If you discover a (suspected) security vulnerability, please report it through our Vulnerability Disclosure Program.
Security: n8n-io/n8n
- Python Task Runner Sandbox Escape (GHSA-44v6-jhgm-p3m4), published Apr 22, 2026 by Jubke. Severity: High
- Stored XSS in Form Trigger (GHSA-q4fm-pjq6-m63g), published Mar 25, 2026 by Jubke. Severity: Moderate
- XSS in Chat Trigger Node via Custom CSS (GHSA-3c7f-5hgj-h279), published Mar 25, 2026 by Jubke. Severity: Moderate
- Open Redirect in MCP OAuth Consent Flow (GHSA-f6x8-65q6-j9m9), published Apr 22, 2026 by Jubke. Severity: Moderate
- SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes (GHSA-f3f2-mcxc-pwjx), published Feb 25, 2026 by Jubke. Severity: Moderate
- Remote Code Execution via Merge Node (GHSA-wxx7-mcgf-j869), published Feb 25, 2026 by Jubke. Severity: Critical
- Expression Sandbox Escape Leading to RCE (GHSA-vpcf-gvg4-6qwr), published Feb 25, 2026 by Jubke. Severity: Critical
- Stored XSS via Various Nodes (GHSA-2p9h-rqjw-gm92), published Feb 25, 2026 by Jubke. Severity: High
- SQL Injection in Data Table Node via orderByColumn Expression (GHSA-98c2-4cr3-4jc3), published Mar 25, 2026 by Jubke. Severity: High
- Authentication Bypass in Chat Trigger Node (GHSA-jh8h-6c9q-7gmw), published Feb 25, 2026 by Jubke. Severity: Moderate
Learn more about advisories related to n8n-io/n8n in the GitHub Advisory Database