Package Instance
Look up vulnerable packages by Package URL (purl).
GET /api/packages/796341?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/796341?format=api", "purl": "pkg:npm/n8n@1.0.4", "type": "npm", "namespace": "", "name": "n8n", "version": "1.0.4", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.123.33", "latest_non_vulnerable_version": "2.22.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70598?format=api", "vulnerability_id": "VCID-17dc-5ubt-g3e1", "summary": "n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the fix for GHSA-f3f2-mcxc-pwjx did not cover the Snowflake node or the legacy MySQL v1 node. Both nodes construct SQL queries by directly interpolating user-controlled table names, column names, and update keys into query strings without identifier escaping, enabling SQL injection against the connected database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42237", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11412", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42237" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42237", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42237" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-f3f2-mcxc-pwjx", "reference_id": "GHSA-f3f2-mcxc-pwjx", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-f3f2-mcxc-pwjx" }, { "reference_url": "https://github.com/advisories/GHSA-hp3c-vfpm-q4f7", "reference_id": "GHSA-hp3c-vfpm-q4f7", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hp3c-vfpm-q4f7" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-hp3c-vfpm-q4f7", "reference_id": "GHSA-hp3c-vfpm-q4f7", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-04T20:17:33Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-hp3c-vfpm-q4f7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373286?format=api", "purl": "pkg:npm/n8n@1.123.32", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32" }, { "url": "http://public2.vulnerablecode.io/api/packages/373288?format=api", "purl": "pkg:npm/n8n@2.17.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/373287?format=api", "purl": "pkg:npm/n8n@2.18.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1" } ], "aliases": [ "CVE-2026-42237", "GHSA-hp3c-vfpm-q4f7" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-17dc-5ubt-g3e1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77657?format=api", "vulnerability_id": "VCID-18zg-q45k-d3f3", "summary": "n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, a flaw in the LDAP node's filter escape logic allowed LDAP metacharacters to pass through unescaped when user-controlled input was interpolated into LDAP search filters. In workflows where external user input is passed via expressions into the LDAP node's search parameters, an attacker could manipulate the constructed filter to retrieve unintended LDAP records or bypass authentication checks implemented in the workflow. Exploitation requires a specific workflow configuration. The LDAP node must be used with user-controlled input passed via expressions (e.g., from a form or webhook). The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. 
If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the LDAP node by adding `n8n-nodes-base.ldap` to the `NODES_EXCLUDE` environment variable, and/or avoid passing unvalidated external user input into LDAP node search parameters via expressions. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33751", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05308", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33751" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33751", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33751" }, { "reference_url": "https://github.com/advisories/GHSA-w83q-mcmx-mh42", "reference_id": "GHSA-w83q-mcmx-mh42", "reference_type": "", "scores": [], 
"url": "https://github.com/advisories/GHSA-w83q-mcmx-mh42" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-w83q-mcmx-mh42", "reference_id": "GHSA-w83q-mcmx-mh42", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:10:55Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-w83q-mcmx-mh42" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374800?format=api", "purl": "pkg:npm/n8n@1.123.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.27" }, { "url": "http://public2.vulnerablecode.io/api/packages/374760?format=api", "purl": "pkg:npm/n8n@2.13.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": 
"VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/374759?format=api", "purl": "pkg:npm/n8n@2.14.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1" } ], "aliases": [ "CVE-2026-33751", "GHSA-w83q-mcmx-mh42" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-18zg-q45k-d3f3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360053?format=api", "vulnerability_id": "VCID-1rt1-y3w9-skc7", "summary": "n8n has XSS in its Credential Management Flow\n## Impact\nAn authenticated user with permission to create and share credentials could craft a malicious OAuth2 credential containing a JavaScript URL in the Authorization URL field. If a victim opened the credential and interacted with the OAuth authorization button, the injected script would execute in their browser session.\n\n## Patches\nThe issue has been fixed in n8n versions 2.8.0 and 2.6.4. 
Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit credential creation and sharing permissions to fully trusted users only.\n- Restrict access to the n8n instance to trusted users only.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-364x-8g5j-x2pr", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-364x-8g5j-x2pr" }, { "reference_url": "https://github.com/advisories/GHSA-364x-8g5j-x2pr", "reference_id": "GHSA-364x-8g5j-x2pr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-364x-8g5j-x2pr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374624?format=api", "purl": "pkg:npm/n8n@2.6.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { 
"vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.6.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/39942?format=api", "purl": "pkg:npm/n8n@2.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" 
}, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.8.0" } ], "aliases": [ "GHSA-364x-8g5j-x2pr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1rt1-y3w9-skc7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360207?format=api", "vulnerability_id": "VCID-2kxv-vwc7-3ubf", "summary": "n8n: Authenticated XSS and Open Redirect via Form Node\n## Impact\nAn authenticated user with permission to create or modify workflows could configure a Form Node with an unsanitized HTML description field or exploit an overly permissive iframe sandbox policy to perform stored cross-site scripting or redirect end users visiting the form to an arbitrary external URL. The vulnerability could be used to facilitate phishing attacks.\n\n## Patches\nThe issue has been fixed in n8n versions 1.123.24, 2.10.4 and 2.12.0. 
Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the Form node by adding `n8n-nodes-base.form` to the `NODES_EXCLUDE` environment variable.\n- Disable the Form Trigger node by adding `n8n-nodes-base.formTrigger` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-w673-8fjw-457c", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-w673-8fjw-457c" }, { "reference_url": "https://github.com/advisories/GHSA-w673-8fjw-457c", "reference_id": "GHSA-w673-8fjw-457c", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-w673-8fjw-457c" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/375283?format=api", "purl": "pkg:npm/n8n@1.123.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.24" }, { "url": "http://public2.vulnerablecode.io/api/packages/375282?format=api", "purl": "pkg:npm/n8n@2.10.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { 
"vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/375281?format=api", "purl": "pkg:npm/n8n@2.12.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.12.0" } ], "aliases": [ "GHSA-w673-8fjw-457c" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2kxv-vwc7-3ubf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70609?format=api", "vulnerability_id": "VCID-39dw-4b5k-1bae", "summary": "n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RCE when combined with other nodes exploiting the prototype pollution. 
This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42232", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00223", "scoring_system": "epss", "scoring_elements": "0.45037", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42232" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42232", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42232" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-hqr4-h3xv-9m3r", "reference_id": "GHSA-hqr4-h3xv-9m3r", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-04T19:41:11Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-hqr4-h3xv-9m3r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373286?format=api", "purl": "pkg:npm/n8n@1.123.32", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32" }, { "url": "http://public2.vulnerablecode.io/api/packages/373288?format=api", "purl": "pkg:npm/n8n@2.17.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/373287?format=api", "purl": "pkg:npm/n8n@2.18.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1" } ], "aliases": [ "CVE-2026-42232", "GHSA-hqr4-h3xv-9m3r" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-39dw-4b5k-1bae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93481?format=api", "vulnerability_id": "VCID-3p4c-nkcn-hkey", "summary": "n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process. This issue has been patched in version 2.0.0. 
Workarounds for this issue involve disabling the Code Node by setting the environment variable NODES_EXCLUDE: \"[\\\"n8n-nodes-base.code\\\"]\", disabling Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false, which was introduced in n8n version 1.104.0, and configuring n8n to use the task runner based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68668", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10857", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68668" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68668", "reference_id": "CVE-2025-68668", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68668" }, { "reference_url": "https://www.smartkeyss.com/post/cve-2025-68668-breaking-out-of-the-python-sandbox-in-n8n", "reference_id": "CVE-2025-68668-BREAKING-OUT-OF-THE-PYTHON-SANDBOX-IN-N8N", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://www.smartkeyss.com/post/cve-2025-68668-breaking-out-of-the-python-sandbox-in-n8n" }, { "reference_url": "https://github.com/advisories/GHSA-62r4-hw23-cc8v", "reference_id": "GHSA-62r4-hw23-cc8v", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-62r4-hw23-cc8v" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-62r4-hw23-cc8v", "reference_id": "GHSA-62r4-hw23-cc8v", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-26T21:54:21Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-62r4-hw23-cc8v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36372?format=api", "purl": "pkg:npm/n8n@2.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": 
"VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-fuvy-21q8-fyhh" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s86a-mpj9-dfhg" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0" } ], "aliases": [ "CVE-2025-68668", "GHSA-62r4-hw23-cc8v" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3p4c-nkcn-hkey" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70147?format=api", "vulnerability_id": "VCID-456j-q8xt-57e3", "summary": "n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the Oracle Database node's select operation allowed user-controlled input passed into the Limit field via expressions to be interpolated directly into the SQL query without sanitization or parameterization. 
In workflows where external input is passed into the Limit field (e.g., from a webhook), an attacker could inject arbitrary SQL and exfiltrate data from the connected Oracle database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42233", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19896", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42233" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42233", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42233" }, { "reference_url": "https://github.com/advisories/GHSA-r6jc-mpqw-m755", "reference_id": "GHSA-r6jc-mpqw-m755", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-r6jc-mpqw-m755" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-r6jc-mpqw-m755", "reference_id": "GHSA-r6jc-mpqw-m755", "reference_type": "", "scores": [ { "value": "9.8", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:08:55Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-r6jc-mpqw-m755" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373286?format=api", "purl": "pkg:npm/n8n@1.123.32", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32" }, { "url": "http://public2.vulnerablecode.io/api/packages/373288?format=api", "purl": "pkg:npm/n8n@2.17.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/373287?format=api", "purl": "pkg:npm/n8n@2.18.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1" } ], "aliases": [ "CVE-2026-42233", "GHSA-r6jc-mpqw-m755" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-456j-q8xt-57e3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70273?format=api", "vulnerability_id": "VCID-4crt-c14t-53dq", "summary": "n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name. 
If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute arbitrary JavaScript in the victim's authenticated n8n browser session, enabling credential and session token theft, workflow manipulation, or privilege escalation. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42235", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.29789", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42235" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42235", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42235" }, { "reference_url": "https://github.com/advisories/GHSA-537j-gqpc-p7fq", "reference_id": "GHSA-537j-gqpc-p7fq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-537j-gqpc-p7fq" }, { "reference_url": 
"https://github.com/n8n-io/n8n/security/advisories/GHSA-537j-gqpc-p7fq", "reference_id": "GHSA-537j-gqpc-p7fq", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T14:39:57Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-537j-gqpc-p7fq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373286?format=api", "purl": "pkg:npm/n8n@1.123.32", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32" }, { "url": "http://public2.vulnerablecode.io/api/packages/373288?format=api", "purl": "pkg:npm/n8n@2.17.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/373287?format=api", "purl": "pkg:npm/n8n@2.18.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1" } ], "aliases": [ "CVE-2026-42235", "GHSA-537j-gqpc-p7fq" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4crt-c14t-53dq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74152?format=api", "vulnerability_id": "VCID-5c7w-mba9-mucn", "summary": "n8n is an open source workflow automation platform. 
In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service. This could result in full compromise and can impact both self-hosted and n8n Cloud instances. This issue is fixed in version 1.121.3. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading to the latest version is recommended. [Note: the 0.121.2 bound does not match the 1.121.3 fix version, and this record lists 1.x releases such as 1.120.3 as affected; confirm the range in GHSA-v364-rw7m-3263.]", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-21877", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05899", "scoring_system": "epss", "scoring_elements": "0.90808", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-21877" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21877", "reference_id": "CVE-2026-21877", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21877" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/f4b009d00d1f4ba9359b8e8f1c071e3d910a55f6", "reference_id": "f4b009d00d1f4ba9359b8e8f1c071e3d910a55f6", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-08T18:59:03Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/f4b009d00d1f4ba9359b8e8f1c071e3d910a55f6" }, { "reference_url": "https://github.com/advisories/GHSA-v364-rw7m-3263", "reference_id": "GHSA-v364-rw7m-3263", "reference_type": "", "scores": [ { "value": "CRITICAL", 
"scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v364-rw7m-3263" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263", "reference_id": "GHSA-v364-rw7m-3263", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-08T18:59:03Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36555?format=api", "purl": "pkg:npm/n8n@1.121.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cy8m-aw8f-zkfx" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": 
"VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-fuvy-21q8-fyhh" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.121.3" } ], "aliases": [ "CVE-2026-21877", "GHSA-v364-rw7m-3263" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5c7w-mba9-mucn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77880?format=api", "vulnerability_id": "VCID-5fsf-m3s8-pfg2", "summary": "n8n is an open source workflow automation platform. 
Prior to versions 2.6.4 and 1.123.23, an authenticated user without permission to list external secrets could reference a secret by the external name in a credential and retrieve its plaintext value when saving the credential. This bypassed the `externalSecret:list` permission check and allowed access to secrets stored in connected vaults without admin or owner privileges. This issue requires the instance to have an external secrets vault configured. The attacker must know or be able to guess the name of a target secret. The issue has been fixed in n8n versions 1.123.23 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Restrict n8n access to fully trusted users only, and/or disable external secrets integration until the patch can be applied. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33722", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04474", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33722" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33722", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33722" }, { "reference_url": "https://github.com/advisories/GHSA-fxcw-h3qj-8m8p", "reference_id": "GHSA-fxcw-h3qj-8m8p", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fxcw-h3qj-8m8p" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-fxcw-h3qj-8m8p", "reference_id": "GHSA-fxcw-h3qj-8m8p", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-28T01:28:29Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-fxcw-h3qj-8m8p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374623?format=api", "purl": "pkg:npm/n8n@1.123.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": 
"VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.23" }, { "url": "http://public2.vulnerablecode.io/api/packages/374624?format=api", "purl": "pkg:npm/n8n@2.6.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], 
"resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.6.4" } ], "aliases": [ "CVE-2026-33722", "GHSA-fxcw-h3qj-8m8p" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5fsf-m3s8-pfg2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65724?format=api", "vulnerability_id": "VCID-5pjr-smm2-pyav", "summary": "n8n is an open source workflow automation platform. Prior to versions 1.123.9 and 2.2.1, a Cross-Site Scripting (XSS) vulnerability existed in a markdown rendering component used in n8n's interface, including workflow sticky notes and other areas that support markdown content. An authenticated user with permission to create or modify workflows could abuse this to execute scripts with same-origin privileges when other users interact with a maliciously crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in versions 1.123.9 and 2.2.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25054", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03977", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25054" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25054", "reference_id": "CVE-2026-25054", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25054" }, { "reference_url": "https://github.com/advisories/GHSA-qpq4-pw7f-pp8w", "reference_id": "GHSA-qpq4-pw7f-pp8w", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qpq4-pw7f-pp8w" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-qpq4-pw7f-pp8w", "reference_id": "GHSA-qpq4-pw7f-pp8w", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:21Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-qpq4-pw7f-pp8w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38752?format=api", "purl": "pkg:npm/n8n@1.123.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": 
"VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/38754?format=api", "purl": "pkg:npm/n8n@2.2.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { 
"vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s86a-mpj9-dfhg" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.2.1" } ], "aliases": [ "CVE-2026-25054", "GHSA-qpq4-pw7f-pp8w" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5pjr-smm2-pyav" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74420?format=api", "vulnerability_id": 
"VCID-63n8-hy1m-3ke5", "summary": "n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-21893", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0025", "scoring_system": "epss", "scoring_elements": "0.48668", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-21893" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/ae0669a736cc496beeb296e115267862727ae838", "reference_id": "ae0669a736cc496beeb296e115267862727ae838", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-04T19:33:16Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/ae0669a736cc496beeb296e115267862727ae838" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21893", "reference_id": "CVE-2026-21893", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21893" }, { "reference_url": "https://github.com/advisories/GHSA-7c4h-vh2m-743m", "reference_id": "GHSA-7c4h-vh2m-743m", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7c4h-vh2m-743m" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-7c4h-vh2m-743m", "reference_id": "GHSA-7c4h-vh2m-743m", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-04T19:33:16Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-7c4h-vh2m-743m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38719?format=api", "purl": "pkg:npm/n8n@1.120.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5c7w-mba9-mucn" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { 
"vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-b5ba-g4u9-jkgx" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cy8m-aw8f-zkfx" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-d7g4-89n1-y7e7" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-fuvy-21q8-fyhh" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qkka-4nty-sqh1" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.120.3" } ], "aliases": [ "CVE-2026-21893", "GHSA-7c4h-vh2m-743m" ], 
"risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-63n8-hy1m-3ke5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77730?format=api", "vulnerability_id": "VCID-6pzv-3t6r-akeq", "summary": "n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with permission to create or modify workflows could exploit a prototype pollution vulnerability in the XML and the GSuiteAdmin nodes. By supplying crafted parameters as part of node configuration, an attacker could write attacker-controlled values onto `Object.prototype`. An attacker could use this prototype pollution to achieve remote code execution on the n8n instance. The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.27. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable. 
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33696", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0021", "scoring_system": "epss", "scoring_elements": "0.43526", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33696" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33696", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33696" }, { "reference_url": "https://github.com/advisories/GHSA-mxrg-77hm-89hv", "reference_id": "GHSA-mxrg-77hm-89hv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mxrg-77hm-89hv" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-mxrg-77hm-89hv", "reference_id": "GHSA-mxrg-77hm-89hv", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T20:08:10Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-mxrg-77hm-89hv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374800?format=api", "purl": "pkg:npm/n8n@1.123.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.27" }, { "url": "http://public2.vulnerablecode.io/api/packages/374760?format=api", "purl": "pkg:npm/n8n@2.13.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/374759?format=api", "purl": "pkg:npm/n8n@2.14.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { 
"vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1" } ], "aliases": [ "CVE-2026-33696", "GHSA-mxrg-77hm-89hv" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6pzv-3t6r-akeq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212672?format=api", "vulnerability_id": "VCID-6xm5-7kq2-xqdm", "summary": "n8n has an Authentication Bypass in its Chat Trigger Node", "references": [ { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/062644ef786b6af480afe4a0f12bc6d70040534a", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/commit/062644ef786b6af480afe4a0f12bc6d70040534a" }, { "reference_url": "https://github.com/advisories/GHSA-jh8h-6c9q-7gmw", "reference_id": "GHSA-jh8h-6c9q-7gmw", "reference_type": "", "scores": [ { 
"value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jh8h-6c9q-7gmw" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-jh8h-6c9q-7gmw", "reference_id": "GHSA-jh8h-6c9q-7gmw", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-jh8h-6c9q-7gmw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39886?format=api", "purl": "pkg:npm/n8n@1.123.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": 
"VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/39885?format=api", "purl": "pkg:npm/n8n@2.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/39884?format=api", "purl": "pkg:npm/n8n@2.10.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": 
"VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1" } ], "aliases": [ "GHSA-jh8h-6c9q-7gmw" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6xm5-7kq2-xqdm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/98223?format=api", "vulnerability_id": "VCID-727u-nmx9-xuf3", "summary": "n8n is a workflow automation platform. Prior to version 1.99.0, there is a denial-of-service vulnerability in the /rest/binary-data endpoint when processing empty filesystem URIs (filesystem:// or filesystem-v2://). This allows authenticated attackers to cause service unavailability through malformed filesystem URI requests, affecting the /rest/binary-data endpoint and n8n.cloud instances (confirmed HTTP/2 524 timeout responses). Attackers can exploit this by sending GET requests with empty filesystem URIs (filesystem:// or filesystem-v2://) to the /rest/binary-data endpoint, causing resource exhaustion and service disruption. 
This issue has been patched in version 1.99.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49595", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52985", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49595" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49595", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49595" }, { "reference_url": "https://github.com/n8n-io/n8n/pull/16229", "reference_id": "16229", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T13:10:37Z/" } ], "url": "https://github.com/n8n-io/n8n/pull/16229" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/43c52a8b4f844e91b02e3cc9df92826a2d7b6052", "reference_id": "43c52a8b4f844e91b02e3cc9df92826a2d7b6052", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": 
"generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T13:10:37Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/43c52a8b4f844e91b02e3cc9df92826a2d7b6052" }, { "reference_url": "https://github.com/advisories/GHSA-pr9r-gxgp-9rm8", "reference_id": "GHSA-pr9r-gxgp-9rm8", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-pr9r-gxgp-9rm8" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-pr9r-gxgp-9rm8", "reference_id": "GHSA-pr9r-gxgp-9rm8", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T13:10:37Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-pr9r-gxgp-9rm8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/378487?format=api", "purl": "pkg:npm/n8n@1.99.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5c7w-mba9-mucn" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5mhm-99u3-ruec" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-63n8-hy1m-3ke5" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { 
"vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-b5ba-g4u9-jkgx" }, { "vulnerability": "VCID-c232-fvfd-3fda" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cy8m-aw8f-zkfx" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-d7g4-89n1-y7e7" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-et9c-dh4q-3qcy" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-fuvy-21q8-fyhh" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-kw94-d9qx-3qf9" }, { "vulnerability": "VCID-nh3d-mzxr-j7dy" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qkka-4nty-sqh1" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s86a-mpj9-dfhg" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-st8g-2xn4-97b9" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-vht4-48cx-c7gu" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": 
"VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" }, { "vulnerability": "VCID-xsuv-1w6k-akeu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.99.0" } ], "aliases": [ "CVE-2025-49595", "GHSA-pr9r-gxgp-9rm8" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-727u-nmx9-xuf3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78102?format=api", "vulnerability_id": "VCID-78yr-xz2p-rkff", "summary": "n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.26, an authenticated user with permission to create or modify workflows could use the Merge node's \"Combine by SQL\" mode to read local files on the n8n host and achieve remote code execution. The AlaSQL sandbox did not sufficiently restrict certain SQL statements, allowing an attacker to access sensitive files on the server or even compromise the instance. The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.26. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. 
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33660", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0008", "scoring_system": "epss", "scoring_elements": "0.23658", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33660" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33660", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33660" }, { "reference_url": "https://github.com/advisories/GHSA-58qr-rcgv-642v", "reference_id": "GHSA-58qr-rcgv-642v", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-58qr-rcgv-642v" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-58qr-rcgv-642v", "reference_id": "GHSA-58qr-rcgv-642v", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-28T01:26:07Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-58qr-rcgv-642v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374800?format=api", "purl": "pkg:npm/n8n@1.123.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.27" }, { "url": "http://public2.vulnerablecode.io/api/packages/374760?format=api", "purl": "pkg:npm/n8n@2.13.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/374759?format=api", "purl": "pkg:npm/n8n@2.14.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { 
"vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1" } ], "aliases": [ "CVE-2026-33660", "GHSA-58qr-rcgv-642v" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-78yr-xz2p-rkff" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212662?format=api", "vulnerability_id": "VCID-95f5-4xkw-yuae", "summary": "n8n Vulnerable to Stored XSS via Various Nodes", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27578", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09942", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27578" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/062644ef786b6af480afe4a0f12bc6d70040534a", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "HIGH", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/commit/062644ef786b6af480afe4a0f12bc6d70040534a" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27578", "reference_id": "CVE-2026-27578", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27578" }, { "reference_url": "https://github.com/advisories/GHSA-2p9h-rqjw-gm92", "reference_id": "GHSA-2p9h-rqjw-gm92", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2p9h-rqjw-gm92" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-2p9h-rqjw-gm92", "reference_id": "GHSA-2p9h-rqjw-gm92", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-2p9h-rqjw-gm92" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39886?format=api", "purl": "pkg:npm/n8n@1.123.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, 
{ "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/902621?format=api", "purl": "pkg:npm/n8n@2.0.0-rc.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": 
"VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0-rc.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/39885?format=api", "purl": "pkg:npm/n8n@2.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/39884?format=api", "purl": "pkg:npm/n8n@2.10.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": 
"VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1" } ], "aliases": [ "CVE-2026-27578", "GHSA-2p9h-rqjw-gm92" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-95f5-4xkw-yuae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66086?format=api", "vulnerability_id": "VCID-9bcs-wgnz-m3e8", "summary": "n8n is an open source workflow automation platform. Prior to versions 1.123.18 and 2.5.0, a vulnerability in the file access controls allows authenticated users with permission to create or modify workflows to read sensitive files from the n8n host system. This can be exploited to obtain critical configuration data and user credentials, leading to complete account takeover of any user on the instance. 
This issue has been patched in versions 1.123.18 and 2.5.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25052", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06479", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25052" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25052", "reference_id": "CVE-2026-25052", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25052" }, { "reference_url": "https://github.com/advisories/GHSA-gfvg-qv54-r4pc", "reference_id": "GHSA-gfvg-qv54-r4pc", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gfvg-qv54-r4pc" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-gfvg-qv54-r4pc", "reference_id": "GHSA-gfvg-qv54-r4pc", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:20Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-gfvg-qv54-r4pc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38741?format=api", "purl": "pkg:npm/n8n@1.123.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/38208?format=api", "purl": "pkg:npm/n8n@2.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.5.0" } ], "aliases": [ "CVE-2026-25052", "GHSA-gfvg-qv54-r4pc" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9bcs-wgnz-m3e8" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/93416?format=api", "vulnerability_id": "VCID-b5ba-g4u9-jkgx", "summary": "n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. 
These workarounds do not fully eliminate the risk and should only be used as short-term measures.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68613", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.68312", "scoring_system": "epss", "scoring_elements": "0.98626", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68613" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://www.akamai.com/blog/security-research/2026/feb/zerobot-malware-targets-n8n-automation-platform", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.akamai.com/blog/security-research/2026/feb/zerobot-malware-targets-n8n-automation-platform" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68613", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68613" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/08f332015153decdda3c37ad4fcb9f7ba13a7c79", "reference_id": "08f332015153decdda3c37ad4fcb9f7ba13a7c79", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-03-11T17:39:59Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/08f332015153decdda3c37ad4fcb9f7ba13a7c79" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/1c933358acef527ff61466e53268b41a04be1000", "reference_id": "1c933358acef527ff61466e53268b41a04be1000", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-03-11T17:39:59Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/1c933358acef527ff61466e53268b41a04be1000" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/39a2d1d60edde89674ca96dcbb3eb076ffff6316", "reference_id": "39a2d1d60edde89674ca96dcbb3eb076ffff6316", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-03-11T17:39:59Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/39a2d1d60edde89674ca96dcbb3eb076ffff6316" }, { "reference_url": 
"https://nvd.nist.gov/vuln/detail/CVE-2025-68613", "reference_id": "CVE-2025-68613", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68613" }, { "reference_url": "https://github.com/advisories/GHSA-v98v-ff95-f3cp", "reference_id": "GHSA-v98v-ff95-f3cp", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v98v-ff95-f3cp" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp", "reference_id": "GHSA-v98v-ff95-f3cp", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-03-11T17:39:59Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36334?format=api", "purl": "pkg:npm/n8n@1.120.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { 
"vulnerability": "VCID-5c7w-mba9-mucn" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cy8m-aw8f-zkfx" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-d7g4-89n1-y7e7" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-fuvy-21q8-fyhh" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qkka-4nty-sqh1" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": 
"VCID-xf7g-p8s2-rqbj" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.120.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/36332?format=api", "purl": "pkg:npm/n8n@1.121.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5c7w-mba9-mucn" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cy8m-aw8f-zkfx" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-fuvy-21q8-fyhh" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { 
"vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.121.1" } ], "aliases": [ "CVE-2025-68613", "GHSA-v98v-ff95-f3cp" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b5ba-g4u9-jkgx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91181?format=api", "vulnerability_id": "VCID-c232-fvfd-3fda", "summary": "n8n is an open source workflow automation platform. Versions 0.123.1 through 1.119.1 do not have adequate protections to prevent RCE through the project's pre-commit hooks. The Add Config operation allows workflows to set arbitrary Git configuration values, including core.hooksPath, which can point to a malicious Git hook that executes arbitrary commands on the n8n host during subsequent Git operations. Exploitation requires the ability to create or modify an n8n workflow using the Git node. This issue is fixed in version 1.119.2. 
Workarounds include excluding the Git Node (Docs) and avoiding cloning or interacting with untrusted repositories using the Git Node.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-65964", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.1024", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-65964" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65964", "reference_id": "CVE-2025-65964", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65964" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/d5a1171f95f75def5c3ac577707ab913e22aef04", "reference_id": "d5a1171f95f75def5c3ac577707ab913e22aef04", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-09T14:18:38Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/d5a1171f95f75def5c3ac577707ab913e22aef04" }, { "reference_url": "https://n8n-docs.teamlab.info/hosting/securing/blocking-nodes/#exclude-nodes", 
"reference_id": "#exclude-nodes", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-09T14:18:38Z/" } ], "url": "https://n8n-docs.teamlab.info/hosting/securing/blocking-nodes/#exclude-nodes" }, { "reference_url": "https://github.com/advisories/GHSA-wpqc-h9wp-chmq", "reference_id": "GHSA-wpqc-h9wp-chmq", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wpqc-h9wp-chmq" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-wpqc-h9wp-chmq", "reference_id": "GHSA-wpqc-h9wp-chmq", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-09T14:18:38Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-wpqc-h9wp-chmq" }, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n%401.119.2", "reference_id": "n8n%401.119.2", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-09T14:18:38Z/" } ], "url": 
"https://github.com/n8n-io/n8n/releases/tag/n8n%401.119.2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35913?format=api", "purl": "pkg:npm/n8n@1.119.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5c7w-mba9-mucn" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-63n8-hy1m-3ke5" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-b5ba-g4u9-jkgx" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cy8m-aw8f-zkfx" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-d7g4-89n1-y7e7" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-fuvy-21q8-fyhh" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": 
"VCID-qkka-4nty-sqh1" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.119.2" } ], "aliases": [ "CVE-2025-65964", "GHSA-wpqc-h9wp-chmq" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c232-fvfd-3fda" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65612?format=api", "vulnerability_id": "VCID-c4s3-zx71-c7h3", "summary": "n8n is an open source workflow automation platform. Prior to versions 1.123.10 and 2.5.0, vulnerabilities in the Git node allowed authenticated users with permission to create or modify workflows to execute arbitrary system commands or read arbitrary files on the n8n host. 
This issue has been patched in versions 1.123.10 and 2.5.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25053", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.09532", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25053" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25053", "reference_id": "CVE-2026-25053", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25053" }, { "reference_url": "https://github.com/advisories/GHSA-9g95-qf3f-ggrw", "reference_id": "GHSA-9g95-qf3f-ggrw", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9g95-qf3f-ggrw" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-9g95-qf3f-ggrw", "reference_id": "GHSA-9g95-qf3f-ggrw", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:18Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-9g95-qf3f-ggrw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38744?format=api", "purl": "pkg:npm/n8n@1.123.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": 
"VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.10" }, { "url": "http://public2.vulnerablecode.io/api/packages/38208?format=api", "purl": "pkg:npm/n8n@2.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], 
"resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.5.0" } ], "aliases": [ "CVE-2026-25053", "GHSA-9g95-qf3f-ggrw" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c4s3-zx71-c7h3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77941?format=api", "vulnerability_id": "VCID-camv-m2tf-qkac", "summary": "n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with the `global:member` role could exploit chained authorization flaws in n8n's credential pipeline to steal plaintext secrets from generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) belonging to other users on the same instance. The attack abuses a name-based credential resolution path that does not enforce ownership or project scope, combined with a bypass in the credentials permission checker that causes generic HTTP credential types to be skipped during pre-execution validation. Together, these flaws allow a member-role user to resolve another user's credential ID and execute a workflow that decrypts and uses that credential without authorization. Native integration credential types (e.g. `slackApi`, `openAiApi`, `postgres`) are not affected by this issue. This vulnerability affects Community Edition only. Enterprise Edition has additional permission gates on workflow creation and execution that independently block this attack chain. The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. 
If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Restrict instance access to fully trusted users only, and/or audit credentials stored on the instance and rotate any generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) that may have been exposed. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33663", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06425", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33663" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33663", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33663" }, { "reference_url": "https://github.com/advisories/GHSA-m63j-689w-3j35", "reference_id": "GHSA-m63j-689w-3j35", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-m63j-689w-3j35" }, { 
"reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35", "reference_id": "GHSA-m63j-689w-3j35", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T17:51:35Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374800?format=api", "purl": "pkg:npm/n8n@1.123.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.27" }, { "url": "http://public2.vulnerablecode.io/api/packages/374760?format=api", "purl": "pkg:npm/n8n@2.13.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": 
"VCID-su1t-s9q1-h7am" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/374759?format=api", "purl": "pkg:npm/n8n@2.14.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1" } ], "aliases": [ "CVE-2026-33663", "GHSA-m63j-689w-3j35" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-camv-m2tf-qkac" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78399?format=api", "vulnerability_id": "VCID-cxss-9g41-gfb7", "summary": "n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow Expression evaluation system. Expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime.\n\nAn authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. 
Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1470", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02265", "scoring_system": "epss", "scoring_elements": "0.84993", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1470" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/25c4b9605b420a98d0185a4f01115122a5134d8f", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/commit/25c4b9605b420a98d0185a4f01115122a5134d8f" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/30383d86139f3279a698df8d229eadfefe8627f4", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/commit/30383d86139f3279a698df8d229eadfefe8627f4" }, { "reference_url": "https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/aa4d1e5825829182afa0ad5b81f602638f55fa04", "reference_id": "aa4d1e5825829182afa0ad5b81f602638f55fa04", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-27T14:35:25Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/aa4d1e5825829182afa0ad5b81f602638f55fa04" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1470", "reference_id": "CVE-2026-1470", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1470" }, { "reference_url": "https://github.com/advisories/GHSA-5xrp-6693-jjx9", "reference_id": "GHSA-5xrp-6693-jjx9", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5xrp-6693-jjx9" }, { "reference_url": "https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce/", "reference_id": "n8n-expression-node-rce", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-27T14:35:25Z/" } ], "url": 
"https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38205?format=api", "purl": "pkg:npm/n8n@1.123.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/38207?format=api", "purl": "pkg:npm/n8n@2.4.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.4.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/38209?format=api", "purl": "pkg:npm/n8n@2.5.1", 
"is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.5.1" } ], "aliases": [ "CVE-2026-1470", "GHSA-5xrp-6693-jjx9" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cxss-9g41-gfb7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66132?format=api", "vulnerability_id": "VCID-cy8m-aw8f-zkfx", "summary": "n8n is an open source workflow automation platform. 
Versions prior to 1.123.2 contain a Cross-Site Scripting (XSS) vulnerability in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy (CSP) sandbox protection intended to isolate HTML responses may not be applied correctly. An authenticated user with permission to create or modify workflows could abuse this to execute malicious scripts with same-origin privileges when other users interact with the crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in version 1.123.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25051", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03978", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25051" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/ced34c0f93ab4c759a56065965986094d8ef7323", "reference_id": "ced34c0f93ab4c759a56065965986094d8ef7323", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:22Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/ced34c0f93ab4c759a56065965986094d8ef7323" }, { "reference_url": 
"https://nvd.nist.gov/vuln/detail/CVE-2026-25051", "reference_id": "CVE-2026-25051", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25051" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/e8cf4d6bb3af94dc296cbb67bc3dd20e9b508ac9", "reference_id": "e8cf4d6bb3af94dc296cbb67bc3dd20e9b508ac9", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:22Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/e8cf4d6bb3af94dc296cbb67bc3dd20e9b508ac9" }, { "reference_url": "https://github.com/advisories/GHSA-825q-w924-xhgx", "reference_id": "GHSA-825q-w924-xhgx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-825q-w924-xhgx" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-825q-w924-xhgx", "reference_id": "GHSA-825q-w924-xhgx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:22Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-825q-w924-xhgx" } ], 
"fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38738?format=api", "purl": "pkg:npm/n8n@1.122.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-fuvy-21q8-fyhh" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { 
"vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.122.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/38734?format=api", "purl": "pkg:npm/n8n@1.123.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-fuvy-21q8-fyhh" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": 
"VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.2" } ], "aliases": [ "CVE-2026-25051", "GHSA-825q-w924-xhgx" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cy8m-aw8f-zkfx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212674?format=api", "vulnerability_id": "VCID-cyxm-4jde-myc1", "summary": "n8n has a Guardrail Node Bypass", "references": [ { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/8d0251d1deef256fd3d9176f05dedab62afde918", "reference_id": "", "reference_type": "", "scores": [ { 
"value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/commit/8d0251d1deef256fd3d9176f05dedab62afde918" }, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.0" }, { "reference_url": "https://github.com/advisories/GHSA-fvfv-ppw4-7h2w", "reference_id": "GHSA-fvfv-ppw4-7h2w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fvfv-ppw4-7h2w" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-fvfv-ppw4-7h2w", "reference_id": "GHSA-fvfv-ppw4-7h2w", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-fvfv-ppw4-7h2w" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/39883?format=api", "purl": "pkg:npm/n8n@2.10.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.0" } ], "aliases": [ "GHSA-fvfv-ppw4-7h2w" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cyxm-4jde-myc1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212675?format=api", "vulnerability_id": "VCID-d1rq-nmws-w3fy", "summary": "n8n has Webhook Forgery on Zendesk Trigger Node", "references": [ { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/3839e310bd4c3002c646c363d1411916fa195151", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/commit/3839e310bd4c3002c646c363d1411916fa195151" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/c6520e4e87614fa60c9433e93019e211f19f65f9", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/commit/c6520e4e87614fa60c9433e93019e211f19f65f9" }, { "reference_url": "https://github.com/advisories/GHSA-38c7-23hj-2wgq", "reference_id": "GHSA-38c7-23hj-2wgq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-38c7-23hj-2wgq" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-38c7-23hj-2wgq", "reference_id": "GHSA-38c7-23hj-2wgq", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", 
"scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-38c7-23hj-2wgq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38741?format=api", "purl": "pkg:npm/n8n@1.123.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": 
"VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/39943?format=api", "purl": "pkg:npm/n8n@2.6.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.6.2" } ], "aliases": [ "GHSA-38c7-23hj-2wgq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d1rq-nmws-w3fy" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/77749?format=api", "vulnerability_id": "VCID-d5bn-f87r-vka1", "summary": "n8n is an open source workflow automation platform. Prior to version 2.8.0, when the `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK` environment variable is set to `true`, the OAuth callback handler skips ownership verification of the OAuth state parameter. This allows an attacker to trick a victim into completing an OAuth flow against a credential object the attacker controls, causing the victim's OAuth tokens to be stored in the attacker's credential. The attacker can then use those tokens to execute workflows in their name. This issue only affects instances where `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true` is explicitly configured (non-default). The issue has been fixed in n8n version 2.8.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Avoid enabling `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true` unless strictly required, and/or restrict access to the n8n instance to fully trusted users only. 
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33720", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02867", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33720" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33720", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33720" }, { "reference_url": "https://github.com/advisories/GHSA-vpgc-2f6g-7w7x", "reference_id": "GHSA-vpgc-2f6g-7w7x", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-vpgc-2f6g-7w7x" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-vpgc-2f6g-7w7x", "reference_id": "GHSA-vpgc-2f6g-7w7x", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:07:38Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-vpgc-2f6g-7w7x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39942?format=api", "purl": "pkg:npm/n8n@2.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.8.0" } ], "aliases": [ "CVE-2026-33720", "GHSA-vpgc-2f6g-7w7x" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d5bn-f87r-vka1" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/66101?format=api", "vulnerability_id": "VCID-d5s2-xbfd-ukg7", "summary": "n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25049", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00053", "scoring_system": "epss", "scoring_elements": "0.16895", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25049" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d", "reference_id": "7860896909b3d42993a36297f053d2b0e633235d", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:21Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b", "reference_id": "936c06cfc1ad269a89e8ef7f8ac79c104436d54b", "reference_type": "", 
"scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:21Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25049", "reference_id": "CVE-2026-25049", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25049" }, { "reference_url": "https://github.com/advisories/GHSA-6cqr-8cfr-67f8", "reference_id": "GHSA-6cqr-8cfr-67f8", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6cqr-8cfr-67f8" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8", "reference_id": "GHSA-6cqr-8cfr-67f8", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:21Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38205?format=api", "purl": "pkg:npm/n8n@1.123.17", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/38728?format=api", "purl": "pkg:npm/n8n@2.5.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { 
"vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.5.2" } ], "aliases": [ "CVE-2026-25049", "GHSA-6cqr-8cfr-67f8" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d5s2-xbfd-ukg7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78047?format=api", "vulnerability_id": "VCID-d763-b5fk-g3dm", "summary": "n8n is an open source workflow automation platform. Prior to version 2.5.0, when the Source Control feature is configured to use SSH, the SSH command used for git operations explicitly disabled host key verification. 
A network attacker positioned between the n8n instance and the remote Git server could intercept the connection and present a fraudulent host key, potentially injecting malicious content into workflows or intercepting repository data. This issue only affects instances where the Source Control feature has been explicitly enabled and configured to use SSH (non-default). The issue has been fixed in n8n version 2.5.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Disable the Source Control feature if it is not actively required, and/or restrict network access to ensure the n8n instance communicates with the Git server only over trusted, controlled network paths. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33724", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04367", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33724" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33724", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": 
"6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33724" }, { "reference_url": "https://github.com/advisories/GHSA-43v7-fp2v-68f6", "reference_id": "GHSA-43v7-fp2v-68f6", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-43v7-fp2v-68f6" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-43v7-fp2v-68f6", "reference_id": "GHSA-43v7-fp2v-68f6", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:05:11Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-43v7-fp2v-68f6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38208?format=api", "purl": "pkg:npm/n8n@2.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { 
"vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.5.0" } ], "aliases": [ "CVE-2026-33724", "GHSA-43v7-fp2v-68f6" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d763-b5fk-g3dm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66155?format=api", "vulnerability_id": "VCID-d7g4-89n1-y7e7", "summary": "n8n is an open source workflow automation platform. Prior to 1.121.0, a vulnerability in the HTTP Request node's credential domain validation allowed an authenticated attacker to send requests with credentials to unintended domains, potentially leading to credential exfiltration. This might only affect users who have credentials that use wildcard domain patterns (e.g., *.example.com) in the \"Allowed domains\" setting. 
This issue is fixed in version 1.121.0 and later.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25631", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07508", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25631" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25631", "reference_id": "CVE-2026-25631", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25631" }, { "reference_url": "https://github.com/advisories/GHSA-2xcx-75h9-vr9h", "reference_id": "GHSA-2xcx-75h9-vr9h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2xcx-75h9-vr9h" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-2xcx-75h9-vr9h", "reference_id": "GHSA-2xcx-75h9-vr9h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-06T21:06:21Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-2xcx-75h9-vr9h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36331?format=api", "purl": "pkg:npm/n8n@1.121.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5c7w-mba9-mucn" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-b5ba-g4u9-jkgx" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cy8m-aw8f-zkfx" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-fuvy-21q8-fyhh" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": 
"VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.121.0" } ], "aliases": [ "CVE-2026-25631", "GHSA-2xcx-75h9-vr9h" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d7g4-89n1-y7e7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80280?format=api", "vulnerability_id": "VCID-dm6y-ymh9-u3cm", "summary": "n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613. An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. 
Limit workflow creation and editing permissions to fully trusted users only, and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27577", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00175", "scoring_system": "epss", "scoring_elements": "0.38836", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27577" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/1479aab2d32fe0ee087f82b9038b1035c98be2f6", "reference_id": "1479aab2d32fe0ee087f82b9038b1035c98be2f6", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:14:18Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/1479aab2d32fe0ee087f82b9038b1035c98be2f6" }, { "reference_url": 
"https://github.com/n8n-io/n8n/commit/9e5212ecbc5d2d4e6f340b636a5e84be6369882e", "reference_id": "9e5212ecbc5d2d4e6f340b636a5e84be6369882e", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:14:18Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/9e5212ecbc5d2d4e6f340b636a5e84be6369882e" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27577", "reference_id": "CVE-2026-27577", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27577" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp", "reference_id": "GHSA-v98v-ff95-f3cp", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:14:18Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp" }, { 
"reference_url": "https://github.com/advisories/GHSA-vpcf-gvg4-6qwr", "reference_id": "GHSA-vpcf-gvg4-6qwr", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vpcf-gvg4-6qwr" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-vpcf-gvg4-6qwr", "reference_id": "GHSA-vpcf-gvg4-6qwr", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:14:18Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-vpcf-gvg4-6qwr" }, { "reference_url": "https://docs.n8n.io/hosting/securing/overview", "reference_id": "overview", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:14:18Z/" } ], "url": "https://docs.n8n.io/hosting/securing/overview" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39886?format=api", "purl": "pkg:npm/n8n@1.123.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": 
"VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/902621?format=api", "purl": "pkg:npm/n8n@2.0.0-rc.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { 
"vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0-rc.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/39885?format=api", "purl": "pkg:npm/n8n@2.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/39884?format=api", "purl": "pkg:npm/n8n@2.10.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { 
"vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1" } ], "aliases": [ "CVE-2026-27577", "GHSA-vpcf-gvg4-6qwr" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dm6y-ymh9-u3cm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/121282?format=api", "vulnerability_id": "VCID-et9c-dh4q-3qcy", "summary": "n8n is a workflow automation platform. Before 1.106.0, a symlink traversal vulnerability was discovered in the Read/Write File node in n8n. While the node attempts to restrict access to sensitive directories and files, it does not properly account for symbolic links (symlinks). An attacker with the ability to create symlinks—such as by using the Execute Command node—could exploit this to bypass the intended directory restrictions and read from or write to otherwise inaccessible paths. Users of n8n.cloud are not impacted. 
Affected users should update to version 1.106.0 or later.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-57749", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00177", "scoring_system": "epss", "scoring_elements": "0.39097", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-57749" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/c2c3e08cdf33570d9051e659812cbfbdd3c077fd", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/commit/c2c3e08cdf33570d9051e659812cbfbdd3c077fd" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57749", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57749" }, { "reference_url": "https://github.com/n8n-io/n8n/pull/17735", "reference_id": "17735", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-21T14:43:03Z/" } ], "url": "https://github.com/n8n-io/n8n/pull/17735" }, { "reference_url": "https://github.com/advisories/GHSA-ggjm-f3g4-rwmm", "reference_id": "GHSA-ggjm-f3g4-rwmm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-ggjm-f3g4-rwmm" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-ggjm-f3g4-rwmm", "reference_id": "GHSA-ggjm-f3g4-rwmm", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-21T14:43:03Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-ggjm-f3g4-rwmm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377724?format=api", "purl": "pkg:npm/n8n@1.106.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5c7w-mba9-mucn" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5mhm-99u3-ruec" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-63n8-hy1m-3ke5" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-b5ba-g4u9-jkgx" }, { "vulnerability": "VCID-c232-fvfd-3fda" }, { "vulnerability": 
"VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cy8m-aw8f-zkfx" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-d7g4-89n1-y7e7" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-fuvy-21q8-fyhh" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-kw94-d9qx-3qf9" }, { "vulnerability": "VCID-nh3d-mzxr-j7dy" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qkka-4nty-sqh1" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s86a-mpj9-dfhg" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-st8g-2xn4-97b9" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" }, { "vulnerability": "VCID-xsuv-1w6k-akeu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.106.0" 
} ], "aliases": [ "CVE-2025-57749", "GHSA-ggjm-f3g4-rwmm" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-et9c-dh4q-3qcy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78072?format=api", "vulnerability_id": "VCID-f8r2-7ab1-w3d8", "summary": "n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, an authenticated user with permission to create or modify workflows could craft a workflow that produces an HTML binary data object without a filename. The `/rest/binary-data` endpoint served such responses inline on the n8n origin without `Content-Disposition` or `Content-Security-Policy` headers, allowing the HTML to render in the browser with full same-origin JavaScript access. By sending the resulting URL to a higher-privileged user, an attacker could execute JavaScript in the victim's authenticated session, enabling exfiltration of workflows and credentials, modification of workflows, or privilege escalation to admin. The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or restrict network access to the n8n instance to prevent untrusted users from accessing binary data URLs. 
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33749", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15914", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33749" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33749", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33749" }, { "reference_url": "https://github.com/advisories/GHSA-qfc3-hm4j-7q77", "reference_id": "GHSA-qfc3-hm4j-7q77", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-qfc3-hm4j-7q77" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-qfc3-hm4j-7q77", "reference_id": "GHSA-qfc3-hm4j-7q77", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:07:00Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-qfc3-hm4j-7q77" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374800?format=api", "purl": "pkg:npm/n8n@1.123.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.27" }, { "url": "http://public2.vulnerablecode.io/api/packages/374760?format=api", "purl": "pkg:npm/n8n@2.13.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/374759?format=api", "purl": "pkg:npm/n8n@2.14.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { 
"vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1" } ], "aliases": [ "CVE-2026-33749", "GHSA-qfc3-hm4j-7q77" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f8r2-7ab1-w3d8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80256?format=api", "vulnerability_id": "VCID-fuvy-21q8-fyhh", "summary": "n8n is an open source workflow automation platform. Prior to versions 2.2.0 and 1.123.8, an authenticated user with permission to create or modify workflows could chain the Read/Write Files from Disk node with git operations to achieve remote code execution. By writing to specific configuration files and then triggering a git operation, the attacker could execute arbitrary shell commands on the n8n host. The issue has been fixed in n8n versions 2.2.0 and 1.123.8. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Read/Write Files from Disk node by adding `n8n-nodes-base.readWriteFile` to the `NODES_EXCLUDE` environment variable. 
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27498", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00594", "scoring_system": "epss", "scoring_elements": "0.69759", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27498" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/97365caf253978ba8e46d7bc53fa7ac3b6f67b32", "reference_id": "97365caf253978ba8e46d7bc53fa7ac3b6f67b32", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "9.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:20:10Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/97365caf253978ba8e46d7bc53fa7ac3b6f67b32" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27498", "reference_id": "CVE-2026-27498", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27498" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/e22acaab3dcb2004e5fe0bf9ef2db975bde61866", "reference_id": "e22acaab3dcb2004e5fe0bf9ef2db975bde61866", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "9.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:20:10Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/e22acaab3dcb2004e5fe0bf9ef2db975bde61866" }, { "reference_url": "https://github.com/advisories/GHSA-x2mw-7j39-93xq", "reference_id": "GHSA-x2mw-7j39-93xq", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x2mw-7j39-93xq" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-x2mw-7j39-93xq", "reference_id": "GHSA-x2mw-7j39-93xq", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "9.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:20:10Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-x2mw-7j39-93xq" }, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.8", "reference_id": "n8n@1.123.8", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "9.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:20:10Z/" } ], "url": "https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.8" }, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.2.0", "reference_id": "n8n@2.2.0", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "9.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:20:10Z/" } ], "url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.2.0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39887?format=api", "purl": "pkg:npm/n8n@1.123.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { 
"vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/37601?format=api", "purl": "pkg:npm/n8n@2.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" 
}, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s86a-mpj9-dfhg" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.2.0" } ], "aliases": [ "CVE-2026-27498", "GHSA-x2mw-7j39-93xq" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fuvy-21q8-fyhh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80123?format=api", "vulnerability_id": "VCID-g3sy-n7qb-kqat", "summary": "n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, a second-order expression injection vulnerability existed in n8n's Form nodes that could allow an unauthenticated attacker to inject and evaluate arbitrary n8n expressions by submitting crafted form data. When chained with an expression sandbox escape, this could escalate to remote code execution on the n8n host. The vulnerability requires a specific workflow configuration to be exploitable. First, a form node with a field interpolating a value provided by an unauthenticated user, e.g. a form submitted value. Second, the field value must begin with an `=` character, which caused n8n to treat it as an expression and triggered a double-evaluation of the field content. 
There is no practical reason for a workflow designer to prefix a field with `=` intentionally — the character is not rendered in the output, so the result would not match the designer's expectations. If added accidentally, it would be noticeable and very unlikely to persist. An unauthenticated attacker would need to either know about this specific circumstance on a target instance or discover a matching form by chance. Even when the preconditions are met, the expression injection alone is limited to data accessible within the n8n expression context. Escalation to remote code execution requires chaining with a separate sandbox escape vulnerability. The issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: manually review usage of Form nodes for the preconditions described above, disable the Form node by adding `n8n-nodes-base.form` to the `NODES_EXCLUDE` environment variable, and/or disable the Form Trigger node by adding `n8n-nodes-base.formTrigger` to the `NODES_EXCLUDE` environment variable. 
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27493", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00266", "scoring_system": "epss", "scoring_elements": "0.50406", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27493" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/issues/19", "reference_id": "19", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:27:11Z/" } ], "url": "https://github.com/n8n-io/n8n/issues/19" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/562d867483e871b0f1e31776252e23bd721df75b", "reference_id": "562d867483e871b0f1e31776252e23bd721df75b", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.5", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:27:11Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/562d867483e871b0f1e31776252e23bd721df75b" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27493", "reference_id": "CVE-2026-27493", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27493" }, { "reference_url": "https://github.com/advisories/GHSA-75g8-rv7v-32f7", "reference_id": "GHSA-75g8-rv7v-32f7", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-75g8-rv7v-32f7" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-75g8-rv7v-32f7", "reference_id": "GHSA-75g8-rv7v-32f7", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:27:11Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-75g8-rv7v-32f7" 
}, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22", "reference_id": "n8n@1.123.22", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:27:11Z/" } ], "url": "https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22" }, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1", "reference_id": "n8n@2.10.1", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:27:11Z/" } ], "url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1" }, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3", "reference_id": "n8n@2.9.3", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:27:11Z/" } ], "url": 
"https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39886?format=api", "purl": "pkg:npm/n8n@1.123.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/902621?format=api", "purl": "pkg:npm/n8n@2.0.0-rc.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { 
"vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0-rc.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/39885?format=api", "purl": "pkg:npm/n8n@2.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/39884?format=api", "purl": "pkg:npm/n8n@2.10.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { 
"vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1" } ], "aliases": [ "CVE-2026-27493", "GHSA-75g8-rv7v-32f7" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g3sy-n7qb-kqat" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70447?format=api", "vulnerability_id": "VCID-krxn-r6bc-cffu", "summary": "n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the MCP OAuth client registration endpoint accepted unauthenticated requests and stored client data without adequate resource controls. An unauthenticated remote attacker could exhaust server memory resources by sending large registration payloads, rendering the n8n instance unavailable. The MCP enable/disable toggle gates MCP access but did not restrict client registrations, meaning the endpoint is reachable regardless of whether MCP access is enabled on the instance. 
This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42236", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37306", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42236" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42236", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42236" }, { "reference_url": "https://github.com/advisories/GHSA-49m9-pgww-9vq6", "reference_id": "GHSA-49m9-pgww-9vq6", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-49m9-pgww-9vq6" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-49m9-pgww-9vq6", "reference_id": "GHSA-49m9-pgww-9vq6", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T19:59:10Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-49m9-pgww-9vq6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373286?format=api", "purl": "pkg:npm/n8n@1.123.32", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32" }, { "url": "http://public2.vulnerablecode.io/api/packages/373288?format=api", "purl": "pkg:npm/n8n@2.17.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/373287?format=api", "purl": "pkg:npm/n8n@2.18.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1" } ], "aliases": [ "CVE-2026-42236", "GHSA-49m9-pgww-9vq6" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-krxn-r6bc-cffu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65748?format=api", "vulnerability_id": "VCID-ktyh-c1au-6yc7", "summary": "n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata the vulnerability can lead to files being written to unintended locations on those remote systems potentially leading to remote code execution on those systems. 
As a prerequisite, an unauthenticated attacker needs knowledge of such workflows existing, and the endpoints for file uploads need to be unauthenticated. This issue has been patched in versions 1.123.12 and 2.4.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25055", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00179", "scoring_system": "epss", "scoring_elements": "0.39362", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25055" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/528ad6b982d0519ec170e172f57b7fdbbe175230", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/commit/528ad6b982d0519ec170e172f57b7fdbbe175230" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/e0baf48c6a54808f6dbca8cb352bfa306092c223", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/commit/e0baf48c6a54808f6dbca8cb352bfa306092c223" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25055", "reference_id": "CVE-2026-25055", "reference_type": "", "scores": [ { "value": "7.1", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25055" }, { "reference_url": "https://github.com/advisories/GHSA-m82q-59gv-mcr9", "reference_id": "GHSA-m82q-59gv-mcr9", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m82q-59gv-mcr9" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9", "reference_id": "GHSA-m82q-59gv-mcr9", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:20Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38757?format=api", "purl": "pkg:npm/n8n@1.123.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": 
"VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/38755?format=api", "purl": "pkg:npm/n8n@2.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { 
"vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.4.0" } ], "aliases": [ "CVE-2026-25055", "GHSA-m82q-59gv-mcr9" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ktyh-c1au-6yc7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/102286?format=api", "vulnerability_id": "VCID-kw94-d9qx-3qf9", "summary": "n8n is an open source workflow automation platform. Prior to 1.113.0, a remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository containing a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigger the hook’s execution. 
This allows attackers to execute arbitrary code within the n8n environment, potentially compromising the system and any connected credentials or workflows. This vulnerability is fixed in 1.113.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62726", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0022", "scoring_system": "epss", "scoring_elements": "0.44785", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62726" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/pull/19559", "reference_id": "19559", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-31T18:19:00Z/" } ], "url": "https://github.com/n8n-io/n8n/pull/19559" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/5bf3db5ba84d3195bbe11bbd3c62f7086e090997", "reference_id": "5bf3db5ba84d3195bbe11bbd3c62f7086e090997", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-31T18:19:00Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/5bf3db5ba84d3195bbe11bbd3c62f7086e090997" 
}, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62726", "reference_id": "CVE-2025-62726", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62726" }, { "reference_url": "https://github.com/advisories/GHSA-xgp7-7qjq-vg47", "reference_id": "GHSA-xgp7-7qjq-vg47", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xgp7-7qjq-vg47" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-xgp7-7qjq-vg47", "reference_id": "GHSA-xgp7-7qjq-vg47", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-31T18:19:00Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-xgp7-7qjq-vg47" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34928?format=api", "purl": "pkg:npm/n8n@1.113.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5c7w-mba9-mucn" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": 
"VCID-5mhm-99u3-ruec" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-63n8-hy1m-3ke5" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-b5ba-g4u9-jkgx" }, { "vulnerability": "VCID-c232-fvfd-3fda" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cy8m-aw8f-zkfx" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-d7g4-89n1-y7e7" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-fuvy-21q8-fyhh" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nh3d-mzxr-j7dy" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qkka-4nty-sqh1" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s86a-mpj9-dfhg" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-st8g-2xn4-97b9" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": 
"VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.113.0" } ], "aliases": [ "CVE-2025-62726", "GHSA-xgp7-7qjq-vg47" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kw94-d9qx-3qf9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/127969?format=api", "vulnerability_id": "VCID-nh3d-mzxr-j7dy", "summary": "n8n is an open source workflow automation platform. Prior to version 1.114.0, a stored Cross-Site Scripting (XSS) vulnerability may occur in n8n when using the “Respond to Webhook” node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the top-level window, rather than within the expected sandbox introduced in version 1.103.0. This behavior can enable a malicious actor with workflow creation permissions to execute arbitrary JavaScript in the context of the n8n editor interface. This issue has been patched in version 1.114.0. 
Workarounds for this issue involve restricting workflow creation and modification privileges to trusted users only, avoiding use of untrusted HTML responses in the “Respond to Webhook” node, and using an external reverse proxy or HTML sanitizer to filter responses that include executable scripts.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61914", "reference_id": "", "reference_type": "", "scores": [ { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00703", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61914" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61914", "reference_id": "CVE-2025-61914", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61914" }, { "reference_url": "https://github.com/advisories/GHSA-58jc-rcg5-95f3", "reference_id": "GHSA-58jc-rcg5-95f3", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-58jc-rcg5-95f3" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-58jc-rcg5-95f3", "reference_id": "GHSA-58jc-rcg5-95f3", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": 
"cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-26T21:54:28Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-58jc-rcg5-95f3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36368?format=api", "purl": "pkg:npm/n8n@1.114.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5c7w-mba9-mucn" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5mhm-99u3-ruec" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-63n8-hy1m-3ke5" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-b5ba-g4u9-jkgx" }, { "vulnerability": "VCID-c232-fvfd-3fda" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cy8m-aw8f-zkfx" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-d7g4-89n1-y7e7" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": 
"VCID-fuvy-21q8-fyhh" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qkka-4nty-sqh1" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s86a-mpj9-dfhg" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-st8g-2xn4-97b9" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.114.0" } ], "aliases": [ "CVE-2025-61914", "GHSA-58jc-rcg5-95f3" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nh3d-mzxr-j7dy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70296?format=api", "vulnerability_id": "VCID-nhbw-hcq1-b3em", "summary": "n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API variables endpoint. 
The handler queried the variables repository directly without enforcing project membership checks, bypassing the authorization-aware service layer used by the internal enterprise controller. If variables were misused to store sensitive information such as credentials or tokens, those credentials or tokens should be rotated immediately. This issue only affects licensed enterprise or team deployments with multiple projects and the variables feature enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42227", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11812", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42227" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42227", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42227" }, { "reference_url": "https://github.com/advisories/GHSA-756q-gq9h-fp22", "reference_id": "GHSA-756q-gq9h-fp22", "reference_type": "", 
"scores": [], "url": "https://github.com/advisories/GHSA-756q-gq9h-fp22" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-756q-gq9h-fp22", "reference_id": "GHSA-756q-gq9h-fp22", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:08:26Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-756q-gq9h-fp22" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373286?format=api", "purl": "pkg:npm/n8n@1.123.32", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32" }, { "url": "http://public2.vulnerablecode.io/api/packages/373288?format=api", "purl": "pkg:npm/n8n@2.17.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/373287?format=api", "purl": "pkg:npm/n8n@2.18.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1" } ], "aliases": [ "CVE-2026-42227", "GHSA-756q-gq9h-fp22" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nhbw-hcq1-b3em" }, { 
"url": "http://public2.vulnerablecode.io/api/vulnerabilities/70393?format=api", "vulnerability_id": "VCID-nva1-tjfr-ckb5", "summary": "n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /chat WebSocket endpoint used by the Chat Trigger node's Hosted Chat feature did not verify that an incoming connection was authorized to interact with the target execution. An unauthenticated remote attacker who could identify a valid execution ID for a workflow in a waiting state could attach to that execution, receive the pending prompt intended for the legitimate user, and submit arbitrary input to resume or influence downstream workflow behavior. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42228", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0009", "scoring_system": "epss", "scoring_elements": "0.25477", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42228" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42228", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42228" }, { "reference_url": "https://github.com/advisories/GHSA-f77h-j2v7-g6mw", "reference_id": "GHSA-f77h-j2v7-g6mw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f77h-j2v7-g6mw" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-f77h-j2v7-g6mw", "reference_id": "GHSA-f77h-j2v7-g6mw", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T13:47:46Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-f77h-j2v7-g6mw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373286?format=api", "purl": "pkg:npm/n8n@1.123.32", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32" }, { "url": "http://public2.vulnerablecode.io/api/packages/373288?format=api", "purl": "pkg:npm/n8n@2.17.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/373287?format=api", "purl": "pkg:npm/n8n@2.18.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1" } ], "aliases": [ "CVE-2026-42228", "GHSA-f77h-j2v7-g6mw" ], "risk_score": null, "exploitability": 
null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nva1-tjfr-ckb5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/79889?format=api", "vulnerability_id": "VCID-p2w8-9t9n-7baw", "summary": "n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could exploit a vulnerability in the JavaScript Task Runner sandbox to execute arbitrary code outside the sandbox boundary. On instances using internal Task Runners (default runner mode), this could result in full compromise of the n8n host. On instances using external Task Runners, the attacker might gain access to or impact other tasks executed on the Task Runner. For this issue to be exploitable, Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`. The issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or use external runner mode (`N8N_RUNNERS_MODE=external`) to limit the blast radius. 
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27495", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.27879", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27495" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27495", "reference_id": "CVE-2026-27495", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27495" }, { "reference_url": "https://github.com/advisories/GHSA-jjpj-p2wh-qf23", "reference_id": "GHSA-jjpj-p2wh-qf23", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jjpj-p2wh-qf23" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-jjpj-p2wh-qf23", "reference_id": "GHSA-jjpj-p2wh-qf23", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { 
"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:28:01Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-jjpj-p2wh-qf23" }, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22", "reference_id": "n8n@1.123.22", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:28:01Z/" } ], "url": "https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22" }, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1", "reference_id": "n8n@2.10.1", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:28:01Z/" } ], "url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1" }, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3", "reference_id": "n8n@2.9.3", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:28:01Z/" } ], "url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3" }, { "reference_url": "https://docs.n8n.io/hosting/configuration/task-runners", "reference_id": "task-runners", 
"reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:28:01Z/" } ], "url": "https://docs.n8n.io/hosting/configuration/task-runners" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39886?format=api", "purl": "pkg:npm/n8n@1.123.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/902621?format=api", "purl": "pkg:npm/n8n@2.0.0-rc.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0-rc.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/39885?format=api", "purl": "pkg:npm/n8n@2.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { 
"vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/39884?format=api", "purl": "pkg:npm/n8n@2.10.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1" } ], "aliases": [ "CVE-2026-27495", "GHSA-jjpj-p2wh-qf23" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p2w8-9t9n-7baw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/79999?format=api", "vulnerability_id": "VCID-qrf6-n324-ybbj", "summary": "n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could leverage the Merge node's SQL query mode to execute arbitrary code and write arbitrary files on the n8n server. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. 
Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27497", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00076", "scoring_system": "epss", "scoring_elements": "0.22844", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27497" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27497", "reference_id": "CVE-2026-27497", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27497" }, { "reference_url": "https://github.com/advisories/GHSA-wxx7-mcgf-j869", "reference_id": "GHSA-wxx7-mcgf-j869", "reference_type": "", 
"scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wxx7-mcgf-j869" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-wxx7-mcgf-j869", "reference_id": "GHSA-wxx7-mcgf-j869", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T19:35:17Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-wxx7-mcgf-j869" }, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22", "reference_id": "n8n@1.123.22", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T19:35:17Z/" } ], "url": "https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22" }, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1", "reference_id": "n8n@2.10.1", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T19:35:17Z/" } ], "url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1" }, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3", "reference_id": "n8n@2.9.3", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T19:35:17Z/" } ], "url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39886?format=api", "purl": "pkg:npm/n8n@1.123.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, 
{ "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/902621?format=api", "purl": "pkg:npm/n8n@2.0.0-rc.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0-rc.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/39885?format=api", "purl": "pkg:npm/n8n@2.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { 
"vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/39884?format=api", "purl": "pkg:npm/n8n@2.10.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1" } ], "aliases": [ "CVE-2026-27497", "GHSA-wxx7-mcgf-j869" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qrf6-n324-ybbj" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/360046?format=api", "vulnerability_id": "VCID-r89t-ywcr-kbev", "summary": "n8n has a Stored XSS Vulnerability in its Form Trigger\n## Impact\nAn authenticated user with permission to create or modify workflows could exploit a flaw in the Form Trigger node's CSS sanitization to store a cross-site scripting (XSS) payload. The injected script executes persistently for every visitor of the published form, enabling form submission hijacking and phishing. The existing Content Security Policy prevents direct n8n session cookie theft but does not prevent script execution or form action manipulation.\n\n## Patches\nThe issue has been fixed in n8n versions 2.12.0, 2.11.2, and 1.123.25. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the Form Trigger node by adding `n8n-nodes-base.formTrigger` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-q4fm-pjq6-m63g", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-q4fm-pjq6-m63g" }, { "reference_url": "https://github.com/advisories/GHSA-q4fm-pjq6-m63g", "reference_id": "GHSA-q4fm-pjq6-m63g", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-q4fm-pjq6-m63g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374746?format=api", "purl": "pkg:npm/n8n@1.123.25", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.25" }, { "url": "http://public2.vulnerablecode.io/api/packages/374745?format=api", "purl": "pkg:npm/n8n@2.11.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": 
"VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.11.2" } ], "aliases": [ "GHSA-q4fm-pjq6-m63g" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r89t-ywcr-kbev" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80281?format=api", "vulnerability_id": "VCID-ra9y-br8w-k7au", "summary": "n8n is an open source workflow automation platform. Prior to versions 1.123.22, 2.9.3, and 2.10.1, an authenticated user with permission to create or modify workflows could use the JavaScript Task Runner to allocate uninitialized memory buffers. Uninitialized buffers may contain residual data from the same Node.js process — including data from prior requests, tasks, secrets, or tokens — resulting in information disclosure of sensitive in-process data. Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`. In external runner mode, the impact is limited to data within the external runner process. The issue has been fixed in n8n versions 1.123.22, 2.10.1, and 2.9.3. Users should upgrade to one of these versions or later to remediate the vulnerability. 
If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or use external runner mode (`N8N_RUNNERS_MODE=external`) to isolate the runner process. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27496", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12722", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27496" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27496", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27496" }, { "reference_url": "https://docs.n8n.io/hosting/securing/blocking-nodes", "reference_id": "blocking-nodes", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { 
"value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:08:59Z/" } ], "url": "https://docs.n8n.io/hosting/securing/blocking-nodes" }, { "reference_url": "https://github.com/advisories/GHSA-xvh5-5qg4-x9qp", "reference_id": "GHSA-xvh5-5qg4-x9qp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xvh5-5qg4-x9qp" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-xvh5-5qg4-x9qp", "reference_id": "GHSA-xvh5-5qg4-x9qp", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:08:59Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-xvh5-5qg4-x9qp" }, { "reference_url": "https://docs.n8n.io/hosting/configuration/task-runners", "reference_id": "task-runners", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:08:59Z/" } ], "url": 
"https://docs.n8n.io/hosting/configuration/task-runners" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39886?format=api", "purl": "pkg:npm/n8n@1.123.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/39885?format=api", "purl": "pkg:npm/n8n@2.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { 
"vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/39884?format=api", "purl": "pkg:npm/n8n@2.10.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1" } ], "aliases": [ "CVE-2026-27496", "GHSA-xvh5-5qg4-x9qp" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ra9y-br8w-k7au" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70284?format=api", "vulnerability_id": "VCID-rq3f-24px-ykfk", "summary": "n8n is an open source workflow automation platform. 
Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /mcp-oauth/register endpoint accepted OAuth client registrations without authentication, allowing arbitrary redirect_uri values to be registered. When a user denies the MCP OAuth consent dialog, the handleDeny handler redirects the user to the registered redirect_uri without validation, enabling an open redirect to an attacker-controlled URL. An attacker can craft a phishing link and send it to a victim; if the victim clicks \"Deny\" on the consent page, they are silently redirected to an external site. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42230", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17771", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42230" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42230", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42230" }, { 
"reference_url": "https://github.com/advisories/GHSA-f6x8-65q6-j9m9", "reference_id": "GHSA-f6x8-65q6-j9m9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f6x8-65q6-j9m9" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-f6x8-65q6-j9m9", "reference_id": "GHSA-f6x8-65q6-j9m9", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-04T19:55:49Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-f6x8-65q6-j9m9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373286?format=api", "purl": "pkg:npm/n8n@1.123.32", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32" }, { "url": "http://public2.vulnerablecode.io/api/packages/373288?format=api", "purl": "pkg:npm/n8n@2.17.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/373287?format=api", "purl": "pkg:npm/n8n@2.18.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1" } ], "aliases": [ "CVE-2026-42230", "GHSA-f6x8-65q6-j9m9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rq3f-24px-ykfk" }, { 
"url": "http://public2.vulnerablecode.io/api/vulnerabilities/65944?format=api", "vulnerability_id": "VCID-s86a-mpj9-dfhg", "summary": "n8n is an open source workflow automation platform. Prior to versions 1.118.0 and 2.4.0, a vulnerability in the Merge node's SQL Query mode allowed authenticated users with permission to create or modify workflows to write arbitrary files to the n8n server's filesystem potentially leading to remote code execution. This issue has been patched in versions 1.118.0 and 2.4.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25056", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00225", "scoring_system": "epss", "scoring_elements": "0.45364", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25056" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25056", "reference_id": "CVE-2026-25056", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25056" }, { "reference_url": "https://github.com/advisories/GHSA-hv53-3329-vmrm", "reference_id": "GHSA-hv53-3329-vmrm", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hv53-3329-vmrm" }, { "reference_url": 
"https://github.com/n8n-io/n8n/security/advisories/GHSA-hv53-3329-vmrm", "reference_id": "GHSA-hv53-3329-vmrm", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:17Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-hv53-3329-vmrm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38758?format=api", "purl": "pkg:npm/n8n@1.118.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5c7w-mba9-mucn" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-63n8-hy1m-3ke5" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-b5ba-g4u9-jkgx" }, { "vulnerability": "VCID-c232-fvfd-3fda" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cy8m-aw8f-zkfx" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { 
"vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-d7g4-89n1-y7e7" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-fuvy-21q8-fyhh" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qkka-4nty-sqh1" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.118.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/38755?format=api", "purl": "pkg:npm/n8n@2.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" 
}, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.4.0" } ], "aliases": [ "CVE-2026-25056", "GHSA-hv53-3329-vmrm" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s86a-mpj9-dfhg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212671?format=api", "vulnerability_id": "VCID-s8p4-nts1-2fh2", "summary": "n8n has an SSO Enforcement Bypass in its Self-Service Settings API", "references": [ { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/a70b2ea379086da3de103bb84811e88cadf29976", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/commit/a70b2ea379086da3de103bb84811e88cadf29976" }, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.8.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.8.0" }, { "reference_url": "https://github.com/advisories/GHSA-vjf3-2gpj-233v", "reference_id": "GHSA-vjf3-2gpj-233v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vjf3-2gpj-233v" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-vjf3-2gpj-233v", "reference_id": "GHSA-vjf3-2gpj-233v", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-vjf3-2gpj-233v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39942?format=api", "purl": "pkg:npm/n8n@2.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.8.0" } ], "aliases": [ "GHSA-vjf3-2gpj-233v" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s8p4-nts1-2fh2" 
}, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97986?format=api", "vulnerability_id": "VCID-ssr2-5x7e-9uf7", "summary": "n8n is a workflow automation platform. Versions prior to 1.98.0 have an Open Redirect vulnerability in the login flow. Authenticated users can be redirected to untrusted, attacker-controlled domains after logging in, by crafting malicious URLs with a misleading redirect query parameter. This may lead to phishing attacks by impersonating the n8n UI on lookalike domains (e.g., n8n.local.evil.com), credential or 2FA theft if users are tricked into re-entering sensitive information, and/or reputation risk due to the visual similarity between attacker-controlled domains and trusted ones. The vulnerability affects anyone hosting n8n and exposing the `/signin` endpoint to users. The issue has been patched in version 1.98.0. All users should upgrade to this version or later. The fix introduces strict origin validation for redirect URLs, ensuring only same-origin or relative paths are allowed after login.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49592", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00179", "scoring_system": "epss", "scoring_elements": "0.39294", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49592" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49592", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": 
"MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49592" }, { "reference_url": "https://github.com/n8n-io/n8n/pull/16034", "reference_id": "16034", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-26T19:56:57Z/" } ], "url": "https://github.com/n8n-io/n8n/pull/16034" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/4865d1e360a0fe7b045e295b5e1a29daad12314e", "reference_id": "4865d1e360a0fe7b045e295b5e1a29daad12314e", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-26T19:56:57Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/4865d1e360a0fe7b045e295b5e1a29daad12314e" }, { "reference_url": "https://github.com/advisories/GHSA-5vj6-wjr7-5v9f", "reference_id": "GHSA-5vj6-wjr7-5v9f", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5vj6-wjr7-5v9f" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-5vj6-wjr7-5v9f", "reference_id": "GHSA-5vj6-wjr7-5v9f", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-26T19:56:57Z/" } ], "url": 
"https://github.com/n8n-io/n8n/security/advisories/GHSA-5vj6-wjr7-5v9f" }, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n%401.98.0", "reference_id": "n8n%401.98.0", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-26T19:56:57Z/" } ], "url": "https://github.com/n8n-io/n8n/releases/tag/n8n%401.98.0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/378583?format=api", "purl": "pkg:npm/n8n@1.98.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5c7w-mba9-mucn" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5mhm-99u3-ruec" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-63n8-hy1m-3ke5" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-727u-nmx9-xuf3" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-b5ba-g4u9-jkgx" }, { "vulnerability": "VCID-c232-fvfd-3fda" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cy8m-aw8f-zkfx" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { 
"vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-d7g4-89n1-y7e7" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-et9c-dh4q-3qcy" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-fuvy-21q8-fyhh" }, { "vulnerability": "VCID-fy3d-ykem-3fgr" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-kw94-d9qx-3qf9" }, { "vulnerability": "VCID-nh3d-mzxr-j7dy" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qkka-4nty-sqh1" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s86a-mpj9-dfhg" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-st8g-2xn4-97b9" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-vht4-48cx-c7gu" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" }, { "vulnerability": "VCID-xsuv-1w6k-akeu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.98.0" } ], "aliases": [ "CVE-2025-49592", "GHSA-5vj6-wjr7-5v9f" ], "risk_score": null, "exploitability": null, 
"weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ssr2-5x7e-9uf7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212287?format=api", "vulnerability_id": "VCID-st8g-2xn4-97b9", "summary": "n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host", "references": [ { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/advisories/GHSA-365g-vjw2-grx8", "reference_id": "GHSA-365g-vjw2-grx8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-365g-vjw2-grx8" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-365g-vjw2-grx8", "reference_id": "GHSA-365g-vjw2-grx8", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-365g-vjw2-grx8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/863927?format=api", "purl": "pkg:npm/n8n@1.115.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": 
"VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5c7w-mba9-mucn" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-63n8-hy1m-3ke5" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-b5ba-g4u9-jkgx" }, { "vulnerability": "VCID-c232-fvfd-3fda" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cy8m-aw8f-zkfx" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-d7g4-89n1-y7e7" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-fuvy-21q8-fyhh" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qkka-4nty-sqh1" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s86a-mpj9-dfhg" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": 
"VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.115.0" } ], "aliases": [ "GHSA-365g-vjw2-grx8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-st8g-2xn4-97b9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70188?format=api", "vulnerability_id": "VCID-su1t-s9q1-h7am", "summary": "n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the SeaTable node's row:search and row:get operations allowed user-controlled input to be concatenated directly into SQL query strings without escaping or parameterization. In workflows where external user input is passed via expressions into the SeaTable node's search or row retrieval parameters, an attacker could manipulate the constructed query to retrieve unintended rows from the connected SeaTable base, bypassing row-level filtering logic implemented in the workflow. 
This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42229", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19896", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42229" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42229", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42229" }, { "reference_url": "https://github.com/advisories/GHSA-mp4j-h6gh-f6mp", "reference_id": "GHSA-mp4j-h6gh-f6mp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mp4j-h6gh-f6mp" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-mp4j-h6gh-f6mp", "reference_id": "GHSA-mp4j-h6gh-f6mp", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T15:00:08Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-mp4j-h6gh-f6mp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373286?format=api", "purl": "pkg:npm/n8n@1.123.32", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32" }, { "url": "http://public2.vulnerablecode.io/api/packages/373288?format=api", "purl": "pkg:npm/n8n@2.17.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/373287?format=api", "purl": "pkg:npm/n8n@2.18.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1" } ], "aliases": [ "CVE-2026-42229", "GHSA-mp4j-h6gh-f6mp" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-su1t-s9q1-h7am" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360180?format=api", "vulnerability_id": "VCID-ty34-7aqe-27gv", "summary": "n8n has XSS in Chat Trigger Node through Custom CSS\n## Impact\nAn authenticated user with permission to create or modify workflows could inject malicious JavaScript into the Custom CSS field of the Chat Trigger node. Due to a misconfiguration in the `sanitize-html` library, the sanitization could be bypassed, resulting in stored XSS on the public chat page. 
Any user visiting the chat URL would be affected.\n\n## Patches\nThe issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the Chat Trigger node by adding `@n8n/n8n-nodes-langchain.chatTrigger` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-3c7f-5hgj-h279", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-3c7f-5hgj-h279" }, { "reference_url": "https://github.com/advisories/GHSA-3c7f-5hgj-h279", "reference_id": "GHSA-3c7f-5hgj-h279", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3c7f-5hgj-h279" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/374800?format=api", "purl": "pkg:npm/n8n@1.123.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.27" }, { "url": "http://public2.vulnerablecode.io/api/packages/374760?format=api", "purl": "pkg:npm/n8n@2.13.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/374759?format=api", "purl": "pkg:npm/n8n@2.14.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1" } ], "aliases": [ "GHSA-3c7f-5hgj-h279" ], "risk_score": null, "exploitability": 
null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ty34-7aqe-27gv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/79873?format=api", "vulnerability_id": "VCID-ubn7-w3vz-hqgb", "summary": "n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could use the Python Code node to escape the sandbox. The sandbox did not sufficiently restrict access to certain built-in Python objects, allowing an attacker to exfiltrate file contents or achieve RCE. On instances using internal Task Runners (default runner mode), this could result in full compromise of the n8n host. On instances using external Task Runners, the attacker might gain access to or impact other tasks executed on the Task Runner. Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`. The issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Code node by adding `n8n-nodes-base.code` to the `NODES_EXCLUDE` environment variable. 
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27494", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0009", "scoring_system": "epss", "scoring_elements": "0.25578", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27494" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27494", "reference_id": "CVE-2026-27494", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27494" }, { "reference_url": "https://github.com/advisories/GHSA-mmgg-m5j7-f83h", "reference_id": "GHSA-mmgg-m5j7-f83h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mmgg-m5j7-f83h" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-mmgg-m5j7-f83h", "reference_id": "GHSA-mmgg-m5j7-f83h", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T20:28:47Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-mmgg-m5j7-f83h" }, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22", "reference_id": "n8n@1.123.22", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T20:28:47Z/" } ], "url": "https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22" }, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1", "reference_id": "n8n@2.10.1", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T20:28:47Z/" } ], "url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1" }, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3", "reference_id": 
"n8n@2.9.3", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T20:28:47Z/" } ], "url": "https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39886?format=api", "purl": "pkg:npm/n8n@1.123.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], 
"resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/902621?format=api", "purl": "pkg:npm/n8n@2.0.0-rc.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0-rc.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/39885?format=api", "purl": "pkg:npm/n8n@2.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { 
"vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/39884?format=api", "purl": "pkg:npm/n8n@2.10.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1" } ], "aliases": [ "CVE-2026-27494", "GHSA-mmgg-m5j7-f83h" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ubn7-w3vz-hqgb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78017?format=api", "vulnerability_id": "VCID-umut-3bp5-y3eq", "summary": "n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.26, an authenticated user with permission to create or modify workflows could exploit a SQL injection vulnerability in the Data Table Get node. On default SQLite DB, single statements can be manipulated and the attack surface is practically limited. 
On PostgreSQL deployments, multi-statement execution is possible, enabling data modification and deletion. The issue has been fixed in n8n versions 1.123.26, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the Data Table node by adding `n8n-nodes-base.dataTable` to the `NODES_EXCLUDE` environment variable, and/or review existing workflows for Data Table Get nodes where `orderByColumn` is set to an expression that incorporates external or user-supplied input. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33713", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06746", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33713" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33713", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33713" }, { "reference_url": "https://github.com/advisories/GHSA-98c2-4cr3-4jc3", "reference_id": "GHSA-98c2-4cr3-4jc3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-98c2-4cr3-4jc3" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-98c2-4cr3-4jc3", "reference_id": "GHSA-98c2-4cr3-4jc3", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T17:58:32Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-98c2-4cr3-4jc3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374757?format=api", "purl": "pkg:npm/n8n@1.123.26", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": 
"VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.26" }, { "url": "http://public2.vulnerablecode.io/api/packages/374760?format=api", "purl": "pkg:npm/n8n@2.13.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/374759?format=api", "purl": "pkg:npm/n8n@2.14.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-su1t-s9q1-h7am" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1" } ], "aliases": [ "CVE-2026-33713", "GHSA-98c2-4cr3-4jc3" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-umut-3bp5-y3eq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70587?format=api", "vulnerability_id": "VCID-v4ft-nvxq-cyhy", "summary": "n8n is an open source workflow automation platform. 
Prior to versions 1.123.33 and 2.17.5, the dynamic-node-parameters endpoints did not verify whether the authenticated caller was authorized to use a supplied credential reference. An authenticated user with access to a shared workflow could supply a foreign credential ID in the request body, causing the backend to decrypt and use that credential in a helper execution path where the caller also controls the destination URL. This allowed the caller to force the backend to authenticate against attacker-controlled infrastructure using a credential belonging to another user, effectively exfiltrating a reusable API key. The issue is not limited to any single node type; any node that resolves credentials dynamically through these endpoints may be affected. This issue has been patched in versions 1.123.33, 2.17.5, and 2.18.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42226", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20183", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42226" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:L/SI:L/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42226", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:L/SI:L/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42226" }, { "reference_url": "https://github.com/advisories/GHSA-r4v6-9fqc-w5jr", "reference_id": "GHSA-r4v6-9fqc-w5jr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-r4v6-9fqc-w5jr" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-r4v6-9fqc-w5jr", "reference_id": "GHSA-r4v6-9fqc-w5jr", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:L/SI:L/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-04T19:41:42Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-r4v6-9fqc-w5jr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373721?format=api", "purl": "pkg:npm/n8n@1.123.33", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/373720?format=api", "purl": "pkg:npm/n8n@2.17.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.5" } ], "aliases": [ "CVE-2026-42226", "GHSA-r4v6-9fqc-w5jr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v4ft-nvxq-cyhy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74537?format=api", "vulnerability_id": "VCID-v6z9-pvhr-k7d2", 
"summary": "n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stripe webhook signing secret when registering the webhook endpoint, but incoming webhook requests were not verified against this secret. As a result, any HTTP client that knows the webhook URL could send a POST request containing a matching event type, causing the workflow to execute as if a legitimate Stripe event had been received. This issue affects n8n users who have active workflows using the Stripe Trigger node. An attacker could potentially fake payment or subscription events and influence downstream workflow behavior. The practical risk is reduced by the fact that the webhook URL contains a high-entropy UUID; however, authenticated n8n users with access to the workflow can view this webhook ID. This issue has been patched in version 2.2.2. 
A temporary workaround for this issue involves users deactivating affected workflows or restricting access to workflows containing Stripe Trigger nodes to trusted users only.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-21894", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.0662", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-21894" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/pull/22764", "reference_id": "22764", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:42:25Z/" } ], "url": "https://github.com/n8n-io/n8n/pull/22764" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/a61a5991093c41863506888336e808ac1eff8d59", "reference_id": "a61a5991093c41863506888336e808ac1eff8d59", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:42:25Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/a61a5991093c41863506888336e808ac1eff8d59" }, { 
"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21894", "reference_id": "CVE-2026-21894", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21894" }, { "reference_url": "https://github.com/advisories/GHSA-jf52-3f2h-h9j5", "reference_id": "GHSA-jf52-3f2h-h9j5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jf52-3f2h-h9j5" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-jf52-3f2h-h9j5", "reference_id": "GHSA-jf52-3f2h-h9j5", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:42:25Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-jf52-3f2h-h9j5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36597?format=api", "purl": "pkg:npm/n8n@2.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": 
"VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s86a-mpj9-dfhg" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.2.2" } ], "aliases": [ "CVE-2026-21894", "GHSA-jf52-3f2h-h9j5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v6z9-pvhr-k7d2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/105067?format=api", "vulnerability_id": "VCID-vht4-48cx-c7gu", "summary": "n8n is a workflow automation platform. Prior to version 1.99.1, an authorization vulnerability was discovered in the /rest/executions/:id/stop endpoint of n8n. 
An authenticated user can stop workflow executions that they do not own or that have not been shared with them, leading to potential business disruption. This issue has been patched in version 1.99.1. A workaround involves restricting access to the /rest/executions/:id/stop endpoint via reverse proxy or API gateway.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-52554", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00327", "scoring_system": "epss", "scoring_elements": "0.56059", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-52554" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52554", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52554" }, { "reference_url": "https://github.com/n8n-io/n8n/pull/16405", "reference_id": "16405", "reference_type": 
"", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T20:18:06Z/" } ], "url": "https://github.com/n8n-io/n8n/pull/16405" }, { "reference_url": "https://github.com/dudanogueira/n8n/commit/ca2f90c7fbaa1d661ade2f45d587d9469bc287e1", "reference_id": "ca2f90c7fbaa1d661ade2f45d587d9469bc287e1", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T20:18:06Z/" } ], "url": "https://github.com/dudanogueira/n8n/commit/ca2f90c7fbaa1d661ade2f45d587d9469bc287e1" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/e5edc60e344924230baafb11fa1f0af788e9ca9a", "reference_id": "e5edc60e344924230baafb11fa1f0af788e9ca9a", "reference_type": "", "scores": [ { "value": 
"4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T20:18:06Z/" } ], "url": "https://github.com/n8n-io/n8n/commit/e5edc60e344924230baafb11fa1f0af788e9ca9a" }, { "reference_url": "https://github.com/advisories/GHSA-gq57-v332-7666", "reference_id": "GHSA-gq57-v332-7666", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gq57-v332-7666" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-gq57-v332-7666", "reference_id": "GHSA-gq57-v332-7666", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T20:18:06Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-gq57-v332-7666" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/378426?format=api", "purl": "pkg:npm/n8n@1.99.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5c7w-mba9-mucn" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5mhm-99u3-ruec" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-63n8-hy1m-3ke5" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-b5ba-g4u9-jkgx" }, { "vulnerability": "VCID-c232-fvfd-3fda" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cy8m-aw8f-zkfx" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-d7g4-89n1-y7e7" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-et9c-dh4q-3qcy" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-fuvy-21q8-fyhh" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-kw94-d9qx-3qf9" }, { "vulnerability": "VCID-nh3d-mzxr-j7dy" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" 
}, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qkka-4nty-sqh1" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s86a-mpj9-dfhg" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-st8g-2xn4-97b9" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" }, { "vulnerability": "VCID-xsuv-1w6k-akeu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.99.1" } ], "aliases": [ "CVE-2025-52554", "GHSA-gq57-v332-7666" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vht4-48cx-c7gu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65839?format=api", "vulnerability_id": "VCID-wbd6-q158-8khm", "summary": "n8n is an open source workflow automation platform. Prior to version 2.4.8, a vulnerability in the Python Code node allows authenticated users to break out of the Python sandbox environment and execute code outside the intended security boundary. 
This issue has been patched in version 2.4.8.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25115", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00075", "scoring_system": "epss", "scoring_elements": "0.2267", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25115" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/8607d372f78c388bb3691d9d5b52af7259ec7b1f", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/commit/8607d372f78c388bb3691d9d5b52af7259ec7b1f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25115", "reference_id": "CVE-2026-25115", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25115" }, { 
"reference_url": "https://github.com/advisories/GHSA-8398-gmmx-564h", "reference_id": "GHSA-8398-gmmx-564h", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8398-gmmx-564h" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-8398-gmmx-564h", "reference_id": "GHSA-8398-gmmx-564h", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:16Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-8398-gmmx-564h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38759?format=api", "purl": "pkg:npm/n8n@2.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": 
"VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.4.8" } ], "aliases": [ "CVE-2026-25115", "GHSA-8398-gmmx-564h" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wbd6-q158-8khm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212665?format=api", "vulnerability_id": "VCID-wg96-fujy-33db", "summary": "n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes", "references": [ { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/f73fae6fe7fc34907bba102648a9997186aa4385", "reference_id": "", "reference_type": "", "scores": [ { "value": 
"8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/commit/f73fae6fe7fc34907bba102648a9997186aa4385" }, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n%402.4.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/releases/tag/n8n%402.4.0" }, { "reference_url": "https://github.com/advisories/GHSA-f3f2-mcxc-pwjx", "reference_id": "GHSA-f3f2-mcxc-pwjx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f3f2-mcxc-pwjx" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-f3f2-mcxc-pwjx", "reference_id": "GHSA-f3f2-mcxc-pwjx", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-f3f2-mcxc-pwjx" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/38755?format=api", "purl": "pkg:npm/n8n@2.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.4.0" } ], "aliases": [ "GHSA-f3f2-mcxc-pwjx" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-wg96-fujy-33db" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70648?format=api", "vulnerability_id": "VCID-wte4-73wa-53fx", "summary": "n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This issue only affects instances where the Python Task Runner is enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42234", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00095", "scoring_system": "epss", "scoring_elements": "0.26427", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42234" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42234", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42234" }, { 
"reference_url": "https://github.com/advisories/GHSA-44v6-jhgm-p3m4", "reference_id": "GHSA-44v6-jhgm-p3m4", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-44v6-jhgm-p3m4" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-44v6-jhgm-p3m4", "reference_id": "GHSA-44v6-jhgm-p3m4", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T03:56:38Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-44v6-jhgm-p3m4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373286?format=api", "purl": "pkg:npm/n8n@1.123.32", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32" }, { "url": "http://public2.vulnerablecode.io/api/packages/373288?format=api", "purl": "pkg:npm/n8n@2.17.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/373287?format=api", "purl": "pkg:npm/n8n@2.18.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1" } ], "aliases": [ "CVE-2026-42234", "GHSA-44v6-jhgm-p3m4" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wte4-73wa-53fx" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/70634?format=api", "vulnerability_id": "VCID-x1jy-nk1c-6uak", "summary": "n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the xml2js library used to parse XML request bodies in n8n's webhook handler allowed prototype pollution via a crafted XML payload. An authenticated user with permission to create or modify workflows could exploit this to pollute the JavaScript object prototype and, by chaining the pollution with the Git node's SSH operations, achieve remote code execution on the n8n host. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42231", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00471", "scoring_system": "epss", "scoring_elements": "0.65062", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42231" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42231", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2026-42231" }, { "reference_url": "https://github.com/advisories/GHSA-q5f4-99jv-pgg5", "reference_id": "GHSA-q5f4-99jv-pgg5", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-q5f4-99jv-pgg5" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-q5f4-99jv-pgg5", "reference_id": "GHSA-q5f4-99jv-pgg5", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-04T20:17:57Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-q5f4-99jv-pgg5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373286?format=api", "purl": "pkg:npm/n8n@1.123.32", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32" }, { "url": "http://public2.vulnerablecode.io/api/packages/373288?format=api", "purl": "pkg:npm/n8n@2.17.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v4ft-nvxq-cyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/373287?format=api", "purl": "pkg:npm/n8n@2.18.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1" } ], "aliases": [ 
"CVE-2026-42231", "GHSA-q5f4-99jv-pgg5" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x1jy-nk1c-6uak" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97058?format=api", "vulnerability_id": "VCID-x83e-tmz3-rqd8", "summary": "n8n is a workflow automation platform. Prior to version 1.90.0, n8n is vulnerable to stored cross-site scripting (XSS) through the attachments view endpoint. n8n workflows can store and serve binary files, which are accessible to authenticated users. However, there is no restriction on the MIME type of uploaded files, and the MIME type could be controlled via a GET parameter. This allows the server to respond with any MIME type, potentially enabling malicious content to be interpreted and executed by the browser. An authenticated attacker with member-level permissions could exploit this by uploading a crafted HTML file containing malicious JavaScript. When another user visits the binary data endpoint with the MIME type set to text/html, the script executes in the context of the user’s session. This script could send a request to change the user’s email address in their account settings, effectively enabling account takeover. 
This issue has been patched in version 1.90.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46343", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0031", "scoring_system": "epss", "scoring_elements": "0.54525", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46343" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46343", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46343" }, { "reference_url": "https://github.com/n8n-io/n8n/pull/14350", "reference_id": "14350", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T13:34:53Z/" } ], "url": "https://github.com/n8n-io/n8n/pull/14350" }, { "reference_url": "https://github.com/n8n-io/n8n/pull/14685", "reference_id": "14685", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N" }, { 
"value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T13:34:53Z/" } ], "url": "https://github.com/n8n-io/n8n/pull/14685" }, { "reference_url": "https://github.com/advisories/GHSA-c8hm-hr8h-5xjw", "reference_id": "GHSA-c8hm-hr8h-5xjw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-c8hm-hr8h-5xjw" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-c8hm-hr8h-5xjw", "reference_id": "GHSA-c8hm-hr8h-5xjw", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T13:34:53Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-c8hm-hr8h-5xjw" }, { "reference_url": "https://github.com/n8n-io/n8n/releases/tag/n8n%401.90.0", "reference_id": "n8n%401.90.0", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T13:34:53Z/" } ], "url": "https://github.com/n8n-io/n8n/releases/tag/n8n%401.90.0" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/376319?format=api", "purl": "pkg:npm/n8n@1.90.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5c7w-mba9-mucn" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5mhm-99u3-ruec" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-63n8-hy1m-3ke5" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-727u-nmx9-xuf3" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-b5ba-g4u9-jkgx" }, { "vulnerability": "VCID-c232-fvfd-3fda" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cy8m-aw8f-zkfx" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-d7g4-89n1-y7e7" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-et9c-dh4q-3qcy" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-fuvy-21q8-fyhh" }, { "vulnerability": "VCID-fy3d-ykem-3fgr" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-kw94-d9qx-3qf9" 
}, { "vulnerability": "VCID-nh3d-mzxr-j7dy" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qkka-4nty-sqh1" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s86a-mpj9-dfhg" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-ssr2-5x7e-9uf7" }, { "vulnerability": "VCID-st8g-2xn4-97b9" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-vht4-48cx-c7gu" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" }, { "vulnerability": "VCID-xnnq-fzcn-7fbg" }, { "vulnerability": "VCID-xsuv-1w6k-akeu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.90.0" } ], "aliases": [ "CVE-2025-46343", "GHSA-c8hm-hr8h-5xjw" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x83e-tmz3-rqd8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212666?format=api", "vulnerability_id": "VCID-xf7g-p8s2-rqbj", "summary": "n8n: Webhook Forgery on Github Webhook Trigger", "references": [ { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/a19347a6bc9a96d5065ac77d25a811e46178c578", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/commit/a19347a6bc9a96d5065ac77d25a811e46178c578" }, { "reference_url": "https://github.com/n8n-io/n8n/commit/afe322325502f448b33bff1db1575e4447c28a36", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/commit/afe322325502f448b33bff1db1575e4447c28a36" }, { "reference_url": "https://github.com/advisories/GHSA-mqpr-49jj-32rc", "reference_id": "GHSA-mqpr-49jj-32rc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mqpr-49jj-32rc" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-mqpr-49jj-32rc", "reference_id": "GHSA-mqpr-49jj-32rc", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", 
"scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-mqpr-49jj-32rc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39918?format=api", "purl": "pkg:npm/n8n@1.123.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": 
"VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/38208?format=api", "purl": "pkg:npm/n8n@2.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" } ], 
"resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.5.0" } ], "aliases": [ "GHSA-mqpr-49jj-32rc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xf7g-p8s2-rqbj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78081?format=api", "vulnerability_id": "VCID-xnnq-fzcn-7fbg", "summary": "n8n is an open source workflow automation platform. Prior to versions 2.4.0 and 1.121.0, when LDAP authentication is enabled, n8n automatically linked an LDAP identity to an existing local account if the LDAP email attribute matched the local account's email. An authenticated LDAP user who could control their own LDAP email attribute could set it to match another user's email — including an administrator's — and upon login gain full access to that account. The account linkage persisted even if the LDAP email was later reverted, resulting in a permanent account takeover. LDAP authentication must be configured and active (non-default). The issue has been fixed in n8n versions 2.4.0 and 1.121.0. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Disable LDAP authentication until the instance can be upgraded, restrict LDAP directory permissions so that users cannot modify their own email attributes, and/or audit existing LDAP-linked accounts for unexpected account associations. 
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33665", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09122", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33665" }, { "reference_url": "https://github.com/n8n-io/n8n", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/n8n-io/n8n" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33665", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33665" }, { "reference_url": "https://github.com/advisories/GHSA-c545-x2rh-82fc", "reference_id": "GHSA-c545-x2rh-82fc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-c545-x2rh-82fc" }, { "reference_url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-c545-x2rh-82fc", "reference_id": "GHSA-c545-x2rh-82fc", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "8.8", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-27T14:55:43Z/" } ], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-c545-x2rh-82fc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36331?format=api", "purl": "pkg:npm/n8n@1.121.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-39dw-4b5k-1bae" }, { "vulnerability": "VCID-3p4c-nkcn-hkey" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-4crt-c14t-53dq" }, { "vulnerability": "VCID-5c7w-mba9-mucn" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-5pjr-smm2-pyav" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-b5ba-g4u9-jkgx" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cy8m-aw8f-zkfx" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { "vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-e1c6-5sck-8bas" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-fuvy-21q8-fyhh" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-h9zv-wu1v-83ft" }, { "vulnerability": 
"VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-ktyh-c1au-6yc7" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-v4ft-nvxq-cyhy" }, { "vulnerability": "VCID-v6z9-pvhr-k7d2" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-wg96-fujy-33db" }, { "vulnerability": "VCID-wte4-73wa-53fx" }, { "vulnerability": "VCID-x1jy-nk1c-6uak" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.121.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/38755?format=api", "purl": "pkg:npm/n8n@2.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-17dc-5ubt-g3e1" }, { "vulnerability": "VCID-18zg-q45k-d3f3" }, { "vulnerability": "VCID-1rt1-y3w9-skc7" }, { "vulnerability": "VCID-2kxv-vwc7-3ubf" }, { "vulnerability": "VCID-456j-q8xt-57e3" }, { "vulnerability": "VCID-5fsf-m3s8-pfg2" }, { "vulnerability": "VCID-6pzv-3t6r-akeq" }, { "vulnerability": "VCID-6xm5-7kq2-xqdm" }, { "vulnerability": "VCID-78yr-xz2p-rkff" }, { "vulnerability": "VCID-95f5-4xkw-yuae" }, { "vulnerability": "VCID-9bcs-wgnz-m3e8" }, { "vulnerability": "VCID-c4s3-zx71-c7h3" }, { "vulnerability": "VCID-camv-m2tf-qkac" }, { "vulnerability": "VCID-cxss-9g41-gfb7" }, { "vulnerability": "VCID-cyxm-4jde-myc1" }, { "vulnerability": "VCID-d1rq-nmws-w3fy" }, { "vulnerability": "VCID-d5bn-f87r-vka1" }, { "vulnerability": "VCID-d5s2-xbfd-ukg7" }, { "vulnerability": "VCID-d763-b5fk-g3dm" }, { 
"vulnerability": "VCID-dm6y-ymh9-u3cm" }, { "vulnerability": "VCID-f8r2-7ab1-w3d8" }, { "vulnerability": "VCID-g3sy-n7qb-kqat" }, { "vulnerability": "VCID-krxn-r6bc-cffu" }, { "vulnerability": "VCID-nhbw-hcq1-b3em" }, { "vulnerability": "VCID-nva1-tjfr-ckb5" }, { "vulnerability": "VCID-p2w8-9t9n-7baw" }, { "vulnerability": "VCID-qrf6-n324-ybbj" }, { "vulnerability": "VCID-r89t-ywcr-kbev" }, { "vulnerability": "VCID-ra9y-br8w-k7au" }, { "vulnerability": "VCID-rq3f-24px-ykfk" }, { "vulnerability": "VCID-s8p4-nts1-2fh2" }, { "vulnerability": "VCID-su1t-s9q1-h7am" }, { "vulnerability": "VCID-ty34-7aqe-27gv" }, { "vulnerability": "VCID-ubn7-w3vz-hqgb" }, { "vulnerability": "VCID-umut-3bp5-y3eq" }, { "vulnerability": "VCID-wbd6-q158-8khm" }, { "vulnerability": "VCID-xf7g-p8s2-rqbj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.4.0" } ], "aliases": [ "CVE-2026-33665", "GHSA-c545-x2rh-82fc" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xnnq-fzcn-7fbg" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.0.4" }