
Commit 6c426a9

1 parent 92f2c5b commit 6c426a9

3 files changed

Lines changed: 180 additions & 6 deletions


Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-43v7-fp2v-68f6",
4+
"modified": "2026-03-25T22:06:10Z",
5+
"published": "2026-03-25T22:06:10Z",
6+
"aliases": [
7+
"CVE-2026-33724"
8+
],
9+
"summary": "n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no",
10+
"details": "## Impact\nWhen the Source Control feature is configured to use SSH, the SSH command used for git operations explicitly disabled host key verification. A network attacker positioned between the n8n instance and the remote Git server could intercept the connection and present a fraudulent host key, potentially injecting malicious content into workflows or intercepting repository data.\n\n- This issue only affects instances where the Source Control feature has been explicitly enabled and configured to use SSH (non-default).\n\n## Patches\nThe issue has been fixed in n8n version 2.5.0. Users should upgrade to this version or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Disable the Source Control feature if it is not actively required.\n- Restrict network access to ensure the n8n instance communicates with the Git server only over trusted, controlled network paths.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
15+
},
16+
{
17+
"type": "CVSS_V4",
18+
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L"
19+
}
20+
],
21+
"affected": [
22+
{
23+
"package": {
24+
"ecosystem": "npm",
25+
"name": "n8n"
26+
},
27+
"ranges": [
28+
{
29+
"type": "ECOSYSTEM",
30+
"events": [
31+
{
32+
"introduced": "0"
33+
},
34+
{
35+
"fixed": "2.5.0"
36+
}
37+
]
38+
}
39+
]
40+
}
41+
],
42+
"references": [
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-43v7-fp2v-68f6"
46+
},
47+
{
48+
"type": "ADVISORY",
49+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33724"
50+
},
51+
{
52+
"type": "PACKAGE",
53+
"url": "https://github.com/n8n-io/n8n"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-639"
59+
],
60+
"severity": "MODERATE",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2026-03-25T22:06:10Z",
63+
"nvd_published_at": "2026-03-25T19:16:51Z"
64+
}
65+
}
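Review bot: CWE-639 (Authorization Bypass Through User-Controlled Key) in the cwe_ids entry at line 58 does not match the weakness the details describe. The text says the git-over-SSH command disabled host key verification (StrictHostKeyChecking=no), so any host key presented by an on-path attacker is accepted; that is CWE-295 (Improper Certificate Validation) or, more specifically for SSH host keys, CWE-322 (Key Exchange without Entity Authentication). Suggest replacing "CWE-639" with one of those before this lands as github_reviewed.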

advisories/unreviewed/2026/03/GHSA-fh3m-562m-w4f6/GHSA-fh3m-562m-w4f6.json renamed to advisories/github-reviewed/2026/03/GHSA-fh3m-562m-w4f6/GHSA-fh3m-562m-w4f6.json

Lines changed: 31 additions & 6 deletions
@@ -1,24 +1,49 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-fh3m-562m-w4f6",
4-
"modified": "2026-03-24T15:30:26Z",
4+
"modified": "2026-03-25T22:05:11Z",
55
"published": "2026-03-23T18:30:31Z",
66
"aliases": [
77
"CVE-2026-24516"
88
],
9-
"details": "A command injection vulnerability exists in DigitalOcean Droplet Agent through 1.3.2. The troubleshooting actioner component (internal/troubleshooting/actioner/actioner.go) processes metadata from the metadata service endpoint and executes commands specified in the TroubleshootingAgent.Requesting array without adequate input validation. While the code validates that artifacts exist in the validInvestigationArtifacts map, it fails to sanitize the actual command content after the \"command:\" prefix. This allows an attacker who can control metadata responses to inject and execute arbitrary OS commands with root privileges. The attack is triggered by sending a TCP packet with specific sequence numbers to the SSH port, which causes the agent to fetch metadata from http://169.254.169.254/metadata/v1.json. The vulnerability affects the command execution flow in internal/troubleshooting/actioner/actioner.go (insufficient validation), internal/troubleshooting/command/exec.go (direct exec.CommandContext call), and internal/troubleshooting/command/command.go (command parsing without sanitization). This can lead to complete system compromise, data exfiltration, privilege escalation, and potential lateral movement across cloud infrastructure.",
9+
"summary": "DigitalOcean Droplet Agent: Command Injection via Metadata Service Endpoint",
10+
"details": "A command injection vulnerability exists in DigitalOcean Droplet Agent through 1.3.2. The troubleshooting actioner component (internal/troubleshooting/actioner/actioner.go) processes metadata from the metadata service endpoint and executes commands specified in the TroubleshootingAgent.Requesting array without adequate input validation. While the code validates that artifacts exist in the validInvestigationArtifacts map, it fails to sanitize the actual command content after the \"command:\" prefix. This allows an attacker who can control metadata responses to inject and execute arbitrary OS commands with root privileges. The attack is triggered by sending a TCP packet with specific sequence numbers to the SSH port, which causes the agent to fetch metadata from http://169.254.169.254/metadata/v1.json. \n\nThe vulnerability affects the command execution flow in internal/troubleshooting/actioner/actioner.go (insufficient validation), internal/troubleshooting/command/exec.go (direct exec.CommandContext call), and internal/troubleshooting/command/command.go (command parsing without sanitization). This can lead to complete system compromise, data exfiltration, privilege escalation, and potential lateral movement across cloud infrastructure.",
1011
"severity": [
1112
{
1213
"type": "CVSS_V3",
1314
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
1415
}
1516
],
16-
"affected": [],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/digitalocean/droplet-agent"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"last_affected": "0.0.0-20260107162243-1101ffcb5672"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
1738
"references": [
1839
{
1940
"type": "ADVISORY",
2041
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24516"
2142
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/digitalocean/droplet-agent"
46+
},
2247
{
2348
"type": "WEB",
2449
"url": "https://github.com/digitalocean/droplet-agent/blob/main/internal/troubleshooting/actioner/actioner.go"
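Review bot: the new affected range at lines 18-37 ends with last_affected "0.0.0-20260107162243-1101ffcb5672", a Go pseudo-version, while the details at line 10 say the agent is vulnerable "through 1.3.2". Under semver comparison a 0.0.0-* pseudo-version sorts below 1.3.2, so a matcher checking the tagged release v1.3.2 against this range would not flag it; if the module carries tags, express the range against them (last_affected "1.3.2", or a "fixed" event with the first fixed tag if one exists). Using last_affected also leaves readers with no fixed version at all; if the fix commit is known, add a "fixed" event and a WEB reference pointing at it. Minor: the rewritten details string has a stray trailing space before the paragraph break ("v1.json. \n\n").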
@@ -38,11 +63,11 @@
3863
],
3964
"database_specific": {
4065
"cwe_ids": [
41-
"CWE-94"
66+
"CWE-77"
4267
],
4368
"severity": "HIGH",
44-
"github_reviewed": false,
45-
"github_reviewed_at": null,
69+
"github_reviewed": true,
70+
"github_reviewed_at": "2026-03-25T22:05:11Z",
4671
"nvd_published_at": "2026-03-23T17:16:37Z"
4772
}
4873
}
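Review bot: the swap from CWE-94 to CWE-77 at line 66 lands on the generic command-injection entry, but the details state that attacker-controlled text after the "command:" prefix is passed straight to exec.CommandContext and run as an OS command as root; the more specific entry for that is CWE-78 (Improper Neutralization of Special Elements used in an OS Command). Suggest "CWE-78" here, or listing both CWE-77 and CWE-78.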
Lines changed: 84 additions & 0 deletions
@@ -0,0 +1,84 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-fxcw-h3qj-8m8p",
4+
"modified": "2026-03-25T22:05:44Z",
5+
"published": "2026-03-25T22:05:44Z",
6+
"aliases": [
7+
"CVE-2026-33722"
8+
],
9+
"summary": "n8n Has External Secrets Authorization Bypass in Credential Saving",
10+
"details": "## Impact\nAn authenticated user without permission to list external secrets could reference a secret by the external name in a credential and retrieve its plaintext value when saving the credential. This bypassed the `externalSecret:list` permission check and allowed access to secrets stored in connected vaults without admin or owner privileges.\n\n- This issue requires the instance to have an external secrets vault configured.\n- The attacker must know or be able to guess the name of a target secret.\n\n## Patches\nThe issue has been fixed in n8n versions 1.123.23 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Restrict n8n access to fully trusted users only.\n- Disable external secrets integration until the patch can be applied.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"
15+
},
16+
{
17+
"type": "CVSS_V4",
18+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"
19+
}
20+
],
21+
"affected": [
22+
{
23+
"package": {
24+
"ecosystem": "npm",
25+
"name": "n8n"
26+
},
27+
"ranges": [
28+
{
29+
"type": "ECOSYSTEM",
30+
"events": [
31+
{
32+
"introduced": "0"
33+
},
34+
{
35+
"fixed": "1.123.23"
36+
}
37+
]
38+
}
39+
]
40+
},
41+
{
42+
"package": {
43+
"ecosystem": "npm",
44+
"name": "n8n"
45+
},
46+
"ranges": [
47+
{
48+
"type": "ECOSYSTEM",
49+
"events": [
50+
{
51+
"introduced": "2.0.0-rc.0"
52+
},
53+
{
54+
"fixed": "2.6.4"
55+
}
56+
]
57+
}
58+
]
59+
}
60+
],
61+
"references": [
62+
{
63+
"type": "WEB",
64+
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-fxcw-h3qj-8m8p"
65+
},
66+
{
67+
"type": "ADVISORY",
68+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33722"
69+
},
70+
{
71+
"type": "PACKAGE",
72+
"url": "https://github.com/n8n-io/n8n"
73+
}
74+
],
75+
"database_specific": {
76+
"cwe_ids": [
77+
"CWE-863"
78+
],
79+
"severity": "HIGH",
80+
"github_reviewed": true,
81+
"github_reviewed_at": "2026-03-25T22:05:44Z",
82+
"nvd_published_at": "2026-03-25T19:16:51Z"
83+
}
84+
}
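Review bot: the two CVSS vectors at lines 14 and 18 disagree on attack complexity: the v3.1 vector has AC:H while the v4.0 vector has AC:L with AT:P. The only precondition the details give is that the attacker must know or guess the target secret's name, which v4.0 already captures as AT:P; nothing in the text describes a condition outside the attacker's control that would justify AC:H in v3.1. Pick one reading and align both vectors. Separately, the two ranges at lines 21-60 leave a gap: any version above 1.123.23 and below 2.0.0-rc.0 (a 1.124.x release, if one was ever published) falls outside both ranges and would be reported as unaffected; confirm no such versions exist, otherwise the first range needs a different "fixed" boundary.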
