EXECUTIVE SUMMARY:
A set of seven vulnerabilities in the open-source workflow automation platform n8n has been disclosed and fixed. The flaws range from credential theft via broken authorization checks and account takeover via LDAP attribute mapping, to remote code execution through the Merge node's SQL mode, man-in-the-middle exposure of Git operations, and in-process memory disclosure via uninitialized buffers. Collectively, these vulnerabilities could allow authenticated attackers to execute arbitrary code, steal sensitive credentials, disclose memory containing secrets, or bypass intended access controls on instances that have not been updated to the patched versions.
CVE-2026-33722: Authenticated users could bypass the externalSecret list permission check and retrieve plaintext secrets by referencing external secret names when saving credentials. The vulnerability has a CVSS score of 7.3.
CVE-2026-33720: When the N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true flag is used, the OAuth callback skips verification that the caller owns the credential referenced by the state parameter, allowing tokens to be stored under attacker-controlled credentials. Operators who cannot update immediately should make sure this flag is not set. The vulnerability has a CVSS score of 6.3.
CVE-2026-33724: The Source Control SSH feature used StrictHostKeyChecking=no, so the Git server's host key was never validated, enabling man-in-the-middle attacks during Git operations. The vulnerability has a CVSS score of 6.3.
CVE-2026-33665: An authenticated LDAP user who could control their own LDAP email attribute could set it to match another user's email, including an administrator's, and upon login gain full access to that account, resulting in a permanent account takeover. LDAP authentication must be configured and active. The vulnerability has a CVSS score of 8.8.
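The root cause in CVE-2026-33665 is joining a directory login to a local account on a self-service attribute (mail) instead of the identity the directory actually authenticated. Below is an added example, not n8n's code, contrasting the two join strategies on a constructed user table; the field names, the use of the DN as the stable identifier, and the `email-conflict` refusal are assumptions made for the example.

```javascript
// Constructed user table for the example: one local owner account and one LDAP-backed member.
const USERS = [
  { id: 1, email: "admin@example.com", role: "owner", authSource: "local", ldapDn: null },
  { id: 2, email: "alice@example.com", role: "member", authSource: "ldap",
    ldapDn: "uid=alice,ou=people,dc=example,dc=com" },
];

const norm = (s) => s.trim().toLowerCase();

// Vulnerable shape: the directory's mail attribute is the join key, and the user can edit it.
// Whoever sets their mail to an admin's address logs in as that admin.
function resolveLdapLoginVulnerable(entry, users) {
  const user = users.find((u) => norm(u.email) === norm(entry.mail));
  return user ? { ok: true, user } : { ok: false, reason: "unknown" };
}

// Hardened shape: join on the DN the directory bound with, never on a self-service attribute.
// A DN never seen before may only provision a fresh account; it is refused if its mail collides
// with an existing account (local, or LDAP under a different DN), so an admin can investigate.
function resolveLdapLoginFixed(entry, users) {
  const byDn = users.find((u) => u.authSource === "ldap" && u.ldapDn === entry.dn);
  if (byDn) return { ok: true, user: byDn };
  const byEmail = users.find((u) => norm(u.email) === norm(entry.mail));
  if (byEmail) return { ok: false, reason: "email-conflict", conflictsWith: byEmail.id };
  const user = {
    id: Math.max(0, ...users.map((u) => u.id)) + 1,
    email: norm(entry.mail),
    role: "member",            // first login never inherits privileges from anyone
    authSource: "ldap",
    ldapDn: entry.dn,
  };
  users.push(user);
  return { ok: true, user, created: true };
}
```

Note that with the hardened join an existing LDAP user who changes their own mail attribute still resolves to their own account, because the DN, not the mail, is the key; the mail change is then an ordinary profile update rather than a login decision.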
CVE-2026-33663: A chained authorization flaw allowed global member users to resolve and misuse other users' generic HTTP credentials, stealing plaintext secrets, because credential ownership was not properly verified. The vulnerability has a CVSS score of 8.5.
CVE-2026-33660: An authenticated user with permission to create or modify workflows could use the Merge node's Combine by SQL mode to read local files on the n8n host and achieve remote code execution. The AlaSQL sandbox did not sufficiently restrict certain SQL statements, allowing an attacker to access sensitive files on the server or compromise the instance. The vulnerability has a CVSS score of 9.4.
CVE-2026-27496: When task runners are enabled, the Task Runner could allocate uninitialized buffers that leak residual in-process data, exposing sensitive information. The vulnerability has a CVSS score of 7.1.
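In Node.js the usual source of the bug class in CVE-2026-27496 is `Buffer.allocUnsafe`, which returns memory without clearing it, combined with code that writes fewer bytes than it allocated and then hands out the whole buffer. The example below is added here and is not n8n's Task Runner code; the record format, the function names and the assumption that this is how the bug manifested are all the editor's. Because real residue depends on allocator state, the block takes an injectable allocator and uses a poisoned one in tests so the leak is reproducible, which is also the technique for unit-testing such code.

```javascript
const RECORD_SIZE = 64;

// Vulnerable shape: allocate uninitialized memory, write only the payload, return the full record.
// Bytes 4 + payload.length .. end are whatever alloc() left in that memory.
function packRecordVulnerable(payload, alloc = Buffer.allocUnsafe) {
  if (payload.length > RECORD_SIZE) throw new RangeError("payload too large");
  const rec = alloc(4 + RECORD_SIZE);
  rec.writeUInt32BE(payload.length, 0);
  payload.copy(rec, 4);
  return rec;
}

// Fixed shape: zero-initialized allocation (Buffer.alloc) plus an explicit clear of the unused
// tail, so the output is fully defined even if a caller passes an unsafe allocator.
function packRecordFixed(payload, alloc = Buffer.alloc) {
  if (payload.length > RECORD_SIZE) throw new RangeError("payload too large");
  const rec = alloc(4 + RECORD_SIZE);
  rec.writeUInt32BE(payload.length, 0);
  const written = payload.copy(rec, 4);
  rec.fill(0, 4 + written);
  return rec;
}

// Test-time allocator standing in for stale process memory. Constructed: real residue would be
// previous buffer contents (tokens, env vars, other tasks' data), not a constant.
function poisonedAlloc(n) {
  return Buffer.alloc(n, 0x41);
}

// Bytes beyond the declared payload length. Anything non-zero here is data the packer never wrote.
function residualBytes(rec) {
  const len = rec.readUInt32BE(0);
  return rec.subarray(4 + len);
}

function leaksResidue(rec) {
  return residualBytes(rec).some((b) => b !== 0);
}
```

The same check works as a detection for a live process: if a record's declared length is shorter than the record and the tail is not zero, the producer is shipping memory it did not initialize. Replacing `Buffer.allocUnsafe` with `Buffer.alloc` at the allocation site is the minimal fix; clearing the tail as well keeps the output defined if an unsafe allocation is reintroduced later.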
RECOMMENDATION:
We recommend updating the n8n workflow automation platform to the fixed versions listed below:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-fxcw-h3qj-8m8p
https://github.com/advisories/GHSA-vpgc-2f6g-7w7x
https://github.com/advisories/GHSA-43v7-fp2v-68f6
https://github.com/advisories/GHSA-c545-x2rh-82fc
https://github.com/advisories/GHSA-m63j-689w-3j35
https://github.com/advisories/GHSA-58qr-rcgv-642v
https://github.com/advisories/GHSA-xvh5-5qg4-x9qp