
[CIVN-2026-0252] Multiple Vulnerabilities in n8n
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
n8n versions prior to 1.123.32, 2.17.4, and 2.18.1
n8n versions prior to 1.123.43, 2.20.7, and 2.22.1
Overview
Multiple vulnerabilities have been reported in n8n which may allow an attacker to execute arbitrary code, gain unauthorized access, disclose sensitive information, perform privilege escalation, or compromise the targeted system.
Target Audience:
All end-user organizations responsible for deploying, securing, and maintaining n8n.
Risk Assessment:
High risk of remote code execution, unauthorized access, privilege escalation, and sensitive information disclosure.
Impact Assessment:
Potential for unauthorized access, full system takeover, and exposure of sensitive data.
Description
n8n is a workflow automation platform that allows you to connect different apps, APIs, and services to automate tasks using a visual, node-based workflow builder. It is a low-code, open-source tool commonly used to automate business processes and integrate software systems.
These vulnerabilities exist in n8n due to improper access control, insecure webhook handling, and insufficient input validation.
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, gain unauthorized access, disclose sensitive information, perform privilege escalation, or compromise the targeted system.
Solution
Apply appropriate updates as mentioned:
https://github.com/n8n-io/n8n/security/advisories/GHSA-q5f4-99jv-pgg5
https://github.com/n8n-io/n8n/security/advisories/GHSA-hqr4-h3xv-9m3r
https://github.com/n8n-io/n8n/security/advisories/GHSA-wrwr-h859-xh2r
https://github.com/n8n-io/n8n/security/advisories/GHSA-c8xv-5998-g76h
https://github.com/n8n-io/n8n/security/advisories/GHSA-57g9-58c2-xjg3
CVE Name
CVE-2026-42231
CVE-2026-42232
CVE-2026-44791
CVE-2026-44789
CVE-2026-44790
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


