This email comes from outside the organization; stay vigilant.

=====================================================================
CERT-Renater Information Note No. 2026/VULN622
_____________________________________________________________________
DATE                 : 11/06/2026
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running n8n (npm) versions prior to 1.123.55, 2.26.2, 2.25.7.
=====================================================================

https://github.com/n8n-io/n8n/security/advisories/GHSA-2j5h-858j-5mpf
https://github.com/n8n-io/n8n/security/advisories/GHSA-qrx8-25qr-5r7v
https://github.com/n8n-io/n8n/security/advisories/GHSA-pmqw-72cg-wx85
https://github.com/n8n-io/n8n/security/advisories/GHSA-664h-gpgq-h6xx
https://github.com/n8n-io/n8n/security/advisories/GHSA-jqpw-qww5-cj4c
_____________________________________________________________________

Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints
Severity: High
Published by Jubke, GHSA-2j5h-858j-5mpf, Jun 10, 2026
Package: n8n (npm)
Affected versions: < 1.123.55, < 2.26.2, < 2.25.7
Patched versions:  >= 1.123.55, >= 2.26.2, >= 2.25.7

Description

Impact
Three EE endpoints used by the Dynamic Credentials feature accepted any authenticated n8n session without performing per-resource ownership or scope checks on the target workflow or credential. An authenticated user with no project membership or credential sharing relationship could enumerate credential identifiers, names, and types referenced by any private workflow in the instance, initiate an OAuth authorization flow against another user's credential to overwrite its stored tokens with tokens bound to an account they control, or revoke another user's stored credential tokens entirely.

Workflows relying on a hijacked credential would subsequently execute under the attacker's OAuth identity, enabling data exfiltration to attacker-controlled external services and persistent takeover of integrations. Token revocation would break affected workflows.

This issue only affects Enterprise instances where the Dynamic Credentials feature is enabled.

Patches
The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Restrict n8n instance access to fully trusted users only.
- If the Dynamic Credentials feature is not actively required, disable it by unsetting N8N_ENV_FEAT_DYNAMIC_CREDENTIALS.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

n8n has adopted CVSS 4.0 as the primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Severity: High, 8.9 / 10

CVSS v4 base metrics
  Exploitability Metrics
    Attack Vector: Network
    Attack Complexity: Low
    Attack Requirements: Present
    Privileges Required: Low
    User Interaction: None
  Vulnerable System Impact Metrics
    Confidentiality: High
    Integrity: High
    Availability: Low
  Subsequent System Impact Metrics
    Confidentiality: High
    Integrity: High
    Availability: Low
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

CVE ID: No known CVE
Weaknesses: No CWEs
Credits: @Solidscripting (Solidscripting), Reporter
_____________________________________________________________________

n8n MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions
Severity: High
Published by Jubke, GHSA-qrx8-25qr-5r7v, Jun 10, 2026
Package: n8n (npm)
Affected versions: < 2.26.2, < 2.25.7
Patched versions:  >= 2.26.2, >= 2.25.7

Description

Impact
When @n8n/mcp-browser is run in HTTP transport mode, the MCP endpoint accepts session initialization and tool invocation requests without any authentication. Any network-reachable client, or any website visited by the user, can establish an MCP session and invoke browser-control tools. Where the n8n AI Browser Bridge extension is installed and a browser connection is active, an unauthenticated caller can access browser-control capabilities including navigation, JavaScript evaluation, and cookie and storage access against the user's real browser profile.

This issue only affects instances where @n8n/mcp-browser is run with the HTTP transport (--transport http). The default transport is stdio, which is not affected.

Patches
The issue has been fixed in n8n versions 2.25.7 and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Avoid running @n8n/mcp-browser with the HTTP transport; use the default stdio transport instead.
- If HTTP transport is required, restrict network access to the listening port to trusted clients only, using host-based firewall rules.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

n8n has adopted CVSS 4.0 as the primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Severity: High, 8.8 / 10

CVSS v4 base metrics
  Exploitability Metrics
    Attack Vector: Network
    Attack Complexity: Low
    Attack Requirements: None
    Privileges Required: None
    User Interaction: None
  Vulnerable System Impact Metrics
    Confidentiality: Low
    Integrity: High
    Availability: Low
  Subsequent System Impact Metrics
    Confidentiality: None
    Integrity: None
    Availability: None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

CVE ID: No known CVE
Weaknesses: No CWEs
Credits: @ESPanda666 (ESPanda666), Reporter
_____________________________________________________________________

Credential Exfiltration via Permission Bypass
Severity: High
Published by Jubke, GHSA-pmqw-72cg-wx85, Jun 10, 2026
Package: n8n (npm)
Affected versions: < 1.123.55, < 2.26.2, < 2.25.7
Patched versions:  >= 1.123.55, >= 2.26.2, >= 2.25.7

Description

Impact
A member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only partially enforced, leading to cross-user credential access.

This issue affects instances where workflow sharing is enabled and at least one workflow has been shared with a member-level user as an Editor.

Patches
The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Restrict workflow sharing to fully trusted users only.
- Audit shared workflows for unexpected credential references or recent modifications.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

n8n has adopted CVSS 4.0 as the primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Severity: High, 8.5 / 10

CVSS v4 base metrics
  Exploitability Metrics
    Attack Vector: Network
    Attack Complexity: Low
    Attack Requirements: None
    Privileges Required: Low
    User Interaction: None
  Vulnerable System Impact Metrics
    Confidentiality: High
    Integrity: None
    Availability: None
  Subsequent System Impact Metrics
    Confidentiality: High
    Integrity: High
    Availability: Low
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:L

CVE ID: No known CVE
Weaknesses: No CWEs
Credits: Momen Elkhouli
_____________________________________________________________________

Wrong OAuth Scope on Evaluation Test Runs Endpoints
Severity: Moderate
Published by Jubke, GHSA-664h-gpgq-h6xx, Jun 10, 2026
Package: n8n (npm)
Affected versions: < 1.123.55, < 2.26.2, < 2.25.7
Patched versions:  >= 1.123.55, >= 2.26.2, >= 2.25.7

Description

Impact
Three mutating endpoints in the evaluation test runs controller authorized state-changing actions using the workflow:read scope instead of the action-appropriate workflow:execute scope. An authenticated user with the project:viewer role on a project could start new evaluation test runs, cancel in-flight runs, and delete run records for workflows they only had read access to.

This issue only affects instances with Advanced Permissions (Enterprise/Cloud) where projects and viewer roles are in use.

Patches
The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Restrict project membership to fully trusted users only.
- Avoid granting viewer access to projects containing sensitive workflows.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

n8n has adopted CVSS 4.0 as the primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Severity: Moderate, 5.3 / 10

CVSS v4 base metrics
  Exploitability Metrics
    Attack Vector: Network
    Attack Complexity: Low
    Attack Requirements: None
    Privileges Required: Low
    User Interaction: None
  Vulnerable System Impact Metrics
    Confidentiality: None
    Integrity: Low
    Availability: Low
  Subsequent System Impact Metrics
    Confidentiality: None
    Integrity: Low
    Availability: None
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N

CVE ID: No known CVE
Weaknesses: No CWEs
Credits: @YLChen-007 (YLChen-007), Reporter
_____________________________________________________________________

Denial of Service via ZIP decompression in webhook workflow
Severity: Moderate
Published by Jubke, GHSA-jqpw-qww5-cj4c, Jun 10, 2026
Package: n8n (npm)
Affected versions: < 2.24.0
Patched versions:  >= 2.24.0

Description

Impact
The Compression node's Decompress operation expanded attacker-controlled archives into memory without enforcing limits on decompressed output size. An unauthenticated attacker could send a small compressed archive to a public webhook workflow using this node, causing the n8n process to terminate due to memory exhaustion and disrupting all workflows in the same instance.

Patches
The issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later to remediate the vulnerability. The fix introduces configurable limits on decompressed output size (N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES) and ZIP entry count (N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES).

Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Disable the Compression node by adding n8n-nodes-base.compression to the NODES_EXCLUDE environment variable.
- Restrict public webhook workflows that accept archive file uploads to authenticated endpoints only.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

n8n has adopted CVSS 4.0 as the primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: Moderate, 6.3 / 10

CVSS v4 base metrics
  Exploitability Metrics
    Attack Vector: Network
    Attack Complexity: Low
    Attack Requirements: Present
    Privileges Required: None
    User Interaction: None
  Vulnerable System Impact Metrics
    Confidentiality: None
    Integrity: None
    Availability: Low
  Subsequent System Impact Metrics
    Confidentiality: None
    Integrity: None
    Availability: None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CVE ID: No known CVE
Weaknesses: No CWEs

=========================================================
+ CERT-RENATER       | tel   : 01-53-94-20-44          +
+ 23/25 Rue Daviel   | fax   : 01-53-94-20-41          +
+ 75013 Paris        | email : cert@support.renater.fr +
=========================================================