Security researchers have disclosed two critical vulnerabilities in n8n, the popular fair-code workflow automation platform used by technical teams to bridge the gap between low-code speed and full-code flexibility. Both flaws carry a CVSS score of 9.4, representing a severe risk of Remote Code Execution (RCE) that could allow attackers to compromise the underlying host server.
These vulnerabilities highlight a significant risk for organizations that rely on n8n to handle sensitive data and mission-critical automations.
The first critical flaw, tracked as CVE-2026-33660, involves the Merge node, a core component used to combine data from different sources. When set to its “Combine by SQL” mode, the node utilizes the AlaSQL library.
Researchers found that the AlaSQL sandbox failed to sufficiently restrict certain SQL statements. An authenticated user with permission to create or modify workflows can exploit this to:
- Read local files directly from the n8n host server.
- Achieve full RCE, potentially leading to a total instance takeover.
The second vulnerability is a classic but high-impact Prototype Pollution flaw located within the GSuiteAdmin node parameters. By supplying a specially crafted parameter during node configuration, an attacker can write unauthorized values onto Object.prototype, the prototype shared by every plain object in the process.
In a Node.js environment like n8n, manipulating the global object prototype is a direct path to:
- Executing arbitrary code on the server.
- Bypassing security controls by injecting attacker-controlled properties into the application’s logic.
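To make the mechanism concrete for code reviewers, the following is an added example (not code from the advisory or from n8n) in JavaScript. It shows the generic "deep merge of untrusted JSON" pattern that lets a key named __proto__ reach Object.prototype, a hardened merge that refuses prototype-reaching keys, and a small check that reports stray enumerable keys on Object.prototype. The payload is constructed for illustration; the function names are hypothetical.

```javascript
// Added example (not from the advisory or from n8n): how a recursive
// deep merge of untrusted input pollutes Object.prototype, how a
// hardened merge blocks it, and how to detect that it has happened.

const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable pattern: walks every own key of `source`, including "__proto__".
// Reading target["__proto__"] on a plain object yields Object.prototype, so
// the recursion writes the nested keys onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: skip the three keys that can reach a prototype, only
// recurse into properties the target itself owns, and never treat an
// inherited value as a merge destination.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      const owns = Object.prototype.hasOwnProperty.call(target, key);
      if (!owns || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Detection: built-in members of Object.prototype are non-enumerable, so any
// key returned here was added at runtime and deserves investigation.
function pollutedKeys() {
  return Object.keys(Object.prototype);
}

// Constructed "node parameter" document, as it would look after JSON.parse.
// JSON.parse creates "__proto__" as an ordinary own property, which is
// exactly what the unsafe merge then dereferences.
const CRAFTED = JSON.parse('{"name":"x","__proto__":{"polluted":"yes"}}');

// Runs both merges against the same input and reports what each did.
function demo() {
  const before = pollutedKeys();
  safeMerge({}, CRAFTED);
  const afterSafe = pollutedKeys();
  unsafeMerge({}, CRAFTED);
  const afterUnsafe = pollutedKeys();
  const leaked = ({}).polluted;        // visible on an unrelated object
  delete Object.prototype.polluted;    // restore the process for the caller
  return { before, afterSafe, afterUnsafe, leaked };
}
```

The practical takeaway is the detection function: a startup or health-check assertion that Object.keys(Object.prototype) is empty catches pollution from any code path, not only the one shown here.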
The n8n development team has released patches for both vulnerabilities across multiple release branches. Administrators are urged to update their instances to one of the following versions immediately:
- 2.14.1
- 2.13.3
- 1.123.27
If an immediate upgrade is not possible, the following short-term measures can reduce, but not eliminate, the risk:
- Restrict Permissions: Limit workflow creation and editing rights exclusively to fully trusted users.
- Disable Vulnerable Nodes: Use the NODES_EXCLUDE environment variable to disable the affected nodes:
  - Add n8n-nodes-base.merge to block the SQL exploit.
  - Add n8n-nodes-base.xml as a mitigation for related risks.
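As an added example (not from the advisory or from n8n), the following JavaScript builds a NODES_EXCLUDE value for the two nodes named above and checks an existing value for gaps. It assumes the format n8n's documentation gives for this variable, a JSON array of node type names encoded as a string (for example '["n8n-nodes-base.merge"]'); a bare node name without the array brackets is a common mistake that silently excludes nothing, so the checker treats anything that is not a valid JSON array of strings as "nothing excluded". The function names are hypothetical.

```javascript
// Added example (not from the advisory or from n8n): build and verify a
// NODES_EXCLUDE value. Assumes the JSON-array-string format documented for
// this variable; node type names are the two from the mitigation list.

const NODES_TO_EXCLUDE = ["n8n-nodes-base.merge", "n8n-nodes-base.xml"];

// Value to place in the environment, docker-compose file or service unit.
function buildNodesExclude(nodes = NODES_TO_EXCLUDE) {
  return JSON.stringify(nodes);
}

// Parse an existing NODES_EXCLUDE value. Returns null when it is unset,
// not valid JSON, or not an array of strings: the cases where the variable
// is present but excludes nothing, which an operator must catch.
function parseNodesExclude(raw) {
  if (typeof raw !== "string" || raw.trim() === "") return null;
  try {
    const parsed = JSON.parse(raw);
    const ok = Array.isArray(parsed) && parsed.every((n) => typeof n === "string");
    return ok ? parsed : null;
  } catch {
    return null;
  }
}

// Which of the required nodes are still enabled under the given value.
function missingExclusions(raw, required = NODES_TO_EXCLUDE) {
  const excluded = parseNodesExclude(raw);
  if (excluded === null) return [...required];
  return required.filter((n) => !excluded.includes(n));
}

// Stand-alone use: node check-nodes-exclude.js (reads the live environment).
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const missing = missingExclusions(process.env.NODES_EXCLUDE);
  if (missing.length === 0) {
    console.log("NODES_EXCLUDE covers the affected nodes");
  } else {
    console.log("Still enabled:", missing.join(", "));
    console.log("Suggested value:", buildNodesExclude());
    process.exitCode = 1;
  }
}
```

Run it in the same environment as the n8n process (or with the variable set from the same source), since a value that is correct in a compose file but not actually exported to the container is the failure mode this check exists to surface.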