If you discover a (suspected) security vulnerability, please report it through our Vulnerability Disclosure Program.
Security: n8n-io/n8n
- Arbitrary File Write leading to RCE in n8n Merge Node (GHSA-hv53-3329-vmrm), published Feb 4, 2026 by csuermann. Severity: Critical
- Arbitrary File Write on Remote Systems via SSH Node (GHSA-m82q-59gv-mcr9), published Feb 4, 2026 by csuermann. Severity: High
- Stored Cross-Site Scripting via Markdown Rendering in Workflow UI (GHSA-qpq4-pw7f-pp8w), published Feb 4, 2026 by csuermann. Severity: High
- Expression Escape Vulnerability Leading to RCE (GHSA-6cqr-8cfr-67f8), published Feb 4, 2026 by csuermann. Severity: Critical
- Command Injection in Community Package Installation (GHSA-7c4h-vh2m-743m), published Feb 4, 2026 by csuermann. Severity: Low
- OS Command Injection in Git Node (GHSA-9g95-qf3f-ggrw), published Feb 4, 2026 by csuermann. Severity: Critical
- Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks (GHSA-jf52-3f2h-h9j5), published Jan 7, 2026 by csuermann. Severity: Moderate
- IP Whitelist Bypass via Partial String Matching (GHSA-w96v-gf22-crwp), published Jan 13, 2026 by csuermann. Severity: Moderate
- Legacy Code node enables file read/write in self-hosted n8n (GHSA-j4p8-h8mh-rh8q), published Dec 24, 2025 by csuermann. Severity: High
- Arbitrary Command Execution in Pyodide based Python Code Node (GHSA-62r4-hw23-cc8v), published Dec 24, 2025 by csuermann. Severity: Critical
Learn more about advisories related to n8n-io/n8n in the GitHub Advisory Database