If you discover a (suspected) security vulnerability, please report it through our Vulnerability Disclosure Program.
Security: n8n-io/n8n
- Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks (GHSA-jf52-3f2h-h9j5), published Jan 7, 2026 by csuermann, severity: Moderate
- Legacy Code node enables file read/write in self-hosted n8n (GHSA-j4p8-h8mh-rh8q), published Dec 24, 2025 by csuermann, severity: High
- Arbitrary Command Execution in Pyodide based Python Code Node (GHSA-62r4-hw23-cc8v), published Dec 24, 2025 by csuermann, severity: Critical
- RCE via Arbitrary File Write (GHSA-v364-rw7m-3263), published Jan 6, 2026 by csuermann, severity: Critical
- n8n Remote Code Execution via Expression Injection (GHSA-v98v-ff95-f3cp), published Dec 19, 2025 by csuermann, severity: Critical
- Unauthenticated File Access via Improper Webhook Request Handling (GHSA-v4pr-fm98-w9pg), published Jan 7, 2026 by csuermann, severity: Critical
- Remote Code Execution via Git Node Custom Pre-Commit Hook (GHSA-wpqc-h9wp-chmq), published Dec 8, 2025 by csuermann, severity: Critical
- Remote Code Execution via Git Node Pre-Commit Hook (GHSA-xgp7-7qjq-vg47), published Oct 30, 2025 by csuermann, severity: High
- Possible Stored XSS in “Respond to Webhook” Node May Execute Outside Sandbox (GHSA-58jc-rcg5-95f3), published Dec 26, 2025 by csuermann, severity: High
- Stored XSS in n8n LangChain Chat Trigger Node via initialMessages Parameter (GHSA-mvh4-2cm2-6hpg), published Sep 14, 2025 by csuermann, severity: Moderate
Learn more about advisories related to n8n-io/n8n in the GitHub Advisory Database