N8n
Monthly
Permission bypass in n8n's external secrets handling allows authenticated low-privilege users to exfiltrate secrets they are not authorized to access by exploiting a mismatch between the platform's static validation layer and its runtime expression engine. Affected are all n8n instances running versions before 1.123.61 (1.x branch), 2.27.4, or 2.28.1 (2.x branch) that have both an external secrets provider and Advanced Permissions configured. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the confidentiality impact is high for affected deployments given that secrets such as API keys and credentials may be fully exposed.
Unauthorized external secret disclosure in n8n before 2.28.1 allows authenticated project editors to read plaintext secret values from external secret managers by embedding references in workflow node expressions. The flaw bypasses the intended access control model: users with project editor roles - who are not granted explicit secrets access permissions - can nonetheless resolve and exfiltrate secrets via expression syntax. No public exploit or active exploitation has been identified, but the CVSS 4.0 vector assigns SC:H (high confidentiality impact on subsequent systems), reflecting that secrets stored in downstream vaults or secret managers are fully exposed to insufficiently privileged users.
Authentication bypass in the n8n Chat Trigger node allows unauthenticated network access to protected webhook endpoints when the node is explicitly configured with n8n User Auth - a non-default operator setting. Affected releases span all 1.x builds before 1.123.22, the entire 2.0.0-2.9.2 range, and 2.10.0. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the CVSS 4.0 score of 6.3 with AT:P correctly reflects that real-world exposure is bounded by the non-default configuration prerequisite.
File path restriction bypass in n8n before 2.19.3 allows authenticated users with workflow creation or modification rights to circumvent the N8N_RESTRICT_FILE_ACCESS_TO security boundary via a legacy REST API code path, enabling arbitrary file existence disclosure on the host filesystem. Where a targeted path contains valid workflow JSON, that file can additionally be loaded and executed by the n8n engine, potentially triggering downstream actions on all systems connected to that workflow. No public exploit or active exploitation has been identified at time of analysis, but the low complexity and broad impact on connected downstream systems make this a meaningful risk in multi-tenant or partially-trusted deployments.
Input validation bypass in n8n's Guardrail node (versions before 2.10.0) allows end users interacting with affected workflows to circumvent AI safety guardrail instructions through crafted inputs, undermining workflow integrity. Any n8n deployment running a workflow that incorporates the Guardrail node is exposed; instances not using that node are entirely unaffected regardless of version. No public exploit code has been identified and this CVE does not appear in CISA KEV; a vendor-confirmed patch is available in n8n 2.10.0.
Disk space exhaustion in n8n's data-table file upload endpoint allows an authenticated user to progressively fill the host's disk by repeatedly uploading files whose cumulative size is never checked against what already exists in the shared temporary directory. Affected versions span all n8n releases before 2.28.0 on the 2.x branch and before 1.123.58 on the 1.x branch. The flaw is rooted in a stateless per-request quota that ignores previously written files, enabling a low-privileged user to loop uploads between periodic cleanup cycles until disk space is exhausted, potentially disrupting the host and all co-resident services. No public exploit code or CISA KEV listing has been identified at time of analysis.
Stored cross-site scripting and open redirect vulnerabilities in n8n's Form Node allow authenticated users with workflow creation permissions to inject malicious scripts or phishing redirects that execute in the browsers of end users who interact with published forms. Affected across both the 1.x branch (before 1.123.24) and the 2.x branch (before 2.10.4 and 2.12.0). The attack surface is the Form Node's HTML description fields, which accept unsanitized markup, combined with an overly permissive iframe sandbox policy - creating a persistent attack vector embedded within legitimate workflows. No public exploit code or CISA KEV listing has been identified at time of analysis.
Credential disclosure in n8n workflow automation (versions prior to 1.123.61, 2.27.4, and 2.28.1) allows an authenticated member holding use-only editor access to a shared workflow to read credential-populated HTTP headers via the $request object inside an HTTP Request node's pagination expression, then exfiltrate the secret through returned item data. This defeats n8n's credential-hiding model, which is supposed to prevent low-privilege collaborators from seeing the underlying secret values. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the EPSS/POC signals were not provided.
Privilege escalation via prototype pollution in n8n workflow automation lets an authenticated low-privilege user (holding the default workflow:create permission) corrupt Object.prototype through a crafted workflow saved, updated, or imported via the workflow API. Once polluted, subsequent unauthenticated requests are evaluated as a privileged user, exposing internal user and project listing endpoints. This is an information-disclosure and access-control flaw with no public exploit identified at time of analysis; CVSS 4.0 base score is 7.1.
Authentication bypass in n8n's external identity resolution lets an attacker impersonate other users when the instance trusts more than one token-exchange issuer. Affecting n8n before 2.27.4 and version 2.28.0, the flaw stems from resolving federated identities using only the JWT sub claim while ignoring the iss claim, so a valid token from one trusted issuer whose sub matches a victim registered under a different issuer grants full access to that victim's account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the authentication-level impact (VC:H/VI:H) makes it a meaningful account-takeover risk for multi-issuer SSO deployments.
Credential secret exfiltration in n8n (self-hosted workflow automation) prior to 2.27.4 and 2.28.1 lets a low-privilege member with use-only access to a shared credential leak that secret to an attacker-controlled server. The AI Agents feature fails to enforce the 'Allowed HTTP Request Domains' restriction when an MCP tool is aimed at an arbitrary URL, so the guardrail meant to keep secrets in-bounds is bypassed. No public exploit identified at time of analysis; risk is elevated because the abuse comes from an already-authorized internal user rather than an outside attacker.
SQL injection in n8n's legacy MySQL v1 node (executeQuery operation) exposes the connected MySQL database to arbitrary query execution when workflow expressions interpolate attacker-controlled input without parameterization. Versions before 1.123.61 (1.x branch), 2.27.4 (2.x branch), and 2.28.1 (2.28.x branch) are affected when workflows combine the MySQL v1 node with externally-reachable triggers such as a Webhook node. No public exploit or CISA KEV listing is identified at time of analysis; however, deployments exposing such workflows to untrusted networks face high-severity database confidentiality and integrity risk.
Improper authorization in n8n before 2.28.0 enables authenticated users to assign workflows to folders belonging to foreign projects by supplying crafted payloads during workflow creation. The flaw (CWE-639) bypasses project and folder ownership checks entirely, allowing logical integrity violations across organizational boundaries in multi-project deployments. No active exploitation is confirmed (not in CISA KEV) and no public proof-of-concept code has been identified at time of analysis, though the vendor has released a fix in version 2.28.0.
Authorization bypass in n8n's Public API execution retry endpoint allows authenticated read-only users to trigger workflow executions they should not be permitted to run. The endpoint incorrectly authorizes requests against the workflow:read scope rather than the required workflow:execute scope, collapsing the intended permission boundary between read and execute access. This affects n8n instances before 2.25.7 and 2.26.x before 2.26.2 where workflows are shared across users or projects; no public exploit has been identified at time of analysis, and a vendor patch is available.
{workflowId}/test-runs/new endpoint incorrectly validates the workflow:read scope instead of the required workflow:execute scope, enabling any project-level viewer to invoke the internal workflow runner without execute privileges. This results in unintended outbound API calls and data mutations to downstream connected systems - a meaningful integrity risk in multi-tenant RBAC deployments. No public exploit or CISA KEV listing exists at time of analysis.
Incorrect authorization in n8n's evaluation test-run API endpoints allows authenticated project viewers to perform state-changing operations reserved for users with execute permissions. On Enterprise and Cloud deployments running Advanced Permissions with projects and viewer roles configured, an authenticated project:viewer can start new evaluation test runs, cancel in-flight runs, and delete run records for workflows they have only read access to - bypassing the intended workflow:execute scope gate. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS 4.0 score of 5.3 (PR:L) reflects the authenticated, low-complexity nature of the flaw.
Webhook signature bypass in n8n's ZendeskTrigger node allows network-adjacent attackers who possess the webhook URL to inject arbitrary data into n8n workflows by sending unsigned POST requests. The ZendeskTrigger node omits the mandatory HMAC-SHA256 verification step that Zendesk's webhook security model requires, treating any inbound POST as a legitimate Zendesk event. This affects n8n v1.x before 1.123.18 and v2.x before 2.6.2; no public exploit or CISA KEV designation has been identified at time of analysis.
Stored cross-site scripting in n8n before 2.8.0 allows authenticated low-privilege users to inject malicious JavaScript URLs into OAuth2 credential Authorization URL fields within the credential management flow. When a victim - potentially a higher-privileged user - clicks the OAuth authorization button on the crafted credential, arbitrary scripts execute in their browser session carrying the victim's privileges. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the stored nature of the payload means a single malicious credential can be surfaced to multiple targets in collaborative n8n environments.
Arbitrary command execution in the n8n workflow automation platform lets authenticated users abuse the built-in Execute Command node to run OS commands directly on the host running n8n. Any user with workflow-editing access or stolen credentials can leverage this by-design node to exfiltrate data, disrupt the service, or fully compromise the underlying host, and CWE-284 (Improper Access Control) reflects that command execution is not restricted to trusted operators. Reported by VulnCheck; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
The Python Code node in n8n allows authenticated workflow editors to bypass the AST security validator by crafting Python code that evades an incomplete blocklist (CWE-184), reaching the task executor module namespace. Affected self-hosted n8n deployments running versions before 2.25.7 or 2.26.x before 2.26.2 with the Python Task Runner enabled are exposed to environment variable disclosure when N8N_BLOCK_RUNNER_ENV_ACCESS is not set to restrict access, potentially leaking API keys, database credentials, or other secrets injected at process startup. No public exploit code exists and no active exploitation has been confirmed at time of analysis.
Stored XSS in n8n's Chat Trigger node allows authenticated workflow editors to inject JavaScript through a misconfigured sanitize-html filter in the Custom CSS field, which then executes in the browsers of every user visiting the public chat page. Affected are all 1.x releases before 1.123.27, the 2.0.0-2.13.2 range, and 2.14.0; fixed versions are 1.123.27, 2.13.3, and 2.14.1. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS 4.0 score of 5.1 reflects the authenticated prerequisite and bounded per-user impact.
SSO enforcement bypass in n8n before 2.8.0 allows any authenticated SSO user to disable organization-wide SSO enforcement via the API, then register a local password credential, permanently decoupling their account from the identity provider. This defeats identity-provider-enforced MFA and enables persistent access that survives SSO policy changes or user deprovisioning in the IdP. No public exploit code has been identified at time of analysis, but the technique requires only a valid SSO session and knowledge of the relevant API endpoint.
Stored XSS in n8n's Form Trigger node allows any authenticated low-privilege user with workflow creation rights to inject persistent malicious scripts that execute for every visitor of a published form. Affects n8n 1.x before 1.123.25 and 2.x from 2.0.0-rc.0 before 2.11.2. No public exploit or active exploitation identified at time of analysis; the CVSS 4.0 score of 5.1 reflects partial CSP mitigation blocking session cookie theft while still permitting form hijacking and phishing against unlimited downstream victims.
SQL injection in n8n's MySQL, PostgreSQL, and Microsoft SQL database integration nodes (all versions before 2.4.0) allows authenticated users with workflow creation permissions to execute arbitrary SQL commands against connected databases by supplying crafted identifier values - table or column names - in node configuration parameters. The nodes failed to escape SQL identifiers when constructing queries, bypassing the safety guarantees users expected from parameterized inputs and enabling injection that directly impacts downstream database confidentiality and integrity. Reported by the NATO Cyber Security Centre; vendor-released patch is confirmed in n8n 2.4.0, with no public exploit code or CISA KEV listing identified at time of analysis.
Webhook forgery in n8n's GitHub Webhook Trigger node allows unauthenticated remote attackers to spoof GitHub events and trigger arbitrary workflow execution by sending unsigned POST requests to any known webhook URL. The root cause is a complete absence of HMAC-SHA256 signature verification - the cryptographic control GitHub provides specifically to authenticate webhook deliveries - meaning n8n accepted all inbound POST traffic without validation. Affected versions span the v1 branch (below 1.123.15) and v2 branch (2.0.0 through 2.5.0); no public exploit code or CISA KEV listing exists at time of analysis, but the attack is trivially executable by any party possessing the webhook URL.
Server-Side Request Forgery (SSRF) in n8n's dynamic node parameters endpoint allows authenticated users with credential access to bypass the platform's Allowed HTTP Request Domains restriction, causing the n8n server to issue outbound HTTP requests carrying stored credentials to attacker-controlled or unauthorized hosts. All n8n deployments prior to version 2.20.0 are affected regardless of domain restriction configuration, as the restriction is not enforced on the POST /rest/dynamic-node-parameters/options endpoint. No public exploit code or CISA KEV listing has been identified at time of analysis, but the attack is low-complexity once authentication is obtained.
A stored cross-site scripting (XSS) vulnerability in n8n workflow automation platform allows authenticated users to craft malicious workflows that execute arbitrary JavaScript in the browsers of higher-privileged users. Affected versions are n8n prior to 1.123.27, 2.13.3, and 2.14.1 (identified via CPE cpe:2.3:a:n8n-io:n8n). An attacker with workflow creation/modification permissions can exploit the `/rest/binary-data` endpoint's failure to properly sanitize HTML responses, enabling credential theft, workflow manipulation, and privilege escalation to administrative access with full same-origin context.
n8n versions prior to 2.5.0 contain a critical SSH host key verification bypass in the Source Control feature that allows network-positioned attackers to perform man-in-the-middle attacks against Git operations. Affected users who have explicitly enabled and configured SSH-based source control can have their workflows injected with malicious content or have repository data intercepted without authentication. While the feature is non-default and requires explicit configuration, the vulnerability enables complete compromise of workflow integrity and potential lateral movement within automation pipelines.
This vulnerability in n8n (an open-source workflow automation platform) is an authentication bypass in the OAuth callback handler that occurs when the N8N_SKIP_AUTH_ON_OAUTH_CALLBACK environment variable is explicitly set to true. An attacker can manipulate the OAuth state parameter verification to trick a victim into completing an OAuth flow that stores the victim's OAuth tokens in an attacker-controlled credential object, allowing the attacker to execute workflows using the victim's delegated permissions. The vulnerability affects n8n versions prior to 2.8.0 and requires non-default configuration to be exploitable, limiting its widespread impact but creating significant risk for affected deployments.
Authenticated n8n users can hijack administrator accounts when LDAP authentication is enabled by manipulating their LDAP email attribute to match a target account's email address, gaining full access that persists even after reverting the email change. This authentication bypass (CWE-287) affects n8n versions prior to 2.4.0 and 1.121.0 where LDAP is configured, and public exploit code exists. The vulnerability requires LDAP to be actively enabled and the attacker to control their own LDAP email attribute, creating a critical account takeover risk for administrators.
An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit the Merge node's 'Combine by SQL' mode to read arbitrary local files on the n8n host and achieve remote code execution. n8n versions prior to 2.14.1, 2.13.3, and 1.123.26 are affected. The vulnerability carries a CVSS 4.0 score of 9.4 (Critical) due to insufficient sandbox restrictions in the AlaSQL component, allowing SQL injection-style attacks against the host system. No public proof-of-concept or active exploitation (KEV) status has been reported at this time.
n8n is an open source workflow automation platform. [CVSS 5.4 MEDIUM]
Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path through the expression engine. Patch available.
Remote code execution in n8n workflow automation platform allows authenticated users with workflow creation or modification permissions to execute arbitrary shell commands by chaining file write operations with git functions to manipulate configuration files. Versions prior to 2.2.0 and 1.123.8 are affected, and administrators should upgrade immediately or restrict workflow editing permissions to trusted users only.
Authenticated users with workflow modification permissions in n8n versions prior to 2.10.1, 2.9.3, and 1.123.22 can exploit the Merge node's SQL query mode to execute arbitrary code and write files on the server. This high-severity vulnerability (CVSS 8.8) affects the AI/ML and workflow automation platform, allowing attackers with legitimate access to achieve complete system compromise. No patch is currently available, and administrators should restrict workflow permissions or disable the Merge node as temporary mitigations.
Code injection in n8n workflow automation before 2.10.1/2.9.3/1.123.22 allows authenticated users to execute arbitrary code by creating or editing workflows with malicious expressions. Third n8n RCE CVE in this release.
Python sandbox escape in n8n workflow automation before 2.10.1/2.9.3/1.123.22. Users who can modify workflows can escape the Python Code node sandbox for full host compromise on instances using internal Task Runners.
Second-order expression injection in n8n workflow automation before 2.10.1/2.9.3/1.123.22. Crafted workflow data triggers expression evaluation leading to code execution. Patch available.
Improper credential domain validation in n8n's HTTP Request node prior to version 1.121.0 enables authenticated attackers to redirect requests containing credentials to unintended domains, risking credential theft for users with wildcard domain patterns in their allowed domains configuration. The vulnerability requires valid authentication and has a low exploitation probability, with no public exploit currently available.
n8n versions 0.187.0 through 1.120.2 contain a command injection vulnerability in the community package installation feature that allows authenticated administrators to execute arbitrary system commands on the host. The vulnerability requires high privilege access and specific conditions to exploit but carries high risk due to potential complete system compromise. A patch is available in version 1.120.3.
n8n has a protection mechanism bypass (CVSS 9.9) in the Python sandbox allowing authenticated users to escape code execution restrictions.
N8N versions up to 1.118.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
n8n is an open source workflow automation platform. [CVSS 8.1 HIGH]
Stored cross-site scripting in n8n's markdown rendering component allows authenticated users to inject malicious scripts into workflows and sticky notes that execute with session privileges when viewed by other users. An attacker with workflow modification permissions can exploit this to hijack sessions and compromise accounts of users who interact with affected workflows. Versions 1.123.9 and 2.2.1 contain fixes for this vulnerability.
n8n has a command injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary OS commands through workflow definitions.
n8n has a TOCTOU race condition vulnerability (CVSS 9.9) enabling bypass of execution restrictions in workflow processing.
Improper Content Security Policy enforcement in n8n workflow automation allows authenticated users to inject persistent XSS payloads into webhook responses that execute with same-origin privileges when other users access the affected workflows. An attacker with workflow creation/modification permissions could exploit this to hijack sessions and compromise user accounts. The vulnerability affects n8n versions prior to 1.123.2.
n8n workflow automation platform has an authenticated code execution vulnerability (CVSS 9.9) through improper runtime behavior modification, enabling server takeover.
n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. [CVSS 7.7 HIGH]
n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through crafted workflow expressions.
Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox restrictions and execute arbitrary code on the underlying operating system, with full instance takeover possible in Internal execution mode. Public exploit code exists for this vulnerability, which affects n8n deployments running under Internal execution mode where the Python executor has direct OS access. External execution mode deployments using Docker sidecars have reduced impact as code execution is confined to the container rather than the main node.
n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. [CVSS 5.3 MEDIUM]
n8n versions 0.150.0 through 2.2.1 lack webhook signature verification in the Stripe Trigger node, enabling unauthenticated attackers to forge Stripe events and trigger workflows by sending crafted POST requests to known webhook URLs. Affected users with active Stripe Trigger workflows could experience unauthorized execution of automation logic, potentially allowing attackers to simulate fraudulent payment or subscription events. A patch is available in version 2.2.2 and later.
n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with scope change enabling full compromise of both self-hosted and cloud instances. EPSS 12.5% indicates high exploitation activity. Patch available.
n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical CVSS 10.0 vulnerability enabling remote attackers to read sensitive files from the server, with potential for further compromise. PoC available.
n8n is an open source workflow automation platform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
An arbitrary file upload vulnerability in the Chat Trigger component of N8N v1.95.3, v1.100.1, and v1.101.1 allows attackers to execute arbitrary code via uploading a crafted HTML file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
n8n is a workflow automation platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
n8n is a workflow automation platform. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
n8n is a workflow automation platform. Prior to version 1.99.1, an authorization vulnerability was discovered in the /rest/executions/:id/stop endpoint of n8n. An authenticated user can stop workflow executions that they do not own or that have not been shared with them, leading to potential business disruption. This issue has been patched in version 1.99.1. A workaround involves restricting access to the /rest/executions/:id/stop endpoint via reverse proxy or API gateway.
n8n is a workflow automation platform. Prior to version 1.99.0, there is a denial of Service vulnerability in /rest/binary-data endpoint when processing empty filesystem URIs (filesystem:// or filesystem-v2://). This allows authenticated attackers to cause service unavailability through malformed filesystem URI requests, effecting the /rest/binary-data endpoint and n8n.cloud instances (confirmed HTTP/2 524 timeout responses). Attackers can exploit this by sending GET requests with empty filesystem URIs (filesystem:// or filesystem-v2://) to the /rest/binary-data endpoint, causing resource exhaustion and service disruption. This issue has been patched in version 1.99.0.
n8n is a workflow automation platform. Versions prior to 1.98.0 have an Open Redirect vulnerability in the login flow. Authenticated users can be redirected to untrusted, attacker-controlled domains after logging in, by crafting malicious URLs with a misleading redirect query parameter. This may lead to phishing attacks by impersonating the n8n UI on lookalike domains (e.g., n8n.local.evil.com), credential or 2FA theft if users are tricked into re-entering sensitive information, and/or reputation risk due to the visual similarity between attacker-controlled domains and trusted ones. The vulnerability affects anyone hosting n8n and exposing the `/signin` endpoint to users. The issue has been patched in version 1.98.0. All users should upgrade to this version or later. The fix introduces strict origin validation for redirect URLs, ensuring only same-origin or relative paths are allowed after login.
n8n is a workflow automation platform. Rated medium severity (CVSS 5.0). This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
The n8n package 0.218.0 for Node.js allows Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The n8n package 0.218.0 for Node.js allows Escalation of Privileges. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The n8n package 0.218.0 for Node.js allows Directory Traversal. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Permission bypass in n8n's external secrets handling allows authenticated low-privilege users to exfiltrate secrets they are not authorized to access by exploiting a mismatch between the platform's static validation layer and its runtime expression engine. Affected are all n8n instances running versions before 1.123.61 (1.x branch), 2.27.4, or 2.28.1 (2.x branch) that have both an external secrets provider and Advanced Permissions configured. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the confidentiality impact is high for affected deployments given that secrets such as API keys and credentials may be fully exposed.
Unauthorized external secret disclosure in n8n before 2.28.1 allows authenticated project editors to read plaintext secret values from external secret managers by embedding references in workflow node expressions. The flaw bypasses the intended access control model: users with project editor roles - who are not granted explicit secrets access permissions - can nonetheless resolve and exfiltrate secrets via expression syntax. No public exploit or active exploitation has been identified, but the CVSS 4.0 vector assigns SC:H (high confidentiality impact on subsequent systems), reflecting that secrets stored in downstream vaults or secret managers are fully exposed to insufficiently privileged users.
Authentication bypass in the n8n Chat Trigger node allows unauthenticated network access to protected webhook endpoints when the node is explicitly configured with n8n User Auth - a non-default operator setting. Affected releases span all 1.x builds before 1.123.22, the entire 2.0.0-2.9.2 range, and 2.10.0. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the CVSS 4.0 score of 6.3 with AT:P correctly reflects that real-world exposure is bounded by the non-default configuration prerequisite.
File path restriction bypass in n8n before 2.19.3 allows authenticated users with workflow creation or modification rights to circumvent the N8N_RESTRICT_FILE_ACCESS_TO security boundary via a legacy REST API code path, enabling arbitrary file existence disclosure on the host filesystem. Where a targeted path contains valid workflow JSON, that file can additionally be loaded and executed by the n8n engine, potentially triggering downstream actions on all systems connected to that workflow. No public exploit or active exploitation has been identified at time of analysis, but the low complexity and broad impact on connected downstream systems make this a meaningful risk in multi-tenant or partially-trusted deployments.
Input validation bypass in n8n's Guardrail node (versions before 2.10.0) allows end users interacting with affected workflows to circumvent AI safety guardrail instructions through crafted inputs, undermining workflow integrity. Any n8n deployment running a workflow that incorporates the Guardrail node is exposed; instances not using that node are entirely unaffected regardless of version. No public exploit code has been identified and this CVE does not appear in CISA KEV; a vendor-confirmed patch is available in n8n 2.10.0.
Disk space exhaustion in n8n's data-table file upload endpoint allows an authenticated user to progressively fill the host's disk by repeatedly uploading files whose cumulative size is never checked against what already exists in the shared temporary directory. Affected versions span all n8n releases before 2.28.0 on the 2.x branch and before 1.123.58 on the 1.x branch. The flaw is rooted in a stateless per-request quota that ignores previously written files, enabling a low-privileged user to loop uploads between periodic cleanup cycles until disk space is exhausted, potentially disrupting the host and all co-resident services. No public exploit code or CISA KEV listing has been identified at time of analysis.
Stored cross-site scripting and open redirect vulnerabilities in n8n's Form Node allow authenticated users with workflow creation permissions to inject malicious scripts or phishing redirects that execute in the browsers of end users who interact with published forms. Affected across both the 1.x branch (before 1.123.24) and the 2.x branch (before 2.10.4 and 2.12.0). The attack surface is the Form Node's HTML description fields, which accept unsanitized markup, combined with an overly permissive iframe sandbox policy - creating a persistent attack vector embedded within legitimate workflows. No public exploit code or CISA KEV listing has been identified at time of analysis.
Credential disclosure in n8n workflow automation (versions prior to 1.123.61, 2.27.4, and 2.28.1) allows an authenticated member holding use-only editor access to a shared workflow to read credential-populated HTTP headers via the $request object inside an HTTP Request node's pagination expression, then exfiltrate the secret through returned item data. This defeats n8n's credential-hiding model, which is supposed to prevent low-privilege collaborators from seeing the underlying secret values. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the EPSS/POC signals were not provided.
Privilege escalation via prototype pollution in n8n workflow automation lets an authenticated low-privilege user (holding the default workflow:create permission) corrupt Object.prototype through a crafted workflow saved, updated, or imported via the workflow API. Once polluted, subsequent unauthenticated requests are evaluated as a privileged user, exposing internal user and project listing endpoints. This is an information-disclosure and access-control flaw with no public exploit identified at time of analysis; CVSS 4.0 base score is 7.1.
Authentication bypass in n8n's external identity resolution lets an attacker impersonate other users when the instance trusts more than one token-exchange issuer. Affecting n8n before 2.27.4 and version 2.28.0, the flaw stems from resolving federated identities using only the JWT sub claim while ignoring the iss claim, so a valid token from one trusted issuer whose sub matches a victim registered under a different issuer grants full access to that victim's account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the authentication-level impact (VC:H/VI:H) makes it a meaningful account-takeover risk for multi-issuer SSO deployments.
Credential secret exfiltration in n8n (self-hosted workflow automation) prior to 2.27.4 and 2.28.1 lets a low-privilege member with use-only access to a shared credential leak that secret to an attacker-controlled server. The AI Agents feature fails to enforce the 'Allowed HTTP Request Domains' restriction when an MCP tool is aimed at an arbitrary URL, so the guardrail meant to keep secrets in-bounds is bypassed. No public exploit identified at time of analysis; risk is elevated because the abuse comes from an already-authorized internal user rather than an outside attacker.
SQL injection in n8n's legacy MySQL v1 node (executeQuery operation) exposes the connected MySQL database to arbitrary query execution when workflow expressions interpolate attacker-controlled input without parameterization. Versions before 1.123.61 (1.x branch), 2.27.4 (2.x branch), and 2.28.1 (2.28.x branch) are affected when workflows combine the MySQL v1 node with externally-reachable triggers such as a Webhook node. No public exploit or CISA KEV listing is identified at time of analysis; however, deployments exposing such workflows to untrusted networks face high-severity database confidentiality and integrity risk.
Improper authorization in n8n before 2.28.0 enables authenticated users to assign workflows to folders belonging to foreign projects by supplying crafted payloads during workflow creation. The flaw (CWE-639) bypasses project and folder ownership checks entirely, allowing logical integrity violations across organizational boundaries in multi-project deployments. No active exploitation is confirmed (not in CISA KEV) and no public proof-of-concept code has been identified at time of analysis, though the vendor has released a fix in version 2.28.0.
Authorization bypass in n8n's Public API execution retry endpoint allows authenticated read-only users to trigger workflow executions they should not be permitted to run. The endpoint incorrectly authorizes requests against the workflow:read scope rather than the required workflow:execute scope, collapsing the intended permission boundary between read and execute access. This affects n8n instances before 2.25.7 and 2.26.x before 2.26.2 where workflows are shared across users or projects; no public exploit has been identified at time of analysis, and a vendor patch is available.
{workflowId}/test-runs/new endpoint incorrectly validates the workflow:read scope instead of the required workflow:execute scope, enabling any project-level viewer to invoke the internal workflow runner without execute privileges. This results in unintended outbound API calls and data mutations to downstream connected systems - a meaningful integrity risk in multi-tenant RBAC deployments. No public exploit or CISA KEV listing exists at time of analysis.
Incorrect authorization in n8n's evaluation test-run API endpoints allows authenticated project viewers to perform state-changing operations reserved for users with execute permissions. On Enterprise and Cloud deployments running Advanced Permissions with projects and viewer roles configured, an authenticated project:viewer can start new evaluation test runs, cancel in-flight runs, and delete run records for workflows they have only read access to - bypassing the intended workflow:execute scope gate. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS 4.0 score of 5.3 (PR:L) reflects the authenticated, low-complexity nature of the flaw.
Webhook signature bypass in n8n's ZendeskTrigger node allows network-adjacent attackers who possess the webhook URL to inject arbitrary data into n8n workflows by sending unsigned POST requests. The ZendeskTrigger node omits the mandatory HMAC-SHA256 verification step that Zendesk's webhook security model requires, treating any inbound POST as a legitimate Zendesk event. This affects n8n v1.x before 1.123.18 and v2.x before 2.6.2; no public exploit or CISA KEV designation has been identified at time of analysis.
Stored cross-site scripting in n8n before 2.8.0 allows authenticated low-privilege users to inject malicious JavaScript URLs into OAuth2 credential Authorization URL fields within the credential management flow. When a victim - potentially a higher-privileged user - clicks the OAuth authorization button on the crafted credential, arbitrary scripts execute in their browser session carrying the victim's privileges. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the stored nature of the payload means a single malicious credential can be surfaced to multiple targets in collaborative n8n environments.
Arbitrary command execution in the n8n workflow automation platform lets authenticated users abuse the built-in Execute Command node to run OS commands directly on the host running n8n. Any user with workflow-editing access or stolen credentials can leverage this by-design node to exfiltrate data, disrupt the service, or fully compromise the underlying host, and CWE-284 (Improper Access Control) reflects that command execution is not restricted to trusted operators. Reported by VulnCheck; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
The Python Code node in n8n allows authenticated workflow editors to bypass the AST security validator by crafting Python code that evades an incomplete blocklist (CWE-184), reaching the task executor module namespace. Affected self-hosted n8n deployments running versions before 2.25.7 or 2.26.x before 2.26.2 with the Python Task Runner enabled are exposed to environment variable disclosure when N8N_BLOCK_RUNNER_ENV_ACCESS is not set to restrict access, potentially leaking API keys, database credentials, or other secrets injected at process startup. No public exploit code exists and no active exploitation has been confirmed at time of analysis.
Stored XSS in n8n's Chat Trigger node allows authenticated workflow editors to inject JavaScript through a misconfigured sanitize-html filter in the Custom CSS field, which then executes in the browsers of every user visiting the public chat page. Affected are all 1.x releases before 1.123.27, the 2.0.0-2.13.2 range, and 2.14.0; fixed versions are 1.123.27, 2.13.3, and 2.14.1. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS 4.0 score of 5.1 reflects the authenticated prerequisite and bounded per-user impact.
SSO enforcement bypass in n8n before 2.8.0 allows any authenticated SSO user to disable organization-wide SSO enforcement via the API, then register a local password credential, permanently decoupling their account from the identity provider. This defeats identity-provider-enforced MFA and enables persistent access that survives SSO policy changes or user deprovisioning in the IdP. No public exploit code has been identified at time of analysis, but the technique requires only a valid SSO session and knowledge of the relevant API endpoint.
Stored XSS in n8n's Form Trigger node allows any authenticated low-privilege user with workflow creation rights to inject persistent malicious scripts that execute for every visitor of a published form. Affects n8n 1.x before 1.123.25 and 2.x from 2.0.0-rc.0 before 2.11.2. No public exploit or active exploitation identified at time of analysis; the CVSS 4.0 score of 5.1 reflects partial CSP mitigation blocking session cookie theft while still permitting form hijacking and phishing against unlimited downstream victims.
SQL injection in n8n's MySQL, PostgreSQL, and Microsoft SQL database integration nodes (all versions before 2.4.0) allows authenticated users with workflow creation permissions to execute arbitrary SQL commands against connected databases by supplying crafted identifier values - table or column names - in node configuration parameters. The nodes failed to escape SQL identifiers when constructing queries, bypassing the safety guarantees users expected from parameterized inputs and enabling injection that directly impacts downstream database confidentiality and integrity. Reported by the NATO Cyber Security Centre; vendor-released patch is confirmed in n8n 2.4.0, with no public exploit code or CISA KEV listing identified at time of analysis.
Webhook forgery in n8n's GitHub Webhook Trigger node allows unauthenticated remote attackers to spoof GitHub events and trigger arbitrary workflow execution by sending unsigned POST requests to any known webhook URL. The root cause is a complete absence of HMAC-SHA256 signature verification - the cryptographic control GitHub provides specifically to authenticate webhook deliveries - meaning n8n accepted all inbound POST traffic without validation. Affected versions span the v1 branch (below 1.123.15) and v2 branch (2.0.0 through 2.5.0); no public exploit code or CISA KEV listing exists at time of analysis, but the attack is trivially executable by any party possessing the webhook URL.
Server-Side Request Forgery (SSRF) in n8n's dynamic node parameters endpoint allows authenticated users with credential access to bypass the platform's Allowed HTTP Request Domains restriction, causing the n8n server to issue outbound HTTP requests carrying stored credentials to attacker-controlled or unauthorized hosts. All n8n deployments prior to version 2.20.0 are affected regardless of domain restriction configuration, as the restriction is not enforced on the POST /rest/dynamic-node-parameters/options endpoint. No public exploit code or CISA KEV listing has been identified at time of analysis, but the attack is low-complexity once authentication is obtained.
A stored cross-site scripting (XSS) vulnerability in n8n workflow automation platform allows authenticated users to craft malicious workflows that execute arbitrary JavaScript in the browsers of higher-privileged users. Affected versions are n8n prior to 1.123.27, 2.13.3, and 2.14.1 (identified via CPE cpe:2.3:a:n8n-io:n8n). An attacker with workflow creation/modification permissions can exploit the `/rest/binary-data` endpoint's failure to properly sanitize HTML responses, enabling credential theft, workflow manipulation, and privilege escalation to administrative access with full same-origin context.
n8n versions prior to 2.5.0 contain a critical SSH host key verification bypass in the Source Control feature that allows network-positioned attackers to perform man-in-the-middle attacks against Git operations. Affected users who have explicitly enabled and configured SSH-based source control can have their workflows injected with malicious content or have repository data intercepted without authentication. While the feature is non-default and requires explicit configuration, the vulnerability enables complete compromise of workflow integrity and potential lateral movement within automation pipelines.
This vulnerability in n8n (an open-source workflow automation platform) is an authentication bypass in the OAuth callback handler that occurs when the N8N_SKIP_AUTH_ON_OAUTH_CALLBACK environment variable is explicitly set to true. An attacker can manipulate the OAuth state parameter verification to trick a victim into completing an OAuth flow that stores the victim's OAuth tokens in an attacker-controlled credential object, allowing the attacker to execute workflows using the victim's delegated permissions. The vulnerability affects n8n versions prior to 2.8.0 and requires non-default configuration to be exploitable, limiting its widespread impact but creating significant risk for affected deployments.
Authenticated n8n users can hijack administrator accounts when LDAP authentication is enabled by manipulating their LDAP email attribute to match a target account's email address, gaining full access that persists even after reverting the email change. This authentication bypass (CWE-287) affects n8n versions prior to 2.4.0 and 1.121.0 where LDAP is configured, and public exploit code exists. The vulnerability requires LDAP to be actively enabled and the attacker to control their own LDAP email attribute, creating a critical account takeover risk for administrators.
An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit the Merge node's 'Combine by SQL' mode to read arbitrary local files on the n8n host and achieve remote code execution. n8n versions prior to 2.14.1, 2.13.3, and 1.123.26 are affected. The vulnerability carries a CVSS 4.0 score of 9.4 (Critical) due to insufficient sandbox restrictions in the AlaSQL component, allowing SQL injection-style attacks against the host system. No public proof-of-concept or active exploitation (KEV) status has been reported at this time.
n8n is an open source workflow automation platform. [CVSS 5.4 MEDIUM]
Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path through the expression engine. Patch available.
Remote code execution in n8n workflow automation platform allows authenticated users with workflow creation or modification permissions to execute arbitrary shell commands by chaining file write operations with git functions to manipulate configuration files. Versions prior to 2.2.0 and 1.123.8 are affected, and administrators should upgrade immediately or restrict workflow editing permissions to trusted users only.
Authenticated users with workflow modification permissions in n8n versions prior to 2.10.1, 2.9.3, and 1.123.22 can exploit the Merge node's SQL query mode to execute arbitrary code and write files on the server. This high-severity vulnerability (CVSS 8.8) affects the AI/ML and workflow automation platform, allowing attackers with legitimate access to achieve complete system compromise. No patch is currently available, and administrators should restrict workflow permissions or disable the Merge node as temporary mitigations.
Code injection in n8n workflow automation before 2.10.1/2.9.3/1.123.22 allows authenticated users to execute arbitrary code by creating or editing workflows with malicious expressions. Third n8n RCE CVE in this release.
Python sandbox escape in n8n workflow automation before 2.10.1/2.9.3/1.123.22. Users who can modify workflows can escape the Python Code node sandbox for full host compromise on instances using internal Task Runners.
Second-order expression injection in n8n workflow automation before 2.10.1/2.9.3/1.123.22. Crafted workflow data triggers expression evaluation leading to code execution. Patch available.
Improper credential domain validation in n8n's HTTP Request node prior to version 1.121.0 enables authenticated attackers to redirect requests containing credentials to unintended domains, risking credential theft for users with wildcard domain patterns in their allowed domains configuration. The vulnerability requires valid authentication and has a low exploitation probability, with no public exploit currently available.
n8n versions 0.187.0 through 1.120.2 contain a command injection vulnerability in the community package installation feature that allows authenticated administrators to execute arbitrary system commands on the host. The vulnerability requires high privilege access and specific conditions to exploit but carries high risk due to potential complete system compromise. A patch is available in version 1.120.3.
n8n has a protection mechanism bypass (CVSS 9.9) in the Python sandbox allowing authenticated users to escape code execution restrictions.
N8N versions up to 1.118.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
n8n is an open source workflow automation platform. [CVSS 8.1 HIGH]
Stored cross-site scripting in n8n's markdown rendering component allows authenticated users to inject malicious scripts into workflows and sticky notes that execute with session privileges when viewed by other users. An attacker with workflow modification permissions can exploit this to hijack sessions and compromise accounts of users who interact with affected workflows. Versions 1.123.9 and 2.2.1 contain fixes for this vulnerability.
n8n has a command injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary OS commands through workflow definitions.
n8n has a TOCTOU race condition vulnerability (CVSS 9.9) enabling bypass of execution restrictions in workflow processing.
Improper Content Security Policy enforcement in n8n workflow automation allows authenticated users to inject persistent XSS payloads into webhook responses that execute with same-origin privileges when other users access the affected workflows. An attacker with workflow creation/modification permissions could exploit this to hijack sessions and compromise user accounts. The vulnerability affects n8n versions prior to 1.123.2.
n8n workflow automation platform has an authenticated code execution vulnerability (CVSS 9.9) through improper runtime behavior modification, enabling server takeover.
n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. [CVSS 7.7 HIGH]
n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through crafted workflow expressions.
Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox restrictions and execute arbitrary code on the underlying operating system, with full instance takeover possible in Internal execution mode. Public exploit code exists for this vulnerability, which affects n8n deployments running under Internal execution mode where the Python executor has direct OS access. External execution mode deployments using Docker sidecars have reduced impact as code execution is confined to the container rather than the main node.
n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. [CVSS 5.3 MEDIUM]
n8n versions 0.150.0 through 2.2.1 lack webhook signature verification in the Stripe Trigger node, enabling unauthenticated attackers to forge Stripe events and trigger workflows by sending crafted POST requests to known webhook URLs. Affected users with active Stripe Trigger workflows could experience unauthorized execution of automation logic, potentially allowing attackers to simulate fraudulent payment or subscription events. A patch is available in version 2.2.2 and later.
n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with scope change enabling full compromise of both self-hosted and cloud instances. EPSS 12.5% indicates high exploitation activity. Patch available.
n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical CVSS 10.0 vulnerability enabling remote attackers to read sensitive files from the server, with potential for further compromise. PoC available.
n8n is an open source workflow automation platform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
An arbitrary file upload vulnerability in the Chat Trigger component of N8N v1.95.3, v1.100.1, and v1.101.1 allows attackers to execute arbitrary code via uploading a crafted HTML file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
n8n is a workflow automation platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
n8n is a workflow automation platform. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
n8n is a workflow automation platform. Prior to version 1.99.1, an authorization vulnerability was discovered in the /rest/executions/:id/stop endpoint of n8n. An authenticated user can stop workflow executions that they do not own or that have not been shared with them, leading to potential business disruption. This issue has been patched in version 1.99.1. A workaround involves restricting access to the /rest/executions/:id/stop endpoint via reverse proxy or API gateway.
n8n is a workflow automation platform. Prior to version 1.99.0, there is a denial of Service vulnerability in /rest/binary-data endpoint when processing empty filesystem URIs (filesystem:// or filesystem-v2://). This allows authenticated attackers to cause service unavailability through malformed filesystem URI requests, effecting the /rest/binary-data endpoint and n8n.cloud instances (confirmed HTTP/2 524 timeout responses). Attackers can exploit this by sending GET requests with empty filesystem URIs (filesystem:// or filesystem-v2://) to the /rest/binary-data endpoint, causing resource exhaustion and service disruption. This issue has been patched in version 1.99.0.
n8n is a workflow automation platform. Versions prior to 1.98.0 have an Open Redirect vulnerability in the login flow. Authenticated users can be redirected to untrusted, attacker-controlled domains after logging in, by crafting malicious URLs with a misleading redirect query parameter. This may lead to phishing attacks by impersonating the n8n UI on lookalike domains (e.g., n8n.local.evil.com), credential or 2FA theft if users are tricked into re-entering sensitive information, and/or reputation risk due to the visual similarity between attacker-controlled domains and trusted ones. The vulnerability affects anyone hosting n8n and exposing the `/signin` endpoint to users. The issue has been patched in version 1.98.0. All users should upgrade to this version or later. The fix introduces strict origin validation for redirect URLs, ensuring only same-origin or relative paths are allowed after login.
n8n is a workflow automation platform. Rated medium severity (CVSS 5.0). This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
The n8n package 0.218.0 for Node.js allows Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The n8n package 0.218.0 for Node.js allows Escalation of Privileges. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The n8n package 0.218.0 for Node.js allows Directory Traversal. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.