N8n Patches Critical Remote Code Execution Vulnerability (CVE-2026-33660)

A critical remote code execution (RCE) vulnerability, tracked as CVE-2026-33660, has been identified in n8n, an open-source workflow automation platform. Assigned a CVSS score of 9.4, this flaw allows authenticated attackers with workflow modification permissions to execute arbitrary commands on the host system. Exploitation occurs via the Merge node's Combine by SQL mode, where insufficient sandboxing in the AlaSQL library permits local file access and system compromise. Over 615,000 potentially vulnerable instances were identified publicly. Immediate mitigation requires upgrading to patched versions 2.14.1, 2.13.3, or 1.123.27. Temporary workarounds include restricting workflow editing permissions to trusted users only or disabling the Merge node via environment variables. However, these workarounds are not complete solutions. Organizations utilizing n8n should prioritize patching to prevent unauthorized access and potential data exfiltration or system takeover associated with this high-severity vulnerability.

N8n is vulnerable to a critical remote code execution flaw. Tracked as CVE-2026-33660, the vulnerability has a CVSS score of 9.4. Successful exploitation of this vulnerability may allow an authenticated attacker to execute arbitrary commands on the target system. n8n is a powerful, open-source workflow automation tool that enables users to visually design and automate complex processes by connecting various apps, APIs, and services. It functions as a digital hub, transferring data and triggering … Continue reading "N8n Patches Critical Remote Code Execution Vulnerability (CVE-2026-33660)"

A critical remote code execution (RCE) vulnerability, tracked as CVE-2026-33660, has been identified in n8n, an open-source workflow automation platform. Assigned a CVSS score of 9.4, this flaw allows authenticated attackers with workflow modification permissions to execute arbitrary commands on the host system. Exploitation occurs via the Merge node's Combine by SQL mode, where insufficient sandboxing in the AlaSQL library permits local file access and system compromise. Over 615,000 potentially vulnerable instances were identified publicly. Immediate mitigation requires upgrading to patched versions 2.14.1, 2.13.3, or 1.123.27. Temporary workarounds include restricting workflow editing permissions to trusted users only or disabling the Merge node via environment variables. However, these workarounds are not complete solutions. Organizations utilizing n8n should prioritize patching to prevent unauthorized access and potential data exfiltration or system takeover associated with this high-severity vulnerability. N8n is vulnerable to a critical remote code execution flaw. Tracked as CVE-2026-33660, the vulnerability has a CVSS score of 9.4. Successful exploitation of this vulnerability may allow an authenticated attacker to execute arbitrary commands on the target system. n8n is a powerful, open-source workflow automation tool that enables users to visually design and automate complex processes by connecting various apps, APIs, and services. It functions as a digital hub, transferring data and triggering … Continue reading "N8n Patches Critical Remote Code Execution Vulnerability (CVE-2026-33660)" N8n is vulnerable to a critical remote code execution flaw. Tracked as CVE-2026-33660, the vulnerability has a CVSS score of 9.4. Successful exploitation of this vulnerability may allow an authenticated attacker to execute arbitrary commands on the target system. n8n is a powerful, open-source workflow automation tool that enables users to visually design and automate complex processes by connecting various apps, APIs, and services. It functions as a digital hub, transferring data and triggering actions between tools without manual intervention, while offering deep customization through code (JavaScript/Python). Vulnerability Details An attacker must have the permission to create or modify workflows to exploit the vulnerability. An authenticated attacker could exploit the Merge node’s “Combine by SQL” mode to read local files on the n8n host, resulting in remote code execution. The AlaSQL sandbox did not sufficiently restrict certain SQL statements, allowing an attacker to access sensitive files on the server or even compromise the instance. A quick search revealed more than 615,000 publicly available targets on Fofa at the time of writing. Affected versions The vulnerability affects the following versions: N8n versions before 2.14.1 N8n versions before 2.13.3 N8n versions before 1.123.27 Mitigation Users must upgrade to the following N8n versions to patch the vulnerability: 2.14.1 2.13.3 1.123.27 For more information, please refer to the GitHub Security Advisory . Workarounds Administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only. Disable the Merge node by adding n8n-nodes-base.merge to the NODES_EXCLUDE environment variable. These workarounds do not fully mitigate the risk and should be used only as short-term mitigation measures. Qualys Detection Qualys customers can scan their devices with QID 733901 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities. References https://github.com/n8n-io/n8n/security/advisories/GHSA-58qr-rcgv-642v