Platform: nodejs
Component: n8n
Fixed in: 1.123.28, 2.0.1, 2.14.1
CVE-2026-33660 is a critical Remote Code Execution (RCE) vulnerability affecting n8n versions up to 2.14.0. An authenticated user with workflow creation or modification permissions can use the "Combine by SQL" operation of the Merge node to read local files on the n8n host and potentially execute arbitrary code there. The SQL is supplied by the user as a node parameter, so the failing control is not input sanitization but the restrictions placed around AlaSQL, the in-process JavaScript SQL engine the node uses; those restrictions were insufficient and could be bypassed. Patches are available in n8n versions 2.14.1, 2.13.3, and 1.123.27.
The impact of CVE-2026-33660 is severe. An attacker who exploits it gains code execution as the n8n process on the server, which is enough to read sensitive files such as the instance's configuration and stored credentials, install malware, modify data, or fully compromise the host. Because n8n is typically provisioned with credentials for many downstream systems, a compromised instance is also a pivot point into everything those workflows talk to. The AlaSQL sandbox, intended to confine SQL operations to the data passed through the node, failed to adequately restrict certain SQL statements and functions, enabling the escape. Unlike classic SQL injection, where untrusted input is smuggled into a query written by the developer, here the query itself is attacker-authored by design; that is why permission scoping is part of the mitigation.
CVE-2026-33660 was published on 2026-03-25. At the time of this listing its EPSS score is 0.07% (22nd percentile), which is a low predicted probability of exploitation in the wild, and no public proof-of-concept or active campaign is confirmed here. The low prerequisites (any authenticated user who may edit workflows) mean that instances with shared or loosely controlled accounts should nevertheless treat this as a priority, and EPSS should be re-checked as the score is updated.
Exploit Status
EPSS: 0.07% (22nd percentile)
CISA SSVC:
The primary mitigation for CVE-2026-33660 is to upgrade to a patched version of n8n: 2.14.1, 2.13.3, or 1.123.27, or any later release. If immediate upgrading is not feasible, reduce exposure in the meantime. Limit workflow creation and editing permissions to trusted users only, since the vulnerable SQL is written by whoever edits the workflow rather than injected from outside. Audit existing workflows for Merge nodes that use the "Combine by SQL" operation and review their queries. Alternatively, disable the Merge node entirely by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable; note that this removes every mode of the node, not just the SQL one, so workflows that depend on it will fail until the node is re-enabled after patching. A Web Application Firewall is of limited value here: the SQL arrives as a parameter inside workflow JSON submitted through n8n's own API by an already-authenticated user, so it does not look like a conventional injection payload. After upgrading, confirm the fix by checking the running version and, in a disposable test workflow, verifying that the file-access behaviour described in the advisory no longer works.
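As an added example (not code from this page or from the n8n project), the following Node.js script performs the three checks above: whether a running version is on a patched release for its line, which nodes in an exported workflow use the Merge node's "Combine by SQL" operation, and what `NODES_EXCLUDE` value implements the workaround without dropping nodes that are already excluded. The node type `n8n-nodes-base.merge` comes from the workaround text; the export field names `parameters.mode === "combineBySql"` and `parameters.query`, and the JSON-array encoding of `NODES_EXCLUDE`, are assumptions to verify against your n8n version. The sample workflow is constructed.

```javascript
// Added triage helper for CVE-2026-33660 (not n8n project code).
// Assumptions not taken from the page: exported workflow JSON carries Merge
// nodes as type "n8n-nodes-base.merge" with parameters.mode === "combineBySql"
// and the SQL text in parameters.query; NODES_EXCLUDE is a JSON array
// serialised into the environment variable's string value.

function parseVersion(v) {
  // "2.14.1" -> [2, 14, 1]; a suffix such as "-rc1" is dropped by parseInt.
  return String(v).split(".").map((p) => parseInt(p, 10) || 0);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when `version` is at or above the patched release for its line,
// per the patched versions this page lists: 2.14.1, 2.13.3, 1.123.27.
function isFixed(version) {
  const [major, minor] = parseVersion(version);
  if (major === 1) return compareVersions(version, "1.123.27") >= 0;
  if (major === 2 && minor === 13) return compareVersions(version, "2.13.3") >= 0;
  if (major > 2 || (major === 2 && minor >= 14)) return compareVersions(version, "2.14.1") >= 0;
  return false; // 2.0.x .. 2.12.x: no patched release listed on these lines
}

// Lists Merge nodes in "Combine by SQL" mode with their query text, so the
// SQL can be reviewed (or the workflow deactivated) before patching.
function findSqlMergeNodes(workflow) {
  return (workflow.nodes || [])
    .filter((n) => n.type === "n8n-nodes-base.merge"
      && n.parameters && n.parameters.mode === "combineBySql")
    .map((n) => ({ name: n.name, query: n.parameters.query || "" }));
}

// Builds the NODES_EXCLUDE value with the Merge node added, keeping any nodes
// already excluded. `existing` is the current variable value or "".
function nodesExcludeWith(existing, nodeType = "n8n-nodes-base.merge") {
  const list = existing ? JSON.parse(existing) : [];
  if (!list.includes(nodeType)) list.push(nodeType);
  return JSON.stringify(list);
}

// Constructed sample export, not a real workflow.
const SAMPLE_WORKFLOW = {
  name: "constructed sample",
  nodes: [
    { name: "Merge SQL", type: "n8n-nodes-base.merge", typeVersion: 3,
      parameters: { mode: "combineBySql",
        query: "SELECT * FROM input1 LEFT JOIN input2 ON input1.id = input2.id" } },
    { name: "Merge Append", type: "n8n-nodes-base.merge", typeVersion: 3,
      parameters: { mode: "append" } },
    { name: "Edit Fields", type: "n8n-nodes-base.set", typeVersion: 3, parameters: {} },
  ],
};

if (typeof require !== "undefined" && require.main === module) {
  const running = process.env.N8N_VERSION || "2.14.0";
  console.log(`${running}: ${isFixed(running) ? "patched" : "VULNERABLE"}`);
  for (const hit of findSqlMergeNodes(SAMPLE_WORKFLOW)) {
    console.log(`review node "${hit.name}": ${hit.query}`);
  }
  console.log(`NODES_EXCLUDE=${nodesExcludeWith(process.env.NODES_EXCLUDE || "")}`);
}
```

Run it with `N8N_VERSION=$(n8n --version) node triage.js`, and point `findSqlMergeNodes` at each file produced by a workflow export to get the list of queries to review. Versions 2.0.x through 2.12.x are reported as vulnerable because the page lists no patched release on those lines; the only remedy there is moving to 2.13.3 or 2.14.1.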
CVE-2026-33660 is a critical Remote Code Execution vulnerability in n8n workflow automation software, allowing authenticated users to execute arbitrary code.
You are affected if you run n8n 2.14.0 or any earlier release that is below the patch for its line: below 1.123.27 on the 1.x line, below 2.13.3 on the 2.13 line, or any 2.0 to 2.12 release. Upgrade to 2.14.1, 2.13.3, or 1.123.27 to resolve the issue.
Upgrade to n8n version 2.14.1, 2.13.3, or 1.123.27. As a temporary workaround, restrict workflow editing to trusted users, review existing "Combine by SQL" queries, or disable the Merge node via `NODES_EXCLUDE`.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the official n8n security advisory on their website or GitHub repository for detailed information and updates.
CVSS Vector