Technical Advisory: n8n - Multiple Vulnerabilities - March 2026

Disclosed: March 25, 2026

‍Severity: Critical (CVSS 9.4) / High (CVSS 7.1 – 8.8) – Remote Code Execution, Credential Theft, Privilege Escalation‍

Package/Component: n8n (npm)‍

CVEs: CVE-2026-33660 • CVE-2026-33696 • CVE-2026-33663 • CVE-2026-33713 • CVE-2026-33665 • CVE-2026-27496 • CVE-2026-33722

Executive Summary

What Happened: On March 25, 2026, n8n published emergency patches addressing seven vulnerabilities rated Critical or High across its self-hosted workflow automation platform. Two of those vulnerabilities – CVE-2026-33660 and CVE-2026-33696 – are Critical-rated remote code execution flaws reachable by any authenticated user with a default member-role account. The remaining five High-severity findings cover credential theft, SQL injection, account takeover via LDAP, in-process memory disclosure, and an external secrets authorization bypass.

Why It Matters:

• AI agent orchestration risk: n8n is widely deployed as the tool-calling and workflow layer in AI agent pipelines. A compromised instance is a pivot point into every connected service, LLM provider, and credential store.
• Low privilege bar: Both Critical RCEs require only an authenticated member-role account – the default role assigned to any registered user on a self-hosted instance.
• Broad deployment footprint: With 181,000 GitHub stars, 56,000 forks, and over 100 million Docker Hub pulls, the exposed surface is large. A prior n8n expression injection (CVE-2025-68613) is already in the CISA KEV, demonstrating that n8n vulnerabilities do get actively exploited.
• No public PoC yet: As of March 27, 2026, no public proof-of-concept code exists for any of these seven CVEs, and none appear in the CISA KEV. This is the window to patch.

High-Level Risks:

• Arbitrary code execution on the n8n host from any authenticated user account (CVE-2026-33660, CVE-2026-33696)
• Theft of stored HTTP credentials belonging to other users on the same instance (CVE-2026-33663)
• Full admin account takeover on LDAP-enabled instances (CVE-2026-33665)
• SQL injection against the n8n backend database (CVE-2026-33713)
• In-process memory disclosure leaking prior request secrets (CVE-2026-27496)
• Plaintext retrieval of vault secrets by any authenticated user (CVE-2026-33722)

Immediate Actions:

1. Patch now: Upgrade to n8n 1.123.27 (1.x LTS) or 2.13.3 (2.x stable). Beta deployments at 2.14.0 must move to 2.14.1.
2. Workaround for Critical RCEs: Set NODES_EXCLUDE=n8n-nodes-base.merge,n8n-nodes-base.xml to block the two exploit paths until patching is complete.
3. Restrict access: Limit n8n registration to trusted users immediately. The Critical RCEs require only a valid account.
4. Audit workflows: Check existing workflows for Merge nodes in SQL mode and Data Table nodes with expression-based orderByColumn values.
5. Rotate credentials: If the instance was accessible to untrusted users while running a vulnerable version, rotate all stored API keys, database passwords, and vault secrets.

Overview

n8n released a coordinated patch batch on March 25, 2026 covering seven vulnerabilities discovered in its npm package. The disclosure came via the Cloudron community forum, where n8n’s security team posted the full list of CVEs alongside upgrade instructions – an unusual first-disclosure channel that meant major security media had not yet covered the batch as of March 27. All seven advisories have since been published to GitHub’s advisory database with full CVSS scores and version ranges.

The two Critical findings share a common pattern: n8n nodes expose processing capabilities that were not designed with adversarial inputs in mind. The Merge node’s AlaSQL SQL mode (CVE-2026-33660) hands user-supplied SQL directly to a library that can read local files. The GSuiteAdmin and XML nodes (CVE-2026-33696) accept parameter objects without checking for prototype-polluting key names. In both cases, the execution context is the n8n server process itself, so successful exploitation means arbitrary code running with n8n’s OS-level privileges.

n8n holds credentials for every service it connects to: API keys, database passwords, HTTP authentication tokens, and increasingly, connections to LLM providers. When deployed as an AI agent orchestration layer, a compromised n8n instance is not just one vulnerability – it is a breach of the entire pipeline’s credential store. This makes the privilege bar for exploitation (a default member-role account) particularly concerning in multi-tenant or loosely administered deployments.

Risk Analysis

1. AI agent attack surface: When an LLM agent interacts with n8n through its REST API to create or execute workflows – a common pattern in automated AI pipelines – any of the four node-level vulnerabilities (Merge, GSuiteAdmin/XML, Data Table) can be triggered through a single API call. This is the vector that conventional security tooling misses: the exploitation payload travels inside a legitimate, authenticated API request with no observable network anomaly.
2. Credential aggregation: n8n stores credentials for all connected services in an encrypted SQLite or PostgreSQL database. CVE-2026-33663 allows credential theft without touching the database directly – by exploiting the name-based credential resolution in Community Edition, an attacker retrieves decrypted httpBasicAuth, httpHeaderAuth, and httpQueryAuth credentials by embedding them in a workflow execution that they control. The result is plaintext credentials in the execution output of a workflow the attacker ran.
3. Privilege escalation on LDAP deployments: CVE-2026-33665 describes a persistent account takeover: an LDAP user who can modify their own email attribute can set it to match a local admin account’s email, causing n8n to permanently link the LDAP account to the admin. The linkage survives a subsequent email revert. This converts an LDAP user into a local admin with no further steps.
4. Memory and secrets exposure: CVE-2026-27496 (Task Runner memory disclosure) and CVE-2026-33722 (external secrets bypass) are lower in CVSS score but represent residual data exposure that matters in multi-tenant deployments. Task Runner buffers can contain secrets from a prior execution. The external secrets bypass allows any authenticated user to retrieve vault secrets by guessing a secret name, bypassing the externalSecret:list permission check.

CVE Details

All CVEs were published to the National Vulnerability Database on March 25, 2026 with full CVSS scores. GitHub Security Advisories serve as the authoritative technical references.

CVE-2026-33660

• Status: Published (March 25, 2026)
• NVD Entry: CVE-2026-33660
• GHSA: GHSA-58qr-rcgv-642v
• CVSS 4.0 Score: 9.4 Critical
• CWE: CWE-94 – Improper Control of Generation of Code
• Affected Versions: n8n < 1.123.27 (1.x); n8n >= 2.0.0-rc.0, < 2.13.3 (2.x); n8n = 2.14.0 (2.x beta)
• Fixed Version: 1.123.27 / 2.13.3 / 2.14.1
• Description: The Merge node’s “Combine by SQL” mode passes user-supplied SQL to the AlaSQL library without sandboxing. AlaSQL supports file I/O primitives including LOAD DATA INFILE, SELECT * FROM ? FILENAME, and REQUIRE. An authenticated user with workflow creation or modification permissions can embed these SQL statements in a Merge node’s query parameter, causing n8n to read arbitrary local files or execute OS commands on the host. Because n8n’s credential encryption key and SQLite database both reside on the same filesystem, this is a path to full credential exfiltration.
• Assessment: Critical – Arbitrary file read and code execution reachable by any registered user on the instance.

CVE-2026-33696

• Status: Published (March 25, 2026)
• NVD Entry: CVE-2026-33696
• GHSA: GHSA-mxrg-77hm-89hv
• CVSS 4.0 Score: 9.4 Critical
• CWE: CWE-1321 – Improperly Controlled Modification of Object Prototype Attributes
• Affected Versions: n8n < 1.123.27 (1.x); n8n >= 2.0.0-rc.0, < 2.13.3 (2.x); n8n = 2.14.0 (2.x beta)
• Fixed Version: 1.123.27 / 2.13.3 / 2.14.1
• Description: The GSuiteAdmin and XML nodes accept parameter objects directly without validating key names. Supplying a parameter object where a key is __proto__, constructor, or prototype pollutes Object.prototype in the n8n server process. JavaScript prototype pollution in a server context can overwrite built-in methods, inject properties into every object in the process, and in the right execution environment lead to full remote code execution. The XML node’s options parameter is the specific attack surface confirmed in the advisory.
• Assessment: Critical – Prototype pollution leading to RCE in the n8n server process.

CVE-2026-33663

• Status: Published (March 25, 2026)
• NVD Entry: CVE-2026-33663
• GHSA: GHSA-m63j-689w-3j35
• CVSS 4.0 Score: 8.5 High
• CWE: CWE-639 – Authorization Bypass Through User-Controlled Key
• Affected Versions: n8n < 1.123.27 (1.x); n8n >= 2.0.0-rc.0, < 2.13.3 (2.x); n8n = 2.14.0 (2.x beta)
• Fixed Version: 1.123.27 / 2.13.3 / 2.14.1
• Description: Community Edition’s credential permission checker resolves credentials by name rather than by ID in certain code paths. An attacker with a member-role account can create a workflow that references another user’s credential by name and then execute that workflow, receiving the decrypted credential values in the execution output. Affected credential types are httpBasicAuth, httpHeaderAuth, and httpQueryAuth. The advisory notes this chains two separate authorization bypasses.
• Assessment: High – Credential theft of other users’ HTTP authentication credentials via workflow execution.

CVE-2026-33713

• Status: Published (March 25, 2026)
• NVD Entry: CVE-2026-33713
• GHSA: GHSA-98c2-4cr3-4jc3
• CVSS 4.0 Score: 8.7 High
• CWE: CWE-89 – Improper Neutralization of Special Elements Used in an SQL Command
• Affected Versions: n8n < 1.123.26 (1.x); n8n >= 2.0.0-rc.0, < 2.13.3 (2.x); n8n = 2.14.0 (2.x beta)
• Fixed Version: 1.123.26+ for the 1.x branch; 2.13.3 / 2.14.1
• Description: The Data Table node’s orderByColumn parameter is vulnerable to SQL injection when set to an expression value (i.e., the value starts with =). On PostgreSQL-backed deployments, multi-statement execution is possible via SQL separators, allowing data modification and deletion in addition to data exfiltration. SQLite-backed instances see more limited impact but are still vulnerable to single-statement manipulation.
• Assessment: High – SQL injection in a node parameter; data modification possible on PostgreSQL.

CVE-2026-33665

• Status: Published (March 25, 2026)
• NVD Entry: CVE-2026-33665
• GHSA: GHSA-c545-x2rh-82fc
• CVSS 4.0 Score: 8.8 High
• CWE: CWE-287 – Improper Authentication
• Affected Versions: n8n < 1.121.0 (1.x); n8n >= 2.0.0-rc.0, < 2.4.0 (2.x)
• Fixed Version: 1.121.0 (1.x); 2.4.0 (2.x)
• Description: When LDAP authentication is enabled, n8n links LDAP accounts to local accounts by matching email addresses. An LDAP user who controls their LDAP email attribute can set it to match a local account’s email – including an admin account – and trigger a permanent account linkage. The linkage persists even after the email attribute is subsequently changed back. This gives the LDAP user full control of the targeted local account.
• Assessment: High – Permanent privilege escalation to admin for any LDAP user who can modify their LDAP email attribute.

CVE-2026-27496

• Status: Published (March 25, 2026)
• NVD Entry: CVE-2026-27496
• GHSA: GHSA-xvh5-5qg4-x9qp
• CVSS 4.0 Score: 7.1 High
• CWE: CWE-908 – Use of Uninitialized Resource
• Affected Versions: n8n < 1.123.22 (1.x); n8n >= 2.0.0-rc.0, < 2.9.3 (2.x); n8n >= 2.10.0, < 2.10.1 (2.x additional range)
• Fixed Version: 1.123.22 (1.x); 2.9.3 and 2.10.1 (2.x)
• Description: When the Task Runner feature is enabled (N8N_RUNNERS_ENABLED=true), the JavaScript code execution node allocates process buffers without initializing them. User-supplied JavaScript code that calls Buffer.allocUnsafe() or equivalent can read these uninitialized buffers, which may contain memory residue from previous executions including secrets, tokens, or credential data from earlier Task Runner invocations.
• Assessment: High – In-process memory disclosure when Task Runner is enabled; conditional on N8N_RUNNERS_ENABLED=true.

CVE-2026-33722

• Status: Published (March 25, 2026)
• NVD Entry: CVE-2026-33722
• GHSA: GHSA-fxcw-h3qj-8m8p
• CVSS 4.0 Score: 7.3 High
• CWE: CWE-863 – Incorrect Authorization
• Affected Versions: n8n < 1.123.23 (1.x); n8n >= 2.0.0-rc.0, < 2.6.4 (2.x)
• Fixed Version: 1.123.23 (1.x); 2.6.4 (2.x)
• Description: When an external secrets vault is configured on the n8n instance, the credential save endpoint fails to enforce the externalSecret:list permission before allowing a credential to reference a vault secret by name. Any authenticated user can submit a credential save request referencing an external secret name they have guessed, and the response returns the secret’s plaintext value. No prior knowledge of the vault’s contents is needed beyond the ability to guess secret names.
• Assessment: High – External vault secret retrieval by any authenticated user; conditional on external secrets vault being configured.

Summary of Vulnerabilities:

All seven CVEs were published the same day and stem from different root causes, but share a common threat model: an authenticated user with a default member-role account can cause significant damage. The two Critical RCEs (CVE-2026-33660, CVE-2026-33696) are node parameter processing failures – the AlaSQL SQL mode and the XML/GSuiteAdmin parameter parser both accept attacker-controlled data in contexts where arbitrary execution is possible. The five High-severity findings each represent a distinct boundary violation: credential scope (CVE-2026-33663), SQL parameterization (CVE-2026-33713), authentication logic (CVE-2026-33665), memory lifecycle (CVE-2026-27496), and permission enforcement (CVE-2026-33722).

The patch batch covers different version ranges per CVE – some flaws were introduced more recently than others. Instances running the full 2.x stable branch should upgrade to 2.13.3 to address all seven. The 1.x LTS branch is fully remediated at 1.123.27. The 2.x beta release at 2.14.0 is partially affected and is patched at 2.14.1.

Affected Versions

Summary table

Detailed version information

Fixed in 1.123.27 and 2.13.3 (all seven CVEs):

• CVE-2026-33660, CVE-2026-33696, CVE-2026-33663, CVE-2026-33713 – patched in the March 25 release
• CVE-2026-33665 – patched in 1.121.0 (1.x) and 2.4.0 (2.x); current releases carry the fix
• CVE-2026-27496 – patched in 1.123.22 (1.x), 2.9.3 and 2.10.1 (2.x); current releases carry the fix
• CVE-2026-33722 – patched in 1.123.23 (1.x) and 2.6.4 (2.x); current releases carry the fix

Beta branch (2.14.0 only):

• CVE-2026-33660, CVE-2026-33696, CVE-2026-33663, CVE-2026-33713 are present in 2.14.0; patched in 2.14.1
• CVE-2026-33665, CVE-2026-27496, CVE-2026-33722 were already patched in earlier 2.x releases

Recommendations

1. For all 1.x deployments: Upgrade to 1.123.27 or later. This is the minimum version that carries all seven fixes on the 1.x LTS branch.
2. For 2.x stable deployments: Upgrade to 2.13.3 or later.
3. For 2.14.0 beta deployments: Upgrade to 2.14.1 or later.
4. If immediate patching is not possible: Set NODES_EXCLUDE to exclude n8n-nodes-base.merge, n8n-nodes-base.xml, and n8n-nodes-base.dataTable as a temporary control for the three Critical/High node-level vulnerabilities.

Severity Assessment

Range: Critical / High (CVSS 4.0: 7.1 – 9.4)

CVSS 4.0 Vector Analysis (CVE-2026-33660, highest severity):

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

• Attack Vector (AV:N): Network – exploitable from any network location with access to the n8n instance.
• Attack Complexity (AC:L): Low – no special conditions, race conditions, or additional configuration steps required beyond having an account.
• Attack Requirements (AT:N): None – no specialized configuration of the target environment beyond a default n8n deployment.
• Privileges Required (PR:L): Low – requires a member-role account, the default for any registered user.
• User Interaction (UI:N): None – the attacker executes the full exploit chain without any victim interaction.
• Vulnerable System Confidentiality (VC:H): High – the n8n encryption key and database are readable via the file-read primitive.
• Vulnerable System Integrity (VI:H): High – arbitrary code execution allows full modification of the n8n host filesystem and process state.
• Vulnerable System Availability (VA:H): High – an attacker can crash or render the n8n service unavailable.
• Subsequent System Confidentiality (SC:H): High – all credentials stored in n8n (for every connected service) are readable.
• Subsequent System Integrity (SI:H): High – stolen credentials enable modification of connected systems.
• Subsequent System Availability (SA:H): High – cascading effects on connected services are possible.

Severity considerations

Attack vector for CVE-2026-33660:

1. Attacker authenticates to n8n with any valid member-role account
2. Creates or modifies a workflow containing a Merge node configured in “Combine by SQL” mode
3. Sets the SQL query parameter to a file-read primitive: SELECT * FROM ? FILENAME '/home/node/.n8n/config'
4. Executes the workflow and retrieves the encryption key and all stored credentials from the execution output

Impact:

• Confidentiality: Full credential store disclosure, including API keys for all connected services and the n8n encryption key
• Integrity: Arbitrary OS-level writes and process manipulation via code execution
• Availability: Ability to crash the n8n process and disrupt workflow automation for the entire organization

Agentic AI context:

• Trusted API surface: When an LLM agent creates workflows via the n8n REST API, the exploit payload travels inside a normal authenticated request. Network monitoring cannot distinguish this from legitimate workflow creation.
• Credential aggregation: n8n’s role as an integration hub means the credential store is a single-point target for the entire AI pipeline’s authentication material.
• No prior knowledge required: Any registered user on a shared n8n instance can exploit the Critical RCEs without knowing another user’s credentials or having prior admin access.
• Pipeline pivot: A compromised n8n instance gives an attacker authenticated access to every downstream service – databases, email providers, cloud APIs, LLM providers – that n8n connects to.

Assumptions:

• The n8n instance is accessible to the attacker over the network (TCP 5678 or behind a reverse proxy)
• At least one user account exists on the instance (or registration is open)
• The instance is not running with Merge nodes and XML nodes explicitly excluded via NODES_EXCLUDE

Immediate Mitigation Steps

1. Inventory and Visibility

Identify all n8n installations:

# Check npm global installation
npm list -g n8n

# Check local project installation
npm list n8n

# Check for n8n process
ps aux | grep n8n

# Check Docker containers
docker ps | grep n8n
docker images | grep n8n

# Check version of a running instance
npx n8n --version


Maintain an inventory of:

• Which teams and projects run n8n and which n8n version they run
• Which external services and credentials each instance holds
• Whether LDAP authentication is enabled per instance
• Whether N8N_RUNNERS_ENABLED=true is set and in which mode

2. Access controls and least privilege

• Restrict registration: Set N8N_USER_MANAGEMENT_DISABLED=false and configure N8N_EMAIL_MODE to control who can register. The two Critical RCEs require only a member-role account.
• Network isolation: Place n8n behind a reverse proxy with IP allowlisting. Do not expose TCP 5678 directly to the internet.
• Rotate credentials: For any instance accessible to untrusted users while running a vulnerable version, rotate all stored API keys, database passwords, and vault secrets immediately.
• Disable LDAP if not required: If LDAP authentication is not actively used, disable it to eliminate the CVE-2026-33665 attack surface.

3. Monitoring and detection

Watch for these indicators in n8n workflow definitions and execution logs:

• Merge nodes with "combineMode": "sql" or "mode": "combineBySql" in workflow JSON
• SQL queries in Merge node parameters containing LOAD DATA INFILE, SELECT * FROM ? FILENAME, or REQUIRE
• GSuiteAdmin or XML node parameters containing keys named __proto__, constructor, or prototype
• Data Table nodes with orderByColumn parameters that begin with = and contain SQL special characters
• Unexpected workflows created by non-admin users referencing credentials they do not own

4. Environment variable controls

These environment variables provide partial mitigation for the node-level vulnerabilities:

• NODES_EXCLUDE=n8n-nodes-base.merge – disables the Merge node entirely (CVE-2026-33660 mitigation)
• NODES_EXCLUDE=n8n-nodes-base.xml – disables the XML node (CVE-2026-33696 partial mitigation; GSuiteAdmin node also affected)
• NODES_EXCLUDE=n8n-nodes-base.dataTable – disables the Data Table node (CVE-2026-33713 mitigation)
• N8N_RUNNERS_MODE=external – moves Task Runner out-of-process (CVE-2026-27496 mitigation)

Multiple node types can be excluded as a comma-separated list.

5. Network isolation

• Do not expose the n8n API (default TCP 5678) directly to untrusted networks
• Use a reverse proxy that enforces HTTPS and requires authentication for the /rest/ API prefix
• Apply network-layer controls to limit which systems can reach the n8n webhook endpoints (/webhook/, /webhook-test/)

6. Stay informed

• Monitor n8n GitHub Security Advisories for new disclosures
• Subscribe to the NVD feed for n8n to receive future CVE notifications
• Watch the Cloudron forum n8n topic where this batch was first disclosed
• Check the CISA KEV catalog for CVE-2025-68613 activity, which shows this vendor’s CVEs do reach exploitation stage

Long-Term Recommendations

n8n deployment security

Instance hardening:

• Run n8n with a dedicated OS user with no shell access and restricted file system permissions
• Mount the n8n data directory (/home/node/.n8n/) on a separate volume with access controls
• Use PostgreSQL instead of SQLite for the backend database in production; apply database-level access controls
• Enable audit logging for all credential creation, modification, and usage events

Least-privilege credential management:

• Store only the minimum required credentials in n8n; prefer per-integration service accounts over shared credentials
• Use the external secrets vault integration with n8n’s externalSecret:list permission to restrict which users can see vault contents (patch CVE-2026-33722 first)
• Implement credential rotation schedules and revoke credentials from n8n when integrations are decommissioned

Architecture:

• Run n8n in a container with a read-only root filesystem where possible; mount only the data directory as writable
• Segment the n8n network namespace: it should reach external services it connects to, not internal infrastructure beyond what workflows require
• Apply egress filtering to prevent n8n from initiating unexpected outbound connections

AI tool governance

Workflow review process:

• Require security review for any workflow that uses the Merge node in SQL mode, the XML or GSuiteAdmin nodes with parameter expressions, or the Data Table node with expression-based ordering
• Implement a workflow approval process for new workflows created by non-admin users in production instances
• Log all workflow creation and modification events with user attribution

Agent access controls:

• When granting LLM agents access to the n8n API, scope the agent’s API token to the minimum required operations (e.g., read-only if workflow execution monitoring is all that is needed)
• Monitor agent-to-n8n API interactions for unexpected workflow creation or modification patterns

Vulnerability management

Proactive patch management:

• Subscribe to the n8n npm package security feed and set internal SLAs: Critical vulnerabilities patched within 48 hours, High within one week
• Test n8n upgrades in a staging environment before production deployment; n8n upgrades occasionally require database migrations
• Include n8n in existing software composition analysis pipelines

Vendor engagement:

• Report unexpected behavior in n8n nodes to the n8n security team at security@n8n.io
• Follow n8n’s public roadmap for deprecation of legacy node types with known vulnerability histories

Framework Context

These vulnerabilities map to multiple security frameworks:

OWASP Top 10 for LLM Applications (2025)

• LLM03:2025 Supply Chain: n8n as an AI orchestration dependency introduces multiple vulnerability entry points for LLM-connected pipelines.
• LLM05:2025 Improper Output Handling: Execution output from compromised workflows returns plaintext credentials and file contents to the agent.

OWASP Agentic Security Initiative (2026)

• ASI05:2026 Unexpected Code Execution: The two Critical RCEs (CVE-2026-33660, CVE-2026-33696) are direct instances of this category.
• ASI04:2026 Agentic Supply Chain Vulnerabilities: n8n is a widely used tool-orchestration dependency; vulnerabilities in it affect every pipeline that uses it.
• ASI03:2026 Identity and Privilege Abuse: CVE-2026-33663 (credential theft) and CVE-2026-33665 (LDAP account takeover) both fall here.

CWE

• CWE-94: Improper Control of Generation of Code (CVE-2026-33660, AlaSQL RCE)
• CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (CVE-2026-33696, prototype pollution)
• CWE-639: Authorization Bypass Through User-Controlled Key (CVE-2026-33663, credential theft)
• CWE-89: Improper Neutralization of Special Elements in an SQL Command (CVE-2026-33713)
• CWE-287: Improper Authentication (CVE-2026-33665, LDAP account linking)
• CWE-908: Use of Uninitialized Resource (CVE-2026-27496, Task Runner memory disclosure)
• CWE-863: Incorrect Authorization (CVE-2026-33722, external secrets bypass)

Additional Considerations

Business continuity planning

• Assess upgrade feasibility: n8n 1.x to 1.123.27 and 2.x to 2.13.3 are point releases within their branches. Unless your organization has pinned a specific version for tested workflow compatibility, these upgrades should not require workflow migration.
• Apply NODES_EXCLUDE as a bridge: If a workflow in production relies on the Merge node in SQL mode, disable the vulnerable configuration while you evaluate whether that workflow can be redesigned without AlaSQL file I/O.
• Test credential references after upgrade: CVE-2026-33663’s fix changes how credential resolution works in Community Edition; verify that existing workflows still resolve credentials correctly after upgrading.

Legal and compliance implications

• If the instance was accessible to untrusted users while running a vulnerable version and stored credentials have been exposed, evaluate whether notification obligations apply under GDPR, CCPA, or equivalent data protection regulations.
• Encrypted credential storage in n8n does not constitute a security control that prevents disclosure if the encryption key is accessible via the CVE-2026-33660 file-read path.

Incident response preparedness

• Review all workflows created or modified by non-admin users in the 30 days prior to patching for evidence of Merge node SQL mode usage or Data Table expression injection
• Check n8n execution logs for workflow runs that produced unexpected output volume or referenced system file paths
• Audit LDAP account linkage events (if LDAP is enabled) for accounts whose email attributes have been changed recently

Advisory Status: This is a preliminary advisory based on GitHub Security Advisory publications and NVD entries from March 25, 2026. It will be updated as:

• Researchers publish analyses or proof-of-concept code for any of the seven CVEs
• Any of these CVEs are added to the CISA Known Exploited Vulnerabilities catalog
• n8n releases additional mitigation guidance

Last Updated: March 27, 2026

Sources