
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN122
_____________________________________________________________________

DATE                : 05/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running n8n (npm) versions prior to 2.5.2
                     or 1.123.17.

=====================================================================
https://github.com/n8n-io/n8n/security/advisories/GHSA-9g95-qf3f-ggrw
https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8
https://github.com/n8n-io/n8n/security/advisories/GHSA-hv53-3329-vmrm
https://github.com/n8n-io/n8n/security/advisories/GHSA-8398-gmmx-564h
https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9
https://github.com/n8n-io/n8n/security/advisories/GHSA-qpq4-pw7f-pp8w
https://github.com/n8n-io/n8n/security/advisories/GHSA-7c4h-vh2m-743m
_____________________________________________________________________


OS Command Injection in Git Node
Critical
csuermann published GHSA-9g95-qf3f-ggrw Feb 4, 2026

Package
n8n (npm)

Affected versions
< 1.123.10, < 2.5.0

Patched versions
2.5.0, 1.123.10


Description

Impact

Vulnerabilities in the Git node allowed authenticated users with 
permission to create or modify workflows to execute arbitrary system 
commands or read arbitrary files on the n8n host.


Patches

The issue has been fixed in n8n versions 2.5.0 and 1.123.10. Users 
should upgrade to these versions or later to remediate the vulnerability.


Workarounds

If upgrading is not immediately possible, administrators should 
consider the following temporary mitigations:

    Limit workflow creation and editing permissions to fully trusted users only.
    Restrict or disable access to the Git node if not essential for operations.
    Deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation.

These workarounds do not fully remediate the risk and should only be 
used as short-term mitigation measures.


References

    n8n Documentation — Blocking nodes — how to globally disable specific nodes

n8n has adopted CVSS 4.0 as the primary score for all security advisories. 
CVSS 3.1 vector strings are provided for backward compatibility.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H


Severity
Critical
9.4 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required Low
User interaction None
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability High
Subsequent System Impact Metrics
Confidentiality High
Integrity High
Availability High
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVE ID
CVE-2026-25053

Weaknesses
No CWEs

Credits

    @fatihhcelik fatihhcelik Reporter
    @simonkoeck simonkoeck Reporter
    @yadhukrishnam yadhukrishnam Reporter

_____________________________________________________________________


Expression Escape Vulnerability Leading to RCE
Critical
csuermann published GHSA-6cqr-8cfr-67f8 Feb 4, 2026

Package
n8n (npm)

Affected versions
<1.123.17, <2.5.2

Patched versions
1.123.17, 2.5.2


Description

Impact

Additional exploits in the expression evaluation of n8n have been 
identified and patched following CVE-2025-68613.

An authenticated user with permission to create or modify workflows 
could abuse crafted expressions in workflow parameters to trigger 
unintended system command execution on the host running n8n.


Patches

The issue has been fixed in n8n versions 1.123.17 and 2.5.2. Users 
should upgrade to these versions or later to remediate the 
vulnerability.


Workarounds

If upgrading is not immediately possible, administrators should 
consider the following temporary mitigations:

    Limit workflow creation and editing permissions to fully trusted users only.
    Deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation.

These workarounds do not fully remediate the risk and should only be 
used as short-term mitigation measures.


References

    Best practices for securing n8n
    Initial vulnerability advisory: CVE-2025-68613

n8n has adopted CVSS 4.0 as the primary score for all security advisories. 
CVSS 3.1 vector strings are provided for backward compatibility.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H


Severity
Critical
9.4 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required Low
User interaction None
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability High
Subsequent System Impact Metrics
Confidentiality High
Integrity High
Availability High
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVE ID
CVE-2026-25049

Weaknesses
No CWEs

Credits

    @fatihhcelik fatihhcelik Reporter
    @eilonc-pillar eilonc-pillar Reporter
    @cristianstaicu cristianstaicu Reporter
    @sandeepl337 sandeepl337 Reporter
    @nickcopi nickcopi Reporter
    @joshft joshft Reporter
    @yadhukrishnam yadhukrishnam Reporter
    @doyler doyler Reporter
    @zolbooo zolbooo Reporter
    @nnfrog nnfrog Reporter


_____________________________________________________________________


Arbitrary File Write leading to RCE in n8n Merge Node
Critical
csuermann published GHSA-hv53-3329-vmrm Feb 4, 2026

Package
n8n (npm)

Affected versions
< 1.118.0, > 2.0.0 < 2.4.0

Patched versions
2.4.0, 1.118.0


Description

Impact

A vulnerability in the Merge node's SQL Query mode allowed 
authenticated users with permission to create or modify workflows to 
write arbitrary files to the n8n server's filesystem potentially 
leading to remote code execution.


Patches

The issue has been fixed in n8n versions 2.4.0 and 1.118.0. Users should 
upgrade to these versions or later to remediate the vulnerability.


Workarounds

If upgrading is not immediately possible, administrators should 
consider the following temporary mitigations:

    Limit workflow creation and editing permissions to fully trusted users only.
    Disable or restrict use of the Merge node if not essential for operations.
    Review workflows for suspicious use of the Merge node's SQL Query mode.

These workarounds do not fully remediate the risk and should only be 
used as short-term mitigation measures.


References

    n8n Documentation — Blocking nodes — how to globally disable specific nodes

n8n has adopted CVSS 4.0 as the primary score for all security advisories. 
CVSS 3.1 vector strings are provided for backward compatibility.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H


Severity
Critical
9.4 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required Low
User interaction None
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability High
Subsequent System Impact Metrics
Confidentiality High
Integrity High
Availability High
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVE ID
CVE-2026-25056

Weaknesses
Weakness CWE-434
Weakness CWE-693

Credits

    @nlgbao1340 nlgbao1340 Reporter

_____________________________________________________________________


Python sandbox escape
Critical
csuermann published GHSA-8398-gmmx-564h Feb 4, 2026

Package
n8n (npm)

Affected versions
< 2.4.8

Patched versions
2.4.8


Description

Impact

A vulnerability in the Python Code node allows authenticated users to 
break out of the Python sandbox environment and execute code outside 
the intended security boundary.

Only authenticated users are able to execute code through Task Runners.

This issue affected any deployment in which all of the following 
conditions were met:

    Task Runners were enabled with N8N_RUNNERS_ENABLED=true (default: false)
    Python was enabled with N8N_PYTHON_ENABLED=true
    The Code node was enabled (default: true)

If N8N_RUNNERS_MODE is set to external (default: internal), the sandbox 
escape is limited to the sidecar container, with a lower risk of lateral 
movement. In that case a lower, High severity is more appropriate.


Patches

This vulnerability is fixed in version 2.4.8 and later.


Workarounds

If an immediate upgrade cannot be applied, the following hardening 
steps are recommended:

    Disable the Code node by adding n8n-nodes-base.code to the NODES_EXCLUDE environment variable.
    Prefer external mode for isolation: run Task Runners in external mode so that untrusted task code executes in a separate sidecar container rather than within the main n8n process. This configuration significantly reduces the risk of in-process memory disclosure caused by unsafe buffer allocations. In external mode, a launcher manages Task Runner processes in a dedicated sidecar environment, separate from the primary n8n instance. See the [n8n documentation](https://docs.n8n.io/hosting/configuration/task-runners/) for configuration details and required environment variables.


References

    n8n Documentation — Task Runners — external mode, setup guide, and environment configuration details
    n8n Documentation — Blocking nodes — how to globally disable specific nodes

n8n has adopted CVSS 4.0 as the primary score for all security advisories. 
CVSS 3.1 vector strings are provided for backward compatibility.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H


Severity
Critical
9.4 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required Low
User interaction None
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability High
Subsequent System Impact Metrics
Confidentiality High
Integrity High
Availability High
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVE ID
CVE-2026-25115

Weaknesses
Weakness CWE-693

Credits

    @MarcoPoloPie MarcoPoloPie Reporter
    @c0rydoras c0rydoras Reporter


_____________________________________________________________________

Arbitrary File Write on Remote Systems via SSH Node
High
csuermann published GHSA-m82q-59gv-mcr9 Feb 4, 2026

Package
n8n (npm)

Affected versions
<2.2.3

Patched versions
2.4.0, 1.123.12


Description

Impact

When workflows process uploaded files and transfer them to remote 
servers via the SSH node without validating their metadata, the 
vulnerability can lead to files being written to unintended locations 
on those remote systems, potentially leading to remote code execution 
on those systems.

As prerequisites, an unauthenticated attacker needs to know that such 
workflows exist, and the file-upload endpoints must be unauthenticated.


Patches

The issue has been fixed in n8n versions 2.4.0 and 1.123.12. Users 
should upgrade to these versions or later to remediate the vulnerability.


Workarounds

If upgrading is not immediately possible, administrators should 
consider the following temporary mitigations:

    Disable or restrict access to workflows that accept file uploads via webhooks and transfer them via SSH.
    Enable webhook authentication on all endpoints that handle file uploads.
    Review usage of SSH credentials and consider rotating SSH credentials if in doubt.

These workarounds do not fully remediate the risk and should only be 
used as short-term mitigation measures.


References

    n8n Documentation — Blocking nodes — how to globally disable specific nodes

n8n has adopted CVSS 4.0 as the primary score for all security advisories. 
CVSS 3.1 vector strings are provided for backward compatibility.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H


Severity
High
7.1 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability None
Subsequent System Impact Metrics
Confidentiality High
Integrity High
Availability High
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

CVE ID
CVE-2026-25055

Weaknesses
Weakness CWE-22

Credits

    @nkoorty nkoorty Reporter
    @jjjutla jjjutla Reporter

_____________________________________________________________________


Stored Cross-Site Scripting via Markdown Rendering in Workflow UI
High
csuermann published GHSA-qpq4-pw7f-pp8w Feb 4, 2026

Package
n8n (npm)

Affected versions
<2.2.0

Patched versions
2.2.1, 1.123.9


Description

Impact

A Cross-Site Scripting (XSS) vulnerability existed in a markdown 
rendering component used in n8n's interface, including workflow sticky 
notes and other areas that support markdown content.

An authenticated user with permission to create or modify workflows 
could abuse this to execute scripts with same-origin privileges when 
other users interact with a maliciously crafted workflow. This could 
lead to session hijacking and account takeover.


Patches

The issue has been fixed in n8n versions 2.2.1 and 1.123.9. Users 
should upgrade to these versions or later to remediate the 
vulnerability.


Workarounds

If upgrading is not immediately possible, administrators should 
consider the following temporary mitigations:

    Limit workflow creation and editing permissions to fully trusted users only.
    Review existing workflows for potentially malicious markdown content in sticky notes and other components.
    Educate users about the risks of opening workflows from untrusted sources.

These workarounds do not fully remediate the risk and should only be 
used as short-term mitigation measures.

n8n has adopted CVSS 4.0 as the primary score for all security advisories. 
CVSS 3.1 vector strings are provided for backward compatibility.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N


Severity
High
8.5 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required Low
User interaction Passive
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability None
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CVE ID
CVE-2026-25054

Weaknesses
Weakness CWE-80

Credits

    @MyLong MyLong Reporter

_____________________________________________________________________


Command Injection in Community Package Installation
Low
csuermann published GHSA-7c4h-vh2m-743m Feb 4, 2026

Package
n8n (npm)

Affected versions
>= 0.187.0 <1.120.3

Patched versions
1.120.3


Description


Impact

A command injection vulnerability was identified in n8n’s community 
package installation functionality. The issue allowed authenticated 
users with administrative permissions to execute arbitrary system 
commands on the n8n host under specific conditions.

Important context

    Exploitation requires administrative access to the n8n instance.
    The affected functionality is restricted to trusted users who are already permitted to install third-party community packages.
    No unauthenticated or low-privilege exploitation is possible.
    There is no evidence of exploitation in the wild.

Because administrative users can already extend n8n with custom or 
community code, the vulnerability does not meaningfully expand the 
threat model beyond existing administrator capabilities. However, it 
represents a violation of secure coding practices and has therefore 
been addressed.


Patches

Users are advised to upgrade to n8n version 1.120.3 or later, which 
fully resolves the issue.

As a general security best practice, n8n instance owners should ensure 
that:

    Administrative access is limited to trusted users only.
    Community packages are installed only from trusted sources.
    Instances are kept up to date with the latest security releases.


Severity
Low

CVE ID
CVE-2026-21893

Weaknesses
Weakness CWE-20
Weakness CWE-78

Credits

    @berkdedekarginoglu berkdedekarginoglu Reporter

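Each advisory above lists one patched version per release line (1.x and 2.x), so a naive "installed < 2.5.2" comparison misjudges a 1.123.17 instance, and the Python sandbox advisory is only reachable under specific environment settings. The following added example (not part of this note or of n8n's own tooling) evaluates both for an instance; fix versions are copied from the advisories, the SSH node entry uses its stated patched versions rather than its "<2.2.3" affected range, and the environment dictionaries are constructed sample input.

```python
import json
from typing import Dict, List, Optional, Tuple

def parse_version(s: str) -> Tuple[int, ...]:
    """'1.123.17' -> (1, 123, 17); a '-rc' suffix is dropped so tuples compare cleanly."""
    return tuple(int(p) for p in s.strip().split("-")[0].split("."))

# Fix versions from the advisories above as (first affected version or None, fixes).
# An advisory lists one fix per maintained release line, so the check must use the
# installed version's line: 1.123.17 is fixed for the expression bug although it sorts below 2.5.2.
ADVISORIES: Dict[str, Tuple[Optional[str], List[str]]] = {
    "GHSA-9g95-qf3f-ggrw / CVE-2026-25053 (Git node)": (None, ["1.123.10", "2.5.0"]),
    "GHSA-6cqr-8cfr-67f8 / CVE-2026-25049 (expressions)": (None, ["1.123.17", "2.5.2"]),
    "GHSA-hv53-3329-vmrm / CVE-2026-25056 (Merge node)": (None, ["1.118.0", "2.4.0"]),
    "GHSA-8398-gmmx-564h / CVE-2026-25115 (Python sandbox)": (None, ["2.4.8"]),
    "GHSA-m82q-59gv-mcr9 / CVE-2026-25055 (SSH node)": (None, ["1.123.12", "2.4.0"]),
    "GHSA-qpq4-pw7f-pp8w / CVE-2026-25054 (markdown XSS)": (None, ["1.123.9", "2.2.1"]),
    "GHSA-7c4h-vh2m-743m / CVE-2026-21893 (community packages)": ("0.187.0", ["1.120.3"]),
}

def is_exposed(installed: str, since: Optional[str], patched: List[str]) -> bool:
    v = parse_version(installed)
    if since and v < parse_version(since):
        return False
    fixes = [parse_version(p) for p in patched]
    # Fix of the installed major line if there is one, else the lowest fix: a line below
    # every fix is exposed (1.x vs the 2.4.8-only sandbox fix), a line above none is not.
    same_line = [f for f in fixes if f[0] == v[0]]
    return v < (same_line[0] if same_line else min(fixes))

def open_advisories(installed: str) -> List[str]:
    """Advisories still open for this version, in the order listed above."""
    return [k for k, (since, fixes) in ADVISORIES.items() if is_exposed(installed, since, fixes)]

def python_sandbox_reach(env: Dict[str, str]) -> Optional[str]:
    """GHSA-8398 is reachable only with runners and Python on and the Code node not
    excluded; returns None when unreachable, else where an escape would land."""
    if any(env.get(k, "false").lower() != "true" for k in ("N8N_RUNNERS_ENABLED", "N8N_PYTHON_ENABLED")):
        return None
    raw = env.get("NODES_EXCLUDE", "")
    try:  # n8n documents NODES_EXCLUDE as a JSON array string
        excluded = json.loads(raw) if raw else []
    except ValueError:  # tolerate a bare comma-separated list
        excluded = [n.strip() for n in raw.split(",")]
    if "n8n-nodes-base.code" in excluded:
        return None
    if env.get("N8N_RUNNERS_MODE", "internal") == "external":
        return "sidecar container (external runners): lower, High rather than Critical"
    return "main n8n process (internal runners)"
```

Run `open_advisories("<installed version>")` against the output of `n8n --version`, then `python_sandbox_reach(dict(os.environ))` on the host to confirm whether the sandbox advisory applies at all.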


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




