remediation
Install update from vendor's website.
References
- https://github.com/n8n-io/n8n/security/advisories/GHSA-x5vx-c2c8-m3w9
- https://github.com/n8n-io/n8n/security/advisories/GHSA-35q8-9mj6-wjmf
- https://github.com/n8n-io/n8n/security/advisories/GHSA-89gh-3pgc-v5h2
- https://github.com/n8n-io/n8n/security/advisories/GHSA-fpg6-x68q-5793
- https://github.com/n8n-io/n8n/security/advisories/GHSA-pm35-fqvh-cq5g
- https://github.com/n8n-io/n8n/security/advisories/GHSA-9wcp-9r3j-383q
- https://github.com/n8n-io/n8n/security/advisories/GHSA-9w78-79q7-r4fp
- https://github.com/n8n-io/n8n/security/advisories/GHSA-q5xf-xhwf-cwqf
- https://github.com/n8n-io/n8n/security/advisories/GHSA-777w-rpr6-c52h
- https://github.com/n8n-io/n8n/security/advisories/GHSA-gq66-9cw5-j5jm
- https://github.com/n8n-io/n8n/security/advisories/GHSA-p3rg-hrf9-w9gj
- https://github.com/n8n-io/n8n/security/advisories/GHSA-g3r5-9h93-4j2c
- https://github.com/n8n-io/n8n/security/advisories/GHSA-9r8p-h6cc-6qhm