
Commit 77dd6d8

1 parent 72c6e4b commit 77dd6d8

3 files changed

Lines changed: 296 additions & 0 deletions


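--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,106 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-58qr-rcgv-642v",
+"modified": "2026-03-25T21:07:45Z",
+"published": "2026-03-25T21:07:45Z",
+"aliases": [
+"CVE-2026-33660"
+],
+"summary": "n8n has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode",
+"details": "## Impact\nAn authenticated user with permission to create or modify workflows could use the Merge node's \"Combine by SQL\" mode to read local files on the n8n host and achieve remote code execution. The AlaSQL sandbox did not sufficiently restrict certain SQL statements, allowing an attacker to access sensitive files on the server or even compromise the intance.\n\n## Patches\nThe issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.27. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+},
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "n8n"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "2.14.0"
+},
+{
+"fixed": "2.14.1"
+}
+]
+}
+],
+"versions": [
+"2.14.0"
+]
+},
+{
+"package": {
+"ecosystem": "npm",
+"name": "n8n"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "2.0.0-rc.0"
+},
+{
+"fixed": "2.13.3"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "npm",
+"name": "n8n"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.123.27"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-58qr-rcgv-642v"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33660"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/n8n-io/n8n"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-94"
+],
+"severity": "CRITICAL",
+"github_reviewed": true,
+"github_reviewed_at": "2026-03-25T21:07:45Z",
+"nvd_published_at": "2026-03-25T18:16:32Z"
+}
+}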
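Review bot: The `details` string on new-file line 10 carries the typo "compromise the intance"; it should read `compromise the instance`, since this text is what NVD mirrors and operators read when triaging. The Workarounds section already names the concrete mitigation (`n8n-nodes-base.merge` in `NODES_EXCLUDE`), so no other content change is needed. The `versions` array appears only on the 2.14.0–2.14.1 range and not on the other two ranges; that is presumably because that range contains exactly one release, but if the database convention is to enumerate versions per range it should be applied to all three for consistency.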
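--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,84 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-c545-x2rh-82fc",
+"modified": "2026-03-25T21:09:13Z",
+"published": "2026-03-25T21:09:13Z",
+"aliases": [
+"CVE-2026-33665"
+],
+"summary": "n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover",
+"details": "## Impact\nWhen LDAP authentication is enabled, n8n automatically linked an LDAP identity to an existing local account if the LDAP email attribute matched the local account's email. An authenticated LDAP user who could control their own LDAP email attribute could set it to match another user's email — including an administrator's — and upon login gain full access to that account. The account linkage persisted even if the LDAP email was later reverted, resulting in a permanent account takeover.\n\n- LDAP authentication must be configured and active (non-default).\n\n## Patches\nThe issue has been fixed in n8n versions 2.4.0 and 1.121.0. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Disable LDAP authentication until the instance can be upgraded.\n- Restrict LDAP directory permissions so that users cannot modify their own email attributes.\n- Audit existing LDAP-linked accounts for unexpected account associations.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"
+},
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "n8n"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "2.0.0-rc.0"
+},
+{
+"fixed": "2.4.0"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "npm",
+"name": "n8n"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.121.0"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-c545-x2rh-82fc"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33665"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/n8n-io/n8n"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-287"
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2026-03-25T21:09:13Z",
+"nvd_published_at": "2026-03-25T18:16:32Z"
+}
+}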
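Review bot: In the `details` string on new-file line 10 the bullet "LDAP authentication must be configured and active (non-default)." dangles under "## Impact" with no lead-in, so it reads as a stray fragment rather than the precondition it evidently is. A heading such as `\n\n## Preconditions\n- LDAP authentication must be configured and active (non-default).` would make the scope clear to operators deciding whether their instance is exposed. The note that the linkage persists after the LDAP email is reverted is the important detection point, and the third workaround (auditing existing LDAP-linked accounts) already addresses it, so no further content change is needed.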
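--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,106 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-m63j-689w-3j35",
+"modified": "2026-03-25T21:08:33Z",
+"published": "2026-03-25T21:08:33Z",
+"aliases": [
+"CVE-2026-33663"
+],
+"summary": "n8n is Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition",
+"details": "## Impact\nAn authenticated user with the `global:member` role could exploit chained authorization flaws in n8n's credential pipeline to steal plaintext secrets from generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) belonging to other users on the same instance.\n\nThe attack abuses a name-based credential resolution path that does not enforce ownership or project scope, combined with a bypass in the credentials permission checker that causes generic HTTP credential types to be skipped during pre-execution validation. Together, these flaws allow a member-role user to resolve another user's credential ID and execute a workflow that decrypts and uses that credential without authorization.\n\nNative integration credential types (e.g. `slackApi`, `openAiApi`, `postgres`) are not affected by this issue.\n\nThis vulnerability affects Community Edition only. Enterprise Edition has additional permission gates on workflow creation and execution that independently block this attack chain.\n\n## Patches\nThe issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Restrict instance access to fully trusted users only.\n- Audit credentials stored on the instance and rotate any generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) that may have been exposed.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+},
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "n8n"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.123.27"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "npm",
+"name": "n8n"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "2.14.0"
+},
+{
+"fixed": "2.14.1"
+}
+]
+}
+],
+"versions": [
+"2.14.0"
+]
+},
+{
+"package": {
+"ecosystem": "npm",
+"name": "n8n"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "2.0.0-rc.0"
+},
+{
+"fixed": "2.13.3"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33663"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/n8n-io/n8n"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-639"
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2026-03-25T21:08:33Z",
+"nvd_published_at": "2026-03-25T18:16:32Z"
+}
+}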
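Review bot: The two CVSS vectors on new-file lines 14 and 18 disagree on impact: the v3.1 vector scores integrity and availability as High (`I:H/A:H`) while the v4.0 vector scores them as None (`VI:N/VA:N`), and the `details` text describes a confidentiality issue (plaintext credential theft). One of the two is presumably mis-scored; the v3.1 vector looks copied from the companion RCE advisory in this commit, which has the identical string `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`. Consumers that key on the v3 base score for prioritisation will see this rated the same as the RCE, so the vectors should be reconciled against the original advisory before merge.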
