n8n Support & Health

GHSA-2p9h-rqjw-gm92 CVSS_V3

n8n Vulnerable to Stored XSS via Various Nodes

Published: 2026-02-25 Fixed in: 1.123.22

GHSA-2xcx-75h9-vr9h CVSS_V4

n8n's domain allowlist bypass enables credential exfiltration

Published: 2026-02-04 Fixed in: 1.121.0

GHSA-364x-8g5j-x2pr CVSS_V3

n8n has XSS in its Credential Management Flow

Published: 2026-03-27 Fixed in: 2.8.0

GHSA-365g-vjw2-grx8 CVSS_V3

n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host

Published: 2025-10-09 No fix available

GHSA-38c7-23hj-2wgq CVSS_V3

n8n has Webhook Forgery on Zendesk Trigger Node

Published: 2026-02-26 Fixed in: 1.123.18

GHSA-3c7f-5hgj-h279 CVSS_V3

n8n has XSS in Chat Trigger Node through Custom CSS

Published: 2026-03-27 Fixed in: 1.123.27

GHSA-43v7-fp2v-68f6 CVSS_V3

n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no

Published: 2026-03-25 Fixed in: 2.5.0

GHSA-44v6-jhgm-p3m4 CVSS_V3

n8n has a Python Task Runner Sandbox Escape Vulnerability

Published: 2026-04-29 Fixed in: 1.123.32

GHSA-49m9-pgww-9vq6 CVSS_V3

n8n Vulnerable to Unauthenticated Denial of Service via MCP Client Registration

Published: 2026-04-29 Fixed in: 1.123.32

GHSA-49mx-fj45-q3p6 CVSS_V3

n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner

Published: 2026-02-04 Fixed in: 1.114.3

n8n