If you discover a (suspected) security vulnerability, please report it through our Vulnerability Disclosure Program.
Security: n8n-io/n8n
- Arbitrary Command Execution via File Write and Git Operations (GHSA-x2mw-7j39-93xq), published Feb 25, 2026 by Jubke. Severity: Critical
- OS Command Injection in Git Node (GHSA-9g95-qf3f-ggrw), published Feb 4, 2026 by csuermann. Severity: Critical
- Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks (GHSA-jf52-3f2h-h9j5), published Jan 7, 2026 by csuermann. Severity: Moderate
- IP Whitelist Bypass via Partial String Matching (GHSA-w96v-gf22-crwp), published Jan 13, 2026 by csuermann. Severity: Moderate
- Legacy Code node enables file read/write in self-hosted n8n (GHSA-j4p8-h8mh-rh8q), published Dec 24, 2025 by csuermann. Severity: High
- Arbitrary Command Execution in Pyodide based Python Code Node (GHSA-62r4-hw23-cc8v), published Dec 24, 2025 by csuermann. Severity: Critical
- RCE via Arbitrary File Write (GHSA-v364-rw7m-3263), published Jan 6, 2026 by csuermann. Severity: Critical
- Improper File Access Controls Allow Arbitrary File Read by Authenticated Users (GHSA-gfvg-qv54-r4pc), published Feb 4, 2026 by csuermann. Severity: Critical
- Improper CSP Enforcement in Webhook Responses May Allow Stored XSS (GHSA-825q-w924-xhgx), published Feb 4, 2026 by csuermann. Severity: High
- n8n Remote Code Execution via Expression Injection (GHSA-v98v-ff95-f3cp), published Dec 19, 2025 by csuermann. Severity: Critical
Learn more about advisories related to n8n-io/n8n in the GitHub Advisory Database