CVE-2026-33660

| EUVD-2026-15942 CRITICAL
2026-03-25 GitHub_M GHSA-58qr-rcgv-642v
9.4
CVSS 4.0
Share

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
PoC Detected
Mar 30, 2026 - 14:54 vuln.today
Public exploit code
Analysis Generated
Mar 25, 2026 - 17:47 vuln.today
EUVD ID Assigned
Mar 25, 2026 - 17:47 euvd
EUVD-2026-15942
CVE Published
Mar 25, 2026 - 17:09 nvd
CRITICAL 9.4

Tags

RCE Code Injection

Description

n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.26, an authenticated user with permission to create or modify workflows could use the Merge node's "Combine by SQL" mode to read local files on the n8n host and achieve remote code execution. The AlaSQL sandbox did not sufficiently restrict certain SQL statements, allowing an attacker to access sensitive files on the server or even compromise the instance. The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.26. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Analysis

An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit the Merge node's 'Combine by SQL' mode to read arbitrary local files on the n8n host and achieve remote code execution. n8n versions prior to 2.14.1, 2.13.3, and 1.123.26 are affected. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Inventory all n8n instances and document current versions; restrict workflow creation/modification privileges to essential personnel only; enable audit logging for all workflow changes. Within 7 days: Implement network segmentation to isolate n8n instances; disable the 'Combine by SQL' feature in the Merge node if operationally feasible; review audit logs for suspicious workflow activity. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

67
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +47
POC: +20

Share

CVE-2026-33660 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy