n8n: Critical n8n Vulnerability Let Attackers Achieve Remote Code Execution

Critical RCE Vulnerability in n8n Workflow Automation Platform Exposes Servers to Attack

A severe security flaw in n8n, a popular open-source workflow automation tool, has been identified as CVE-2026-33660, enabling Remote Code Execution (RCE) attacks on host servers. The vulnerability, rated critical under both CVSS 3.1 and 4.0, allows authenticated threat actors to bypass security controls, access sensitive data, and fully compromise the underlying system.

The issue stems from the "Merge" node in n8n workflows when "Combine by SQL" mode is enabled. The platform uses an AlaSQL sandbox to execute SQL operations, but researchers found that the sandbox fails to properly restrict certain SQL statements. Due to improper input validation (CWE-94: Code Injection), attackers can inject malicious instructions, leading to sandbox escape and local file read access on the host.

Exploitation requires only low privileges, such as the ability to create or modify workflows, and no user interaction. Once the sandbox is escaped, attackers can escalate to arbitrary code execution and gain full administrative control over the server. The vulnerability poses a high risk to enterprise automation environments, as it threatens the confidentiality, integrity, and availability of affected systems.

The n8n development team has released patches to address the flaw. Organizations are advised to update their instances immediately to mitigate risk. For those unable to patch immediately, temporary workarounds include:

  • Restricting workflow creation/modification permissions to trusted personnel.
  • Disabling the vulnerable component by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable.
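As an added illustration (not code from the article or from n8n), the following Python script builds the `NODES_EXCLUDE` value for the second workaround without dropping nodes an instance already excludes, and inventories exported workflow JSON for Merge nodes running in SQL combine mode so administrators can see which workflows the workaround will break. The node type comes from the page; the mode value `combineBySql`, the workflow export layout and the JSON-array format of `NODES_EXCLUDE` are assumptions taken from n8n's documentation.

```python
import json
from typing import Optional

# Node type named on the page. The mode value is an assumption about the
# Merge node's parameters; the page only calls it "Combine by SQL".
MERGE_NODE_TYPE = "n8n-nodes-base.merge"
SQL_MODE = "combineBySql"


def add_node_exclude(current: Optional[str], node_type: str = MERGE_NODE_TYPE) -> str:
    """Return a NODES_EXCLUDE value (assumed JSON-array string) with node_type
    added, keeping nodes already excluded and never duplicating an entry."""
    excluded = json.loads(current) if current and current.strip() else []
    if not isinstance(excluded, list):
        raise ValueError("NODES_EXCLUDE must be a JSON array")
    if node_type not in excluded:
        excluded.append(node_type)
    return json.dumps(excluded)


def find_sql_merge_nodes(workflow: dict) -> list:
    """Names of Merge nodes in an exported workflow that use SQL combine mode.
    Merge nodes without an explicit mode use the default (append) and are skipped."""
    hits = []
    for node in workflow.get("nodes", []):
        if node.get("type") != MERGE_NODE_TYPE:
            continue
        if node.get("parameters", {}).get("mode") == SQL_MODE:
            hits.append(node["name"])
    return hits


# Constructed sample: a minimal workflow export with one SQL-mode Merge node,
# one append-mode Merge node and one unrelated node.
SAMPLE_WORKFLOW = {
    "name": "invoice sync",
    "nodes": [
        {"name": "Merge SQL", "type": MERGE_NODE_TYPE, "typeVersion": 3,
         "parameters": {"mode": SQL_MODE, "query": "SELECT * FROM input1"}},
        {"name": "Merge Append", "type": MERGE_NODE_TYPE, "typeVersion": 3,
         "parameters": {"mode": "append"}},
        {"name": "HTTP Request", "type": "n8n-nodes-base.httpRequest",
         "typeVersion": 4, "parameters": {}},
    ],
}

if __name__ == "__main__":
    print("workflows nodes affected by the workaround:", find_sql_merge_nodes(SAMPLE_WORKFLOW))
    print("NODES_EXCLUDE=" + add_node_exclude('["n8n-nodes-base.executeCommand"]'))
```

Run `find_sql_merge_nodes` over each file exported from the instance before setting the variable, since excluding the node type disables every Merge node, not only those in SQL mode.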

However, n8n emphasizes that only the official patches provide permanent remediation. The vulnerability underscores the importance of timely updates in securing automation platforms against evolving threats.

Source: https://cybersecuritynews.com/n8n-vulnerability/

n8n cybersecurity rating report: https://www.rankiteo.com/company/n8n

"id": "N8N1774873530",
"linkid": "n8n",
"type": "Vulnerability",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Workflow Automation',
                        'name': 'n8n',
                        'type': 'Software/Platform'}],
 'attack_vector': 'Authenticated workflow modification',
 'data_breach': {'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Sensitive data'},
 'description': 'A severe security flaw in n8n, a popular open-source workflow '
                'automation tool, has been identified as CVE-2026-33660, '
                'enabling Remote Code Execution (RCE) attacks on host servers. '
                'The vulnerability allows authenticated threat actors to '
                'bypass security controls, access sensitive data, and fully '
                'compromise the underlying system. The issue stems from the '
                "'Merge' node in n8n workflows when 'Combine by SQL' mode is "
                'enabled, leading to sandbox escape and local file read access '
                'due to improper input validation.',
 'impact': {'data_compromised': 'Sensitive data access',
            'operational_impact': 'Full administrative control over the '
                                  'server, compromise of confidentiality, '
                                  'integrity, and availability',
            'systems_affected': 'n8n workflow automation platform servers'},
 'post_incident_analysis': {'corrective_actions': 'Patches released to fix the '
                                                  'vulnerability, temporary '
                                                  'workarounds provided for '
                                                  'unpatched systems',
                            'root_causes': 'Improper input validation in the '
                                           "'Merge' node's 'Combine by SQL' "
                                           'mode, leading to sandbox escape '
                                           'and code injection'},
 'recommendations': 'Update n8n instances immediately to the latest patched '
                    'version. If unable to patch, restrict workflow '
                    'permissions or disable the vulnerable component.',
 'references': [{'source': 'CVE Details'}],
 'response': {'containment_measures': 'Restricting workflow '
                                      'creation/modification permissions to '
                                      'trusted personnel, disabling the '
                                      'vulnerable component by adding '
                                      '`n8n-nodes-base.merge` to the '
                                      '`NODES_EXCLUDE` environment variable',
              'remediation_measures': 'Official patches released by n8n '
                                      'development team'},
 'title': 'Critical RCE Vulnerability in n8n Workflow Automation Platform '
          'Exposes Servers to Attack',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2026-33660 (Improper input validation, '
                            'CWE-94: Code Injection)'}