Two critical malicious code vulnerabilities threaten automation platform n8n
Several software vulnerabilities threaten the AI-powered automation tool n8n. Security patches are available for download.
(Image: AFANASEV IVAN/Shutterstock.com)
Companies that use n8n to automate business processes, among other things, should update the software promptly. Otherwise, attackers can compromise systems in several ways.
Remote Code Execution
As stated in the security section of the tool's GitHub repository, the developers have closed a total of six security vulnerabilities. Two of them are rated "critical" (CVE-2026-33696, CVE-2026-33660). In the first case, a prototype pollution attack allows malicious code to reach systems and compromise them. The second case permits the same outcome, this time because the AlaSQL sandbox does not sufficiently restrict certain SQL statements.
Another vulnerability (CVE-2026-33663) is rated "high". Here, an authenticated attacker can intercept unencrypted credentials. There are no reports yet of attackers exploiting the vulnerabilities, but this can change quickly. Administrators should therefore ensure that one of the patched versions 1.123.27, 2.13.3, or 2.14.1 is installed.
In the recent past, the developers have released security updates for n8n twice a month.
(des)