Automation tool n8n: Updates patch code injection flaws

In the automation tool n8n, eleven security vulnerabilities have been discovered. Three of these are considered critical risks. Admins should update quickly.


IT researchers have discovered eleven vulnerabilities in the AI-powered process automation tool n8n. Attackers can use these to inject and execute malicious code, among other things. Updated versions close the security gaps. Admins should update quickly.

Of the three vulnerabilities classified as critical, the first stems from the fact that logged-in users with permission to create or modify workflows can use the SQL query mode to execute arbitrary code on the n8n server or write arbitrary files to it (CVE-2026-27497, CVSS4 9.4, risk “critical”). Similarly, such users can abuse manipulated expressions in workflow parameters to run system commands on the n8n host; this is an escape from the expression sandbox and can lead to remote code execution (CVE-2026-27577, CVSS4 9.4, risk “critical”). In the JavaScript task runner, users can likewise break out of the sandbox and execute arbitrary code outside it; in the default configuration, this can lead to complete compromise of the n8n host (CVE-2026-27495, CVSS4 9.4, risk “critical”).

Versions 2.10.1, 2.9.3, and 1.123.22 of n8n, as well as newer releases, patch the security holes. They are available, among other places, via the release announcements in the n8n GitHub repository. Users running n8n as a Docker container can perform the update through their Docker management tooling.

The new n8n versions also close further security vulnerabilities:

  • Stored XSS via various nodes (CVE-2026-27578, CVSS4 8.5, risk “high”)
  • Unauthenticated expression evaluation via the Form node (CVE-2026-27493, CVSS4 9.5 according to NIST; classified only as “high” because of exploitability)
  • Authentication bypass in the Chat Trigger node (no CVE, CVSS4 6.3, risk “medium”)
  • n8n Guardrail node bypass (no CVE, CVSS4 6.3, risk “medium”)
  • Webhook forgery in the GitHub Webhook Trigger (no CVE, CVSS4 6.3, risk “medium”)
  • Webhook forgery in the Zendesk Trigger (no CVE, CVSS4 6.3, risk “medium”)
  • SSO enforcement bypass (no CVE, CVSS4 6.0, risk “medium”)
  • SQL injection in the MySQL, PostgreSQL, and Microsoft SQL nodes (no CVE, CVSS4 5.3, risk “medium”)


In early February, the n8n project had already closed a set of security vulnerabilities, some of them critical: six in all, four of which were rated high risk.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.