=====================================================================
CERT-Renater Note d'Information No. 2026/VULN345
_____________________________________________________________________
DATE : 30/03/2026
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running n8n (npm) versions prior to 2.14.1, 2.13.3, 1.123.27.
=====================================================================
https://github.com/n8n-io/n8n/security/advisories/GHSA-58qr-rcgv-642v
https://github.com/n8n-io/n8n/security/advisories/GHSA-mxrg-77hm-89hv
https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35
https://github.com/n8n-io/n8n/security/advisories/GHSA-qfc3-hm4j-7q77
_____________________________________________________________________

RCE via SQL Mode of Merge Node
Severity: Critical
GHSA-58qr-rcgv-642v, published by Jubke on Mar 25, 2026
Package: n8n (npm)
Affected versions: < 2.14.1, < 2.13.3, < 1.123.27
Patched versions: >= 2.14.1, >= 2.13.3, >= 1.123.27

Description

Impact
An authenticated user with permission to create or modify workflows could use the Merge node's "Combine by SQL" mode to read local files on the n8n host and achieve remote code execution. The AlaSQL sandbox did not sufficiently restrict certain SQL statements, allowing an attacker to read sensitive files on the server or fully compromise the instance.

Patches
The issue has been fixed in n8n versions 2.14.1, 2.13.3 and 1.123.27. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the Merge node by adding n8n-nodes-base.merge to the NODES_EXCLUDE environment variable.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
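All four advisories in this note share the same fixed releases (1.123.27 on the 1.x line, 2.13.3 on the 2.13.x line, 2.14.1 otherwise), so a single inventory check covers them. The block below is an added example written for this note; it is not code from CERT-Renater or from n8n. The host names and versions in SAMPLE_INVENTORY are constructed test data, and the branch logic is this editor's reading of the "affected versions" lists above (a 2.13.x release is compared against 2.13.3, a 1.x or older release against 1.123.27, every other 2.x release against 2.14.1).

```javascript
// Added example (not part of the CERT-Renater note or n8n): classify an installed
// n8n version against the affected ranges shared by GHSA-58qr-rcgv-642v,
// GHSA-mxrg-77hm-89hv, GHSA-m63j-689w-3j35 and GHSA-qfc3-hm4j-7q77.

// First patched release on each line, exactly as the advisories state them.
const PATCHED = {
  line1: [1, 123, 27],   // 1.x (and anything older)
  line213: [2, 13, 3],   // 2.13.x
  line2: [2, 14, 1],     // every other 2.x release
};

// Accept "2.14.0", "v2.14.0" or "2.14.0-rc.1"; the pre-release suffix is ignored
// on purpose: a release candidate of a fixed version is not the fixed version,
// but for inventory triage it is far more useful to flag the line than to crash.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable n8n version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch]; -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is strictly below the first patched release of its line.
function isAffected(version) {
  const v = parseVersion(version);
  const baseline =
    v[0] === 2 && v[1] === 13 ? PATCHED.line213
    : v[0] <= 1               ? PATCHED.line1
    :                           PATCHED.line2;
  return cmp(v, baseline) < 0;
}

// Split a host -> version map into affected and patched hosts.
function triage(inventory) {
  const out = { affected: [], patched: [] };
  for (const [host, version] of Object.entries(inventory)) {
    (isAffected(version) ? out.affected : out.patched).push(host);
  }
  return out;
}

// Constructed sample inventory (hypothetical hosts, not real systems).
const SAMPLE_INVENTORY = {
  'n8n-prod-a': '2.14.0',   // one release short of the fix
  'n8n-prod-b': '2.14.1',   // fixed
  'n8n-lts':    '1.123.26', // affected on the 1.x line
  'n8n-lts-2':  '1.123.27', // fixed on the 1.x line
  'n8n-stage':  '2.13.2',   // affected on the 2.13.x line
};

console.log(JSON.stringify(triage(SAMPLE_INVENTORY), null, 2));
```

Feed it whatever your inventory already records (the version string from the instance's package.json, a container image tag, or the output of the n8n CLI); the only requirement is a major.minor.patch triple.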
n8n has adopted CVSS 4.0 as the primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.
CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity: Critical, 9.4 / 10
CVSS v4 base metrics
  Exploitability: Attack Vector Network, Attack Complexity Low, Attack Requirements None, Privileges Required Low, User Interaction None
  Vulnerable System Impact: Confidentiality High, Integrity High, Availability High
  Subsequent System Impact: Confidentiality High, Integrity High, Availability High
CVSS 4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVE ID: CVE-2026-33660
Weakness: CWE-94
Credits: duddnr0615k, simonkoeck, c0rydoras, nil340 (reporters)
_____________________________________________________________________

Prototype Pollution in GSuiteAdmin node parameters leads to RCE
Severity: Critical
GHSA-mxrg-77hm-89hv, published by Jubke on Mar 25, 2026
Package: n8n (npm)
Affected versions: < 2.14.1, < 2.13.3, < 1.123.27
Patched versions: >= 2.14.1, >= 2.13.3, >= 1.123.27

Description

Impact
An authenticated user with permission to create or modify workflows could exploit a prototype pollution vulnerability in the GSuiteAdmin node. By supplying a crafted parameter as part of the node configuration, an attacker could write attacker-controlled values onto Object.prototype and use that to achieve remote code execution on the n8n instance.

Patches
The issue has been fixed in n8n versions 2.14.1, 2.13.3 and 1.123.27. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the XML node by adding n8n-nodes-base.xml to the NODES_EXCLUDE environment variable. (Note: the advisory text as published names the XML node here, although the vulnerable component it describes is the GSuiteAdmin node; check the advisory link above for the current wording before relying on this mitigation.)
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

n8n has adopted CVSS 4.0 as the primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.
CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity: Critical, 9.4 / 10
CVSS v4 base metrics
  Exploitability: Attack Vector Network, Attack Complexity Low, Attack Requirements None, Privileges Required Low, User Interaction None
  Vulnerable System Impact: Confidentiality High, Integrity High, Availability High
  Subsequent System Impact: Confidentiality High, Integrity High, Availability High
CVSS 4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVE ID: CVE-2026-33696
Weakness: CWE-1321
Credits: simonkoeck (reporter)
_____________________________________________________________________

Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition
Severity: High
GHSA-m63j-689w-3j35, published by Jubke on Mar 25, 2026
Package: n8n (npm)
Affected versions: < 1.123.27, < 2.14.1, < 2.13.3
Patched versions: >= 1.123.27, >= 2.14.1, >= 2.13.3

Description

Impact
An authenticated user with the global:member role could exploit chained authorization flaws in n8n's credential pipeline to steal plaintext secrets from generic HTTP credentials (httpBasicAuth, httpHeaderAuth, httpQueryAuth) belonging to other users on the same instance. The attack abuses a name-based credential resolution path that does not enforce ownership or project scope, combined with a bypass in the credentials permission checker that causes generic HTTP credential types to be skipped during pre-execution validation. Together, these flaws allow a member-role user to resolve another user's credential ID and execute a workflow that decrypts and uses that credential without authorization. Native integration credential types (e.g. slackApi, openAiApi, postgres) are not affected by this issue.
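Before continuing with the credential-theft advisory, the GSuiteAdmin finding above (GHSA-mxrg-77hm-89hv, CWE-1321) deserves a concrete illustration, because "writing onto Object.prototype" sounds abstract until you watch it happen. The block below is an added example for this note and is not n8n's code: it does not reproduce the GSuiteAdmin node, only the generic pattern that produces this class of bug, a recursive merge of JSON-decoded, attacker-controlled parameters into a configuration object. The function names and the ATTACKER_PAYLOAD are this editor's constructions.

```javascript
// Added example (not n8n's code): how a recursive parameter merge pollutes
// Object.prototype, and a merge that refuses to. The payload is constructed.

// Vulnerable shape: copies every enumerable key recursively with no check on
// the key name. JSON.parse creates an own property literally named "__proto__";
// reading target["__proto__"] then yields Object.prototype, so the recursion
// writes every nested value straight onto the shared prototype.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val && typeof val === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      mergeUnsafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Keys that let a caller walk from a plain object to Object.prototype.
// "constructor" is included because constructor.prototype is the same target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened shape: own keys only, reject the dangerous names outright instead of
// silently dropping them (so a tampered parameter blob fails loudly), and give
// freshly created containers no prototype at all.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected dangerous key in parameters: ${key}`);
    }
    const val = source[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      if (!hasOwn || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = Object.create(null);
      }
      mergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed attacker payload, as it could arrive in a JSON parameter blob.
const ATTACKER_PAYLOAD = JSON.parse('{"__proto__": {"pollutedByExample": "yes"}}');

// Run the vulnerable merge, observe the pollution, then undo it so the rest
// of the process is not left with a poisoned prototype.
function demonstratePollution() {
  const before = ({}).pollutedByExample;          // undefined on a clean prototype
  mergeUnsafe({}, ATTACKER_PAYLOAD);
  const after = ({}).pollutedByExample;           // 'yes': every object now has it
  delete Object.prototype.pollutedByExample;
  return { before, after };
}

// Same payload against the hardened merge: rejected, and ordinary nested
// configuration still merges as expected.
function demonstrateSafeMerge() {
  let rejected = false;
  try { mergeSafe({}, ATTACKER_PAYLOAD); } catch (e) { rejected = true; }
  const merged = mergeSafe({ a: { x: 1 } }, { a: { y: 2 }, b: 3 });
  return { rejected, merged, pollutedAfter: ({}).pollutedByExample };
}

console.log(demonstratePollution(), demonstrateSafeMerge());
```

The "after" value is what turns a configuration bug into code execution: once an attacker controls a property that every object in the process inherits, any library that reads an option it expects to be absent (a shell flag, a template setting, a path) now reads the attacker's value. Rejecting the three keys above is the minimum; parsing parameters into prototype-less objects and validating them against a schema is the robust version.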
This vulnerability affects Community Edition only. Enterprise Edition has additional permission gates on workflow creation and execution that independently block this attack chain.

Patches
The issue has been fixed in n8n versions 1.123.27, 2.13.3 and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Restrict instance access to fully trusted users only.
- Audit credentials stored on the instance and rotate any generic HTTP credentials (httpBasicAuth, httpHeaderAuth, httpQueryAuth) that may have been exposed.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

n8n has adopted CVSS 4.0 as the primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.
CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity: High, 8.5 / 10
CVSS v4 base metrics
  Exploitability: Attack Vector Network, Attack Complexity Low, Attack Requirements None, Privileges Required Low, User Interaction None
  Vulnerable System Impact: Confidentiality High, Integrity None, Availability None
  Subsequent System Impact: Confidentiality High, Integrity High, Availability High
CVSS 4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
CVE ID: CVE-2026-33663
Weakness: CWE-639
Credits: tr4ce-ju (reporter)
_____________________________________________________________________

XSS via Binary Data Inline HTML Rendering
Severity: Moderate
GHSA-qfc3-hm4j-7q77, published by Jubke on Mar 25, 2026
Package: n8n (npm)
Affected versions: < 1.123.27, < 2.14.1, < 2.13.3
Patched versions: >= 1.123.27, >= 2.14.1, >= 2.13.3

Description

Impact
An authenticated user with permission to create or modify workflows could craft a workflow that produces an HTML binary data object without a filename.
The /rest/binary-data endpoint served such responses inline on the n8n origin, without Content-Disposition or Content-Security-Policy headers, allowing the HTML to render in the browser with full same-origin JavaScript access. By sending the resulting URL to a higher-privileged user, an attacker could execute JavaScript in the victim's authenticated session, enabling exfiltration of workflows and credentials, modification of workflows, or privilege escalation to admin.

Patches
The issue has been fixed in n8n versions 1.123.27, 2.13.3 and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trusted users only.
- Restrict network access to the n8n instance to prevent untrusted users from accessing binary data URLs.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

n8n has adopted CVSS 4.0 as the primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.
CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Severity: Moderate, 6.3 / 10
CVSS v4 base metrics
  Exploitability: Attack Vector Network, Attack Complexity Low, Attack Requirements None, Privileges Required Low, User Interaction Active
  Vulnerable System Impact: Confidentiality Low, Integrity Low, Availability None
  Subsequent System Impact: Confidentiality High, Integrity High, Availability High
CVSS 4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H
CVE ID: CVE-2026-33749
Weakness: CWE-79
Credits: simonkoeck (reporter)
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: cert@support.renater.fr +
=========================================================
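The binary-data advisory (GHSA-qfc3-hm4j-7q77) comes down to which response headers a download endpoint emits for user-produced content, so it is worth seeing the weak and hardened header sets side by side, together with the check that tells them apart. The block below is an added example for this note, not n8n's code: the item shape ({mimeType, fileName}), the function names and the constructed HTML item are this editor's assumptions, and the hardened set reflects the two controls the advisory names as missing (Content-Disposition and Content-Security-Policy) plus a header-injection guard on the file name.

```javascript
// Added example (not n8n's code): header selection for an endpoint that serves
// workflow-produced binary items, as pure functions so it runs without a server.

// Types a browser will render as a document and run script from when shown inline.
const ACTIVE_CONTENT = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml', 'text/xml', 'application/xml',
]);

// Weak shape: the stored MIME type goes straight into Content-Type, and when the
// item carries no file name there is no Content-Disposition at all. HTML from an
// attacker-authored workflow renders on the application origin for whoever
// opens the URL, with that viewer's session cookies attached to every request.
function headersWeak(binary) {
  const headers = { 'Content-Type': binary.mimeType };
  if (binary.fileName) {
    headers['Content-Disposition'] = `inline; filename="${binary.fileName}"`;
  }
  return headers;
}

// Reduce a stored file name to a conservative character set so it cannot break
// out of the quoted header value (quotes, CR/LF, semicolons, path separators).
function sanitizeFileName(name) {
  if (typeof name !== 'string') return '';
  return name.replace(/[^A-Za-z0-9._-]/g, '_').slice(0, 128);
}

// Hardened shape: always force a download, never trust the stored name, stop
// MIME sniffing, and attach a CSP that neutralises the markup if a client
// renders it anyway (sandbox gives it an opaque origin and no script).
function headersHardened(binary) {
  const mime = String(binary.mimeType || 'application/octet-stream')
    .split(';')[0].trim().toLowerCase();
  const safeName = sanitizeFileName(binary.fileName) || 'download';
  return {
    'Content-Type': mime,
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'Content-Security-Policy': "default-src 'none'; sandbox",
    'X-Content-Type-Options': 'nosniff',
  };
}

// The check a reviewer or a test suite wants: would a browser treat this
// response as a same-origin page? True only for active content served inline.
function rendersInline(headers) {
  const ct = String(headers['Content-Type'] || '').split(';')[0].trim().toLowerCase();
  const cd = String(headers['Content-Disposition'] || '').trim().toLowerCase();
  return ACTIVE_CONTENT.has(ct) && !cd.startsWith('attachment');
}

// Constructed item: the case the advisory describes, HTML with no file name.
const HTML_NO_NAME = { mimeType: 'text/html', fileName: undefined };

console.log('weak renders inline:', rendersInline(headersWeak(HTML_NO_NAME)));
console.log('hardened renders inline:', rendersInline(headersHardened(HTML_NO_NAME)));
```

Note that adding a file name alone does not close the hole: `inline; filename="report.html"` still renders, which is why the hardened set forces `attachment` regardless of what the workflow supplied. The CSP is defence in depth for clients that ignore Content-Disposition, not a substitute for it.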