- Last update: 26/03/2026
- Affected software: n8n
- Type:
→ CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
→ CWE-94: Improper Control of Generation of Code ('Code Injection')
→ CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CVE/CVSS:
→ CVE-2026-33696: CVSS 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
→ CVE-2026-33660: CVSS 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
→ CVE-2026-33713: CVSS 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
CVE-2026-33696 advisory - https://github.com/n8n-io/n8n/security/advisories/GHSA-mxrg-77hm-89hv
CVE-2026-33660 advisory - https://github.com/n8n-io/n8n/security/advisories/GHSA-58qr-rcgv-642v
CVE-2026-33713 advisory - https://github.com/n8n-io/n8n/security/advisories/GHSA-98c2-4cr3-4jc3
n8n is an extendable, node-based workflow automation tool used to connect SaaS applications and automate complex business logic. The identified vulnerabilities allow authenticated users to achieve full remote code execution on the host system, read sensitive local files, and perform unauthorized database operations. These flaws represent a critical threat to the confidentiality and integrity of the system.
CVE-2026-33696, CVSS 9.4, CWE-1321 ('Prototype Pollution'):
A vulnerability in the XML and GSuiteAdmin nodes allows authenticated attackers to write values to Object.prototype. This can be leveraged to achieve Remote Code Execution (RCE).
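The CWE-1321 mechanism behind CVE-2026-33696, shown as an added, constructed JavaScript illustration that is not n8n's code: a recursive merge of attacker-keyed data (the kind of object an XML-to-object conversion produces) copies a `__proto__` key into Object.prototype, beside a hardened merge that refuses the prototype-polluting keys. Function names and the sample input are assumptions.

```javascript
// Constructed example of CWE-1321 (Prototype Pollution); not n8n's code.
// Keys of untrusted data (e.g. element names from a parsed XML document)
// become object keys and are merged into an existing object.

// Naive recursive merge: copies every key, including "__proto__".
// Reading target["__proto__"] yields Object.prototype, so the recursion
// writes the attacker's values onto the prototype shared by all objects.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: reject the keys that can reach a prototype, and only
// descend into properties the target owns itself (never inherited ones).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing prototype-polluting key: ${key}`);
    }
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object') target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker-controlled input, as a JSON.parse'd document would
// present it (JSON.parse creates an OWN property literally named __proto__).
const untrustedInput = JSON.parse('{"name":"report","__proto__":{"isAdmin":true}}');

function demoUnsafe() {
  mergeUnsafe({}, untrustedInput);
  const leaked = ({}).isAdmin === true; // a brand-new object now "has" isAdmin
  delete Object.prototype.isAdmin;      // undo the pollution for the rest of the process
  return leaked;                        // true: Object.prototype was written
}

function demoSafe() {
  try { mergeSafe({}, untrustedInput); return 'merged'; }
  catch (e) { return ({}).isAdmin === undefined ? 'rejected' : 'polluted'; }
}
```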
CVE-2026-33660, CVSS 9.4, CWE-94 ('Code Injection'):
The Merge node’s "Combine by SQL" mode, powered by AlaSQL, contains a sandbox escape. This allows authenticated attackers to execute arbitrary code or read files on the host machine.
CVE-2026-33713, CVSS 8.7, CWE-89 ('SQL Injection'):
The Data Table Get node lacks proper input sanitization. An authenticated attacker with permissions to create or edit workflows can inject malicious SQL commands into the execution flow. On SQLite deployments, the impact is primarily focused on unauthorized data extraction. On PostgreSQL deployments, the vulnerability can be leveraged for multi-statement execution, granting the attacker the ability to modify and delete data.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-33696
NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-33660
NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-33713