Automation tool n8n: Further critical vulnerabilities patched

In the automation tool n8n, developers have patched further security vulnerabilities. An update to the latest version is recommended.


On Thursday night, ten new vulnerability entries were published for the open-source workflow automation tool n8n. Six of them are classified as critical; the remaining four are rated high.

However, some of the vulnerabilities also affect considerably older versions of n8n – so anyone who installed the software some time ago and has not kept up with updates should now update to the current version. A detailed examination of each vulnerability would go beyond the scope of this report, but a list of the new CVE entries, sorted by severity, gives an overview:

  • Command injection vulnerability in n8n from 0.187.0 up to before 1.123.10, CVE-2026-21893, CVSS4 9.4, Risk “critical”
  • Python sandbox escape in n8n before 2.4.8, CVE-2026-25115, CVSS4 9.4, Risk “critical”
  • Arbitrary file write in n8n before 1.118.0 and 2.4.0, CVE-2026-25056, CVSS4 9.4, Risk “critical”
  • Execution of system commands or reading arbitrary files in n8n before 1.123.10 and 2.5.0, CVE-2026-25053, CVSS4 9.4, Risk “critical”
  • Insufficient file access controls allow manipulation of workflows in n8n before 1.123.18 and 2.5.0, CVE-2026-25052, CVSS4 9.4, Risk “critical”
  • Execution of system commands on host in n8n before 1.123.17 and 2.5.2, CVE-2026-25049, CVSS4 9.4, Risk “critical”
  • Cross-Site Scripting vulnerability in n8n before 1.123.9 and 2.2.1, CVE-2026-25054, CVSS4 8.5, Risk “high”
  • Cross-Site Scripting vulnerability in n8n before 1.123.2, CVE-2026-25051, CVSS4 8.5, Risk “high”
  • Information leak on memory allocation in n8n 1.65.0 to before 1.114.3, CVE-2025-61917, CVSS4 7.7, Risk “high”
  • Code injection from the network when processing uploaded files in n8n before 1.123.12 and 2.4.0, CVE-2026-25055, CVSS4 7.1, Risk “high”

At the time of reporting, n8n 2.7.1 is the current version, but the other release branches have also received fresh updates, and anyone running the software should update to them. The project releases updates very frequently: the bug-fix release n8n 2.4.8, for example, appeared last Thursday, as did n8n 1.123.18.
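Working out whether a given installation is hit by any of the entries above means comparing its version against up to two fix versions per CVE, one per release branch. The following Node.js script does that check; it is an added example written for this report, not code from the n8n project. The ranges are transcribed from the list above. Two readings are assumptions, not statements from the article: a fix version is taken to apply to its own major release branch (so "before 1.123.10 and 2.5.0" becomes one range for 1.x and one for 2.x), and an entry that names a fix on only one branch is reported as "not covered" for the other branch rather than as safe. The file name in the usage line is hypothetical.

```javascript
'use strict';
// Added example for this report, not n8n project code: check an installed n8n
// version against the affected ranges transcribed from the CVE list above.
// Assumptions (not stated in the article): a fix version applies to its own
// major release branch, so "before 1.123.10 and 2.5.0" becomes one range per
// branch; an entry that names a fix on only one branch makes no statement
// about the other branch, which is reported as "not covered", not as safe;
// 0.x and 1.x releases are treated as one branch.

function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new Error(`not a version string: ${s}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of major.minor.patch, so that 1.123.10 > 1.123.9.
function cmp(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

function branchOf(v) {
  const major = parseVersion(v)[0];
  return major <= 1 ? '1' : String(major);
}

// Each range covers versions from `from` (inclusive) up to `fixed` (exclusive).
const ADVISORIES = [
  { cve: 'CVE-2026-21893', cvss: 9.4, title: 'Command injection',
    ranges: [{ from: '0.187.0', fixed: '1.123.10' }] },
  { cve: 'CVE-2026-25115', cvss: 9.4, title: 'Python sandbox escape',
    ranges: [{ from: '2.0.0', fixed: '2.4.8' }] },
  { cve: 'CVE-2026-25056', cvss: 9.4, title: 'Arbitrary file write',
    ranges: [{ from: '0.0.0', fixed: '1.118.0' }, { from: '2.0.0', fixed: '2.4.0' }] },
  { cve: 'CVE-2026-25053', cvss: 9.4, title: 'Command execution / arbitrary file read',
    ranges: [{ from: '0.0.0', fixed: '1.123.10' }, { from: '2.0.0', fixed: '2.5.0' }] },
  { cve: 'CVE-2026-25052', cvss: 9.4, title: 'Insufficient file access controls',
    ranges: [{ from: '0.0.0', fixed: '1.123.18' }, { from: '2.0.0', fixed: '2.5.0' }] },
  { cve: 'CVE-2026-25049', cvss: 9.4, title: 'Command execution on host',
    ranges: [{ from: '0.0.0', fixed: '1.123.17' }, { from: '2.0.0', fixed: '2.5.2' }] },
  { cve: 'CVE-2026-25054', cvss: 8.5, title: 'Cross-site scripting',
    ranges: [{ from: '0.0.0', fixed: '1.123.9' }, { from: '2.0.0', fixed: '2.2.1' }] },
  { cve: 'CVE-2026-25051', cvss: 8.5, title: 'Cross-site scripting',
    ranges: [{ from: '0.0.0', fixed: '1.123.2' }] },
  { cve: 'CVE-2025-61917', cvss: 7.7, title: 'Information leak',
    ranges: [{ from: '1.65.0', fixed: '1.114.3' }] },
  { cve: 'CVE-2026-25055', cvss: 7.1, title: 'Code injection via uploaded files',
    ranges: [{ from: '0.0.0', fixed: '1.123.12' }, { from: '2.0.0', fixed: '2.4.0' }] },
];

// One of 'affected', 'unaffected' or 'not covered' for a single advisory.
function statusFor(version, adv) {
  const r = adv.ranges.find(x => branchOf(x.fixed) === branchOf(version));
  if (!r) return 'not covered';
  if (cmp(version, r.from) < 0 || cmp(version, r.fixed) >= 0) return 'unaffected';
  return 'affected';
}

function report(version) {
  const byStatus = s => ADVISORIES.filter(a => statusFor(version, a) === s);
  const affected = byStatus('affected');
  return {
    version,
    affected: affected.map(a => a.cve),
    maxCvss: affected.reduce((m, a) => Math.max(m, a.cvss), 0),
    notCovered: byStatus('not covered').map(a => a.cve),
  };
}

// Usage (file name hypothetical): node check-n8n-version.js "$(n8n --version)"
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(report(process.argv[2] || '1.120.0'), null, 2));
}
```

The "not covered" bucket is the part worth reading: for a 2.x installation it lists the three entries that name no 2.x fix version, and for a 1.x installation the Python sandbox escape. Those are the cases where the CVE list alone does not settle the question and the upstream advisory has to be consulted; a checker that silently treated them as safe would hide exactly the ambiguity the list carries.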


Critical security vulnerabilities in n8n had already become known in early January; proof-of-concept exploits were publicly available for those, too.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.