Platform: nodejs
Component: n8n
Fixed in: 1.123.28, 2.0.1, 2.14.1
CVE-2026-33660 is a critical Remote Code Execution (RCE) vulnerability affecting n8n versions up to 2.14.0. An authenticated user with workflow creation/modification permissions can leverage the "Combine by SQL" feature within the Merge node to read local files and potentially execute arbitrary code on the n8n host. This vulnerability stems from insufficient restrictions within the AlaSQL sandbox, allowing attackers to bypass security measures. Patches are available in n8n versions 2.14.1, 2.13.3, and 1.123.27.
This vulnerability allows an authenticated user to execute arbitrary code on the n8n server. The attacker can exploit the "Combine by SQL" feature within the Merge node to craft malicious SQL queries that bypass the AlaSQL sandbox's intended security measures. Successful exploitation enables the attacker to read local files, potentially exposing sensitive data such as configuration files, API keys, and database credentials. Beyond data exfiltration, the attacker could leverage this access to install malware, create backdoors, or completely compromise the n8n instance and potentially pivot to other systems on the network. The impact is particularly severe given n8n's role in automating workflows, which often involve access to sensitive data and systems.
This vulnerability was publicly disclosed on 2026-03-25. The CVSS score of 9.9 (CRITICAL) indicates a high probability of exploitation. While no public proof-of-concept (PoC) code has been released as of this writing, the ease of exploitation and the critical nature of the vulnerability suggest that it is likely to be targeted by attackers. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns. This vulnerability does not appear to be listed in the CISA KEV catalog at this time.
Organizations heavily reliant on n8n for workflow automation, particularly those with complex workflows involving data merging and SQL operations, are at significant risk. Shared hosting environments where multiple users have access to n8n instances are also vulnerable, as a compromised user could potentially exploit this vulnerability to impact other users on the same server.
• nodejs / server:
ps aux | grep n8n
• nodejs / server:
journalctl -u n8n -f | grep "AlaSQL sandbox"
• generic web:
curl -I http://your-n8n-instance/ | grep Server
Exploit status
EPSS: 0.07% (22nd percentile)
CISA SSVC:
CVSS vector:
The primary mitigation is to upgrade n8n to version 2.14.1, 2.13.3, or 1.123.27 or later. If immediate upgrading is not feasible, consider restricting the SQL access permissions for users who have workflow creation or modification privileges. Implement strict input validation and sanitization on any user-provided SQL queries. Review and audit existing workflows to identify and disable any workflows that utilize the "Combine by SQL" feature. Consider using a Web Application Firewall (WAF) to filter out malicious SQL queries. After upgrading, confirm the vulnerability is resolved by attempting to execute a known malicious SQL query within the Merge node and verifying that it is properly blocked.
Update n8n to version 2.14.1, 2.13.3, or 1.123.26 or a later version. If an update is not immediately possible, restrict the permissions to create and edit workflows to trusted users only, or disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable.
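The checks above (confirm the running version is at or past a fixed release, find workflows that use the "Combine by SQL" mode of the Merge node, confirm the `NODES_EXCLUDE` workaround is in place) can be scripted. The following is an added example written for this page; it is not n8n's own code. It takes the node type `n8n-nodes-base.merge` from the advisory text and the fixed versions from the advisory prose (2.14.1, 2.13.3, 1.123.27). Two things are assumptions: that the Merge node records the "Combine by SQL" mode as the parameter value `combineBySql` in a workflow export, and that `NODES_EXCLUDE` is parsed as a JSON array of node type names. The sample workflow export is constructed for the example.

```javascript
// Added example for this advisory page; not n8n's own code.
// Three defender-side checks: (1) is the running n8n version at or beyond the
// fix versions the advisory text names, (2) does an exported workflow contain
// Merge nodes in "Combine by SQL" mode, (3) is the Merge node disabled via
// NODES_EXCLUDE as the workaround suggests.

// Node type taken from the advisory. The mode value is an ASSUMPTION about
// how the Merge node stores "Combine by SQL" in its parameters.
const MERGE_NODE_TYPE = "n8n-nodes-base.merge";
const SQL_MODE_VALUE = "combineBySql"; // assumed parameter value

// Fixed versions as stated in the advisory text (newest branch first).
const FIXED = [
  { major: 2, minor: 14, patch: 1 },
  { major: 2, minor: 13, patch: 3 },
  { major: 1, minor: 123, patch: 27 },
];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

function compareVersions(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// A version is patched if it is at or beyond the newest fix, or sits on a
// backport branch (same major.minor) at or beyond that branch's fix.
function isPatched(version) {
  const v = parseVersion(version);
  const [latest, ...backports] = FIXED;
  if (compareVersions(v, latest) >= 0) return true;
  return backports.some(
    (f) => v.major === f.major && v.minor === f.minor && v.patch >= f.patch
  );
}

// Return the names of Merge nodes using the SQL combine mode in an n8n
// workflow export (the JSON produced by downloading a workflow from the editor).
function findSqlMergeNodes(workflowExport) {
  const wf =
    typeof workflowExport === "string" ? JSON.parse(workflowExport) : workflowExport;
  const nodes = Array.isArray(wf.nodes) ? wf.nodes : [];
  return nodes
    .filter(
      (n) =>
        n.type === MERGE_NODE_TYPE &&
        n.parameters &&
        n.parameters.mode === SQL_MODE_VALUE
    )
    .map((n) => n.name);
}

// NODES_EXCLUDE is assumed to be a JSON array of node type names; a
// comma-separated value is accepted as a fallback.
function mergeNodeExcluded(envValue) {
  if (!envValue) return false;
  let list;
  try {
    list = JSON.parse(envValue);
  } catch {
    list = envValue.split(",");
  }
  if (!Array.isArray(list)) return false;
  return list.map((s) => String(s).trim()).includes(MERGE_NODE_TYPE);
}

// Constructed sample export, not a real workflow.
const SAMPLE_WORKFLOW = {
  name: "sample",
  nodes: [
    { name: "Fetch", type: "n8n-nodes-base.httpRequest", parameters: {} },
    { name: "Merge SQL", type: MERGE_NODE_TYPE, parameters: { mode: SQL_MODE_VALUE } },
    { name: "Merge Append", type: MERGE_NODE_TYPE, parameters: { mode: "append" } },
  ],
};

// Stand-alone run: audit the sample and report on the current environment.
if (typeof require !== "undefined" && require.main === module) {
  console.log("SQL merge nodes:", findSqlMergeNodes(SAMPLE_WORKFLOW));
  console.log("merge node excluded:", mergeNodeExcluded(process.env.NODES_EXCLUDE));
  const v = process.argv[2];
  if (v) console.log(`${v} patched:`, isPatched(v));
}
```

Run it as `node n8n_audit.js 2.14.0` (the file name is whatever you save it as) to see the version verdict, then point `findSqlMergeNodes` at each exported workflow from your instance instead of the constructed sample. A node reported here is a candidate for the audit and disable step described above; the version check uses only the numbers in the advisory text, so compare them against the vendor advisory before acting on a borderline result.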
CVE-2026-33660 is a critical Remote Code Execution vulnerability in n8n workflow automation software, allowing authenticated users to execute arbitrary code.
You are affected if you are using n8n versions 2.14.0 or earlier. Upgrade to 2.14.1, 2.13.3, or 1.123.27 to resolve the issue.
Upgrade to n8n version 2.14.1, 2.13.3, or 1.123.27. As a temporary workaround, restrict user permissions and carefully review SQL queries.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the official n8n security advisory on their website or GitHub repository for detailed information and updates.