Overview · n8n-io/n8n · GitHub

Security

SECURITY.md

Reporting a Vulnerability

If you discover a (suspected) security vulnerability, please report it through our Vulnerability Disclosure Program.

XML Node Prototype Pollution to RCE
GHSA-hqr4-h3xv-9m3r published Apr 22, 2026 by Jubke

Critical
RCE via SQL Mode of Merge Node
GHSA-58qr-rcgv-642v published Mar 25, 2026 by Jubke

Critical
Prototype Pollution in XML Webhook Body Parser Leads to RCE
GHSA-q5f4-99jv-pgg5 published Apr 22, 2026 by Jubke

Critical
XSS via MCP OAuth client
GHSA-537j-gqpc-p7fq published Apr 22, 2026 by Jubke

High
Hijacking of Unauthenticated Chat Execution
GHSA-f77h-j2v7-g6mw published Apr 22, 2026 by Jubke

Moderate
Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay
GHSA-r4v6-9fqc-w5jr published Apr 22, 2026 by Jubke

High
SQL Injection in SeaTable Node
GHSA-mp4j-h6gh-f6mp published Apr 22, 2026 by Jubke

Moderate
Unauthenticated Denial of Service via MCP Client Registration
GHSA-49m9-pgww-9vq6 published Apr 22, 2026 by Jubke

High
SQL Injection in Snowflake and MySQL Nodes
GHSA-hp3c-vfpm-q4f7 published Apr 22, 2026 by Jubke

Moderate
Public API Variables IDOR Allows Cross-Project Secret Disclosure
GHSA-756q-gq9h-fp22 published Apr 22, 2026 by Jubke

Moderate

Learn more about advisories related to n8n-io/n8n in the GitHub Advisory Database