If you discover a (suspected) security vulnerability, please report it through our Vulnerability Disclosure Program.
Security: n8n-io/n8n
Security
SECURITY.md
-
SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodesGHSA-f3f2-mcxc-pwjx published
Feb 25, 2026 by JubkeModerate -
Remote Code Execution via Merge NodeGHSA-wxx7-mcgf-j869 published
Feb 25, 2026 by JubkeCritical -
Expression Sandbox Escape Leading to RCEGHSA-vpcf-gvg4-6qwr published
Feb 25, 2026 by JubkeCritical -
Stored XSS via Various NodesGHSA-2p9h-rqjw-gm92 published
Feb 25, 2026 by JubkeHigh -
Authentication Bypass in Chat Trigger NodeGHSA-jh8h-6c9q-7gmw published
Feb 25, 2026 by JubkeModerate -
Unauthenticated Expression Evaluation via Form NodeGHSA-75g8-rv7v-32f7 published
Feb 25, 2026 by JubkeHigh -
SSO Enforcement BypassGHSA-vjf3-2gpj-233v published
Feb 25, 2026 by JubkeModerate -
Sandbox Escape in JavaScript Task RunnerGHSA-jjpj-p2wh-qf23 published
Feb 25, 2026 by JubkeCritical -
n8n Guardrail Node BypassGHSA-fvfv-ppw4-7h2w published
Feb 25, 2026 by JubkeModerate -
Webhook Forgery on Zendesk TriggerGHSA-38c7-23hj-2wgq published
Feb 25, 2026 by JubkeModerate
Learn more about advisories related to n8n-io/n8n in the GitHub Advisory Database