If you discover a (suspected) security vulnerability, please report it through our Vulnerability Disclosure Program.
Security: n8n-io/n8n
SECURITY.md
- RCE via SQL Mode of Merge Node (GHSA-58qr-rcgv-642v), published Mar 25, 2026 by Jubke. Severity: Critical
- Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition (GHSA-m63j-689w-3j35), published Mar 25, 2026 by Jubke. Severity: High
- XSS via Binary Data Inline HTML Rendering (GHSA-qfc3-hm4j-7q77), published Mar 25, 2026 by Jubke. Severity: Moderate
- Prototype Pollution in GSuiteAdmin node parameters leads to RCE (GHSA-mxrg-77hm-89hv), published Mar 25, 2026 by Jubke. Severity: Critical
- Stored XSS in Form Trigger (GHSA-q4fm-pjq6-m63g), published Mar 25, 2026 by Jubke. Severity: Moderate
- XSS in Chat Trigger Node via Custom CSS (GHSA-3c7f-5hgj-h279), published Mar 25, 2026 by Jubke. Severity: Moderate
- SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes (GHSA-f3f2-mcxc-pwjx), published Feb 25, 2026 by Jubke. Severity: Moderate
- Remote Code Execution via Merge Node (GHSA-wxx7-mcgf-j869), published Feb 25, 2026 by Jubke. Severity: Critical
- Expression Sandbox Escape Leading to RCE (GHSA-vpcf-gvg4-6qwr), published Feb 25, 2026 by Jubke. Severity: Critical
- Stored XSS via Various Nodes (GHSA-2p9h-rqjw-gm92), published Feb 25, 2026 by Jubke. Severity: High
Learn more about advisories related to n8n-io/n8n in the GitHub Advisory Database