| CVE ID | 标题 | 严重程度 | 情报来源 | |||
|---|---|---|---|---|---|---|
| n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling | CRITICAL | 10.0v3.1 | 5.00 | KISA | 2026. 01. 07. | |
| n8n Vulnerable to RCE via Arbitrary File Write |
CRITICAL |
| 9.9v3.1 |
4.95 |
| — |
| 2026. 01. 06. |
| CVE-2025-68668 | n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node | CRITICAL | 9.9v3.1 | 4.95 | — | 2025. 12. 26. |
| CVE-2026-44791 | n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could bypass the patch for CVE-2026-42232 in the XML node. When combined with other nodes, this could lead to RCE on the n8n host. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7. | CRITICAL | 9.4v4.0 | 4.70 | — | 2026. 06. 23. |
| CVE-2026-44790 | n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could inject CLI flags on the Git node's Push operation allowing an attacker to read arbitrary files from the n8n server potentially leading to full compromise. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7. | CRITICAL | 9.4v4.0 | 4.70 | — | 2026. 06. 23. |
| CVE-2026-44789 | n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7. | CRITICAL | 9.4v4.0 | 4.70 | — | 2026. 06. 23. |
| CVE-2026-54305 | n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, three EE endpoints used by the Dynamic Credentials feature accepted any authenticated n8n session without performing per-resource ownership or scope checks on the target workflow or credential. An authenticated user with no project membership or credential sharing relationship could enumerate credential identifiers, names, and types referenced by any private workflow in the instance, initiate an OAuth auth | HIGH | 8.9v4.0 | 4.45 | — | 2026. 06. 23. |
| CVE-2026-44792 | n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an attacker with write access to the git repository connected to an n8n Source Control configuration could commit a malicious Data Table JSON file containing a crafted column name. When an administrator performed a Source Control Pull, n8n imported the file and could lead to SQL injection on the internal PostgreSQL instance. Exploitation requires the n8n instance uses PostgreSQL as its database backend, th | HIGH | 8.9v4.0 | 4.45 | — | 2026. 06. 23. |
| CVE-2026-54309 | n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, when @n8n/mcp-browser is run in HTTP transport mode, the MCP endpoint accepts session initialization and tool invocation requests without any authentication. Any network-reachable client, or any website visited by the user, can establish an MCP session and invoke browser-control tools. Where the n8n AI Browser Bridge extension is installed and a browser connection is active, an unauthenticated caller can access brows | HIGH | 8.8v4.0 | 4.40 | — | 2026. 06. 23. |
| CVE-2025-56265 | N8N's Chat Trigger component is vulnerable to XSS | HIGH | 8.8v3.1 | 4.40 | — | 2025. 09. 08. |
| CVE-2023-27563 | n8n Privilege Escalation vulnerability | HIGH | 8.8v3.1 | 4.40 | — | 2023. 05. 10. |
| CVE-2025-52478 | Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source | HIGH | 8.7v3.1 | 4.35 | — | 2025. 08. 19. |
| CVE-2026-54307 | n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, a member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only enforced partially leading to cross-user credential access. This issue affects instances where workflow sharing is enabled and at least one workflow has been shared with a member-level user as an Editor. This vulnerability is fixed | HIGH | 8.5v4.0 | 4.25 | — | 2026. 06. 23. |
| CVE-2026-42449 | n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. In versions 2.47.4 through 2.47.13, the SDK embedder path (N8NDocumentationMCPServer constructor, getN8nApiClient(), and validateInstanceContext()), the synchronous URL validator in SSRFProtection.validateUrlSync() had no IPv6 checks. IPv4-mapped IPv6 addresses such as http://[::ffff:169.254.169.254] bypassed the cloud-metadata, localhost, and private-IP range checks. An attacker ab | HIGH | 8.5v3.1 | 4.25 | — | 2026. 05. 07. |
| CVE-2026-45732 | n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, the OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read rather than credential:update. An authenticated user with read-only access to a shared credential could initiate an OAuth reconnect flow and overwrite the stored token material for that credential with tokens bound to an external account they control. Workflows relying on the affected credential would subsequently | HIGH | 8.3v4.0 | 4.15 | — | 2026. 06. 23. |
| CVE-2026-56351 | n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes | — | 5.3v4.0 | 4.10 | — | 2026. 02. 26. |
| CVE-2026-45707 | n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.2, when ENABLE_MULTI_TENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key headers. Requests that omitted those headers — or supplied only one of them — silently fell back to the process-level N8N_API_URL / N8N_API_KEY credentials configured for the operator's own n8n instance. As a result, an authenti | HIGH | 8.1v3.1 | 4.05 | — | 2026. 05. 29. |
| CVE-2023-27564 | n8n Information Disclosure vulnerability | HIGH | 7.5v3.1 | 3.75 | — | 2023. 05. 10. |
| CVE-2025-61914 | n8n's Possible Stored XSS in "Respond to Webhook" Node May Execute Outside iframe Sandbox | HIGH | 7.3v3.1 | 3.65 | — | 2025. 12. 26. |
| CVE-2026-54312 | n8n is an open source workflow automation platform. Prior to 2.24.0, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the Microsoft SQL node by supplying a crafted value as the table parameter. This pollutes Object.prototype process-wide for the lifetime of the n8n server process, causing application-wide validation failures and rendering the n8n instance completely non-functional until restarted. This vulnerability is fixed in 2.24 | HIGH | 7.2v4.0 | 3.60 | — | 2026. 06. 23. |