80 Total advisories
80 Vulnerabilities
0 Malware

Vulnerabilities

Severity | Ecosystem | Advisory | Title
CRITICAL 9.1 | npm | GHSA-3875-8gcx-7v46 | n8n: Credential exfiltration via Allowed HTTP Request Domains Bypass
MEDIUM 6.4 | npm | GHSA-2vx9-7wpg-88jq | n8n: Legacy ExecuteWorkflow Node Bypassed File Path Restrictions
UNKNOWN | npm | CVE-2026-44791 | n8n Has an XML Node Prototype Pollution Patch Bypass
UNKNOWN | npm | CVE-2026-44789 | n8n: HTTP Request Node Pagination Prototype Pollution to RCE
UNKNOWN | npm | CVE-2026-44792 | n8n Has a Source Control Pull SQL Injection
UNKNOWN | npm | CVE-2026-45732 | n8n Has a Cross-user Authorization Bypass in Dynamic Credential OAuth Endpoints
UNKNOWN | npm | CVE-2026-44790 | n8n Has an Arbitrary File Read via Git Node
HIGH 8.5 | npm | CVE-2026-42226 | n8n's Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay
HIGH 7.5 | npm | CVE-2026-42234 | n8n has a Python Task Runner Sandbox Escape Vulnerability
MEDIUM 6.8 | npm | CVE-2026-42229 | n8n has SQL Injection in SeaTable Node
HIGH 7.5 | npm | CVE-2026-42236 | n8n Vulnerable to Unauthenticated Denial of Service via MCP Client Registration
CRITICAL 10.0 | npm | CVE-2026-42231 | n8n has Prototype Pollution in XML Webhook Body Parser that Leads to RCE
CRITICAL 9.9 | npm | CVE-2026-42232 | n8n has XML Node Prototype Pollution that Leads to RCE
HIGH 8.2 | npm | CVE-2026-42237 | n8n has SQL Injection in Snowflake and MySQL Nodes
CRITICAL 9.8 | npm | CVE-2026-42233 | n8n has SQL Injection in Oracle Database Node via Limit Field
HIGH 7.7 | npm | CVE-2026-42227 | n8n has Public API Variables IDOR that Allows Cross-Project Secret Disclosure
MEDIUM 4.7 | npm | CVE-2026-42230 | n8n has Open Redirect in MCP OAuth Consent Flow
MEDIUM 5.4 | npm | CVE-2026-42228 | n8n Vulnerable to Hijacking of Unauthenticated Chat Execution
HIGH 8.2 | npm | CVE-2026-42235 | n8n Vulnerable to XSS via MCP OAuth client
CRITICAL 9.9 | npm | CVE-2026-33660 | n8n has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode
MEDIUM 5.4 | npm | GHSA-3c7f-5hgj-h279 | n8n has XSS in Chat Trigger Node through Custom CSS
MEDIUM 6.5 | npm | CVE-2026-27496 | n8n has In-Process Memory Disclosure in its Task Runner
MEDIUM 4.1 | npm | GHSA-w673-8fjw-457c | n8n: Authenticated XSS and Open Redirect via Form Node
MEDIUM 5.4 | npm | GHSA-364x-8g5j-x2pr | n8n has XSS in its Credential Management Flow
MEDIUM 5.4 | npm | GHSA-q4fm-pjq6-m63g | n8n has a Stored XSS Vulnerability in its Form Trigger
MEDIUM 4.8 | npm | CVE-2026-33751 | n8n Vulnerable to LDAP Filter Injection in LDAP Node
HIGH 8.9 | npm | CVE-2026-33749 | n8n Vulnerable to XSS via Binary Data Inline HTML Rendering
CRITICAL 9.9 | npm | CVE-2026-33696 | n8n: Prototype Pollution in XML and GSuiteAdmin node parameters lead to RCE
CRITICAL 9.9 | npm | CVE-2026-33713 | n8n has SQL Injection in Data Table Node via orderByColumn Expression
MEDIUM 6.3 | npm | CVE-2026-33722 | n8n Has External Secrets Authorization Bypass in Credential Saving
MEDIUM 5.4 | npm | CVE-2026-33724 | n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no
MEDIUM 4.7 | npm | CVE-2026-33720 | n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK
HIGH 8.2 | npm | CVE-2026-33665 | n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover
CRITICAL 9.9 | npm | CVE-2026-33663 | n8n is Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition
CRITICAL 9.9 | npm | CVE-2026-25115 | n8n has a Python sandbox escape
CRITICAL 9.9 | npm (KEV) | CVE-2025-68613 | n8n Vulnerable to Remote Code Execution via Expression Injection
CRITICAL 9.9 | npm | CVE-2026-27577 | n8n: Expression Sandbox Escape Leads to RCE
CRITICAL 9.9 | npm | CVE-2026-27494 | n8n has Arbitrary File Read via Python Code Node Sandbox Escape
HIGH 8.5 | npm | CVE-2026-27498 | n8n has Arbitrary Command Execution via File Write and Git Operations
MEDIUM 5.4 | npm | CVE-2026-27578 | n8n Vulnerable to Stored XSS via Various Nodes
UNKNOWN | npm | CVE-2026-27495 | n8n has a Sandbox Escape in its JavaScript Task Runner
CRITICAL 9.9 | npm | CVE-2026-27497 | n8n has Potential Remote Code Execution via Merge Node
CRITICAL 9.0 | npm | CVE-2026-27493 | n8n has Unauthenticated Expression Evaluation via Form Node
MEDIUM 4.0 | npm | GHSA-38c7-23hj-2wgq | n8n has Webhook Forgery on Zendesk Trigger Node
MEDIUM 6.3 | npm | GHSA-vjf3-2gpj-233v | n8n has an SSO Enforcement Bypass in its Self-Service Settings API
MEDIUM 4.8 | npm | GHSA-jh8h-6c9q-7gmw | n8n has an Authentication Bypass in its Chat Trigger Node
LOW 3.7 | npm | GHSA-fvfv-ppw4-7h2w | n8n has a Guardrail Node Bypass
MEDIUM 4.0 | npm | GHSA-mqpr-49jj-32rc | n8n: Webhook Forgery on Github Webhook Trigger
HIGH 8.2 | npm | GHSA-f3f2-mcxc-pwjx | n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes
UNKNOWN | npm | CVE-2026-25631 | n8n's domain allowlist bypass enables credential exfiltration
UNKNOWN | npm | CVE-2026-25052 | n8n's Improper File Access Controls Allow Arbitrary File Read by Authenticated Users
UNKNOWN | npm | CVE-2026-25053 | n8n has OS Command Injection in Git Node
UNKNOWN | npm | CVE-2026-25056 | n8n Merge Node has Arbitrary File Write leading to RCE
UNKNOWN | npm | CVE-2026-25054 | n8n Has Stored Cross-site Scripting via Markdown Rendering in Workflow UI
UNKNOWN | npm | CVE-2026-25055 | n8n Vulnerable to Arbitrary File Write on Remote Systems via SSH Node
HIGH 7.7 | npm | CVE-2025-61917 | n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner
UNKNOWN | npm | CVE-2026-25051 | n8n's Improper CSP Enforcement in Webhook Responses May Allow Stored XSS
UNKNOWN | npm | CVE-2026-25049 | n8n Has Expression Escape Vulnerability Leading to RCE
UNKNOWN | npm | CVE-2026-21893 | n8n Vulnerable to Command Injection in Community Package Installation
CRITICAL 9.9 | npm | CVE-2026-21877 | n8n Vulnerable to RCE via Arbitrary File Write
MEDIUM 6.5 | npm | CVE-2026-21894 | n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks
CRITICAL 9.9 | npm | CVE-2025-68668 | n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node
CRITICAL 9.9 | npm | CVE-2026-1470 | n8n Unsafe Workflow Expression Evaluation Allows Remote Code Execution
CRITICAL 10.0 | npm | CVE-2026-21858 | n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling
MEDIUM 5.3 | npm | CVE-2025-68949 | n8n: Webhook Node IP Whitelist Bypass via Partial String Matching
HIGH 7.1 | npm | CVE-2025-68697 | Self-hosted n8n has Legacy Code node that enables arbitrary file read/write
HIGH 7.3 | npm | CVE-2025-61914 | n8n's Possible Stored XSS in "Respond to Webhook" Node May Execute Outside iframe Sandbox
UNKNOWN | npm | CVE-2025-65964 | n8n vulnerable to Remote Code Execution via Git Node Custom Pre-Commit Hook
HIGH 8.8 | npm | CVE-2025-62726 | n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook
HIGH 8.8 | npm | GHSA-365g-vjw2-grx8 | n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host
MEDIUM 4.1 | npm | CVE-2025-58177 | Stored XSS in n8n LangChain Chat Trigger Node via initialMessages Parameter
MEDIUM 6.5 | npm | CVE-2025-57749 | n8n symlink traversal vulnerability in "Read/Write File" node allows access to restricted files
HIGH 8.7 | npm | CVE-2025-52478 | Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source
MEDIUM 4.3 | npm | CVE-2025-52554 | n8n is vulnerable to Improper Authorization through its `/stop` endpoint
MEDIUM 4.9 | npm | CVE-2025-49595 | n8n Vulnerable to Denial of Service via Malformed Binary Data Requests
MEDIUM 4.6 | npm | CVE-2025-49592 | n8n allows open redirects via the /signin endpoint
MEDIUM 5.0 | npm | CVE-2025-46343 | n8n Vulnerable to Stored XSS through Attachments View Endpoint
HIGH 7.5 | npm | CVE-2023-27564 | n8n Information Disclosure vulnerability
HIGH 8.8 | npm | CVE-2023-27563 | n8n Privilege Escalation vulnerability
MEDIUM 6.5 | npm | CVE-2023-27562 | n8n Directory Traversal vulnerability
