Description
n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could leverage the Merge node's SQL query mode to execute arbitrary code and write arbitrary files on the n8n server. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Published: 2026-02-25
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Upgrade Now
AI Analysis

Impact

n8n, an open source workflow automation platform, contains a flaw in the Merge node that, when set to SQL query mode, allows an authenticated user with workflow creation or editing permissions to execute arbitrary user‑provided code and write files on the server. The problem is due to unsanitized inputs in the SQL interpreter, enabling code injection (CWE‑94) and command injection (CWE‑89). With this ability the attacker can compromise the entire n8n installation, gaining full control over the host, reading and modifying sensitive data, and installing malware.

Affected Systems

The issue affects the n8n product from the vendor n8n‑io. Versions older than 2.10.1, 2.9.3, and 1.123.22 are vulnerable. All installations that run these versions and have a Merge node exposed to users with permission to create or edit workflows are at risk.

Risk and Exploitability

The CVSS score is 9.4, indicating high severity. The EPSS score is less than 1 %, meaning exploitation is considered unlikely at present, and the vulnerability is not listed in CISA’s KEV catalog. The most likely attack vector is authenticated exploitation via a valid user account with workflow modification rights; a compromise does not require network exposure as the vulnerable functionality runs on the server itself. Because the flaw permits arbitrary code execution and file writes, the impact is complete compromise of the affected system once the attacker succeeds.

Generated by OpenCVE AI on April 17, 2026 at 14:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to n8n v2.10.1, v2.9.3, or v1.123.22 or later to apply the fix.
  • Restrict workflow creation and editing permissions to trusted users only.
  • Disable the Merge node by adding n8n-nodes-base.merge to the NODES_EXCLUDE environment variable.

Generated by OpenCVE AI on April 17, 2026 at 14:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wxx7-mcgf-j869 n8n has Potential Remote Code Execution via Merge Node
History

Wed, 04 Mar 2026 03:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 28 Feb 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared N8n
N8n n8n
Vendors & Products N8n
N8n n8n

Wed, 25 Feb 2026 22:45:00 +0000

Type Values Removed Values Added
Description n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could leverage the Merge node's SQL query mode to execute arbitrary code and write arbitrary files on the n8n server. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Title n8n has Potential Remote Code Execution via Merge Node
Weaknesses CWE-89
CWE-94
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

N8n N8n
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T19:35:29.529Z

Reserved: 2026-02-19T19:46:03.542Z

Link: CVE-2026-27497

cve-icon Vulnrichment

Updated: 2026-02-26T19:35:24.166Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T23:16:21.037

Modified: 2026-03-04T03:35:58.510

Link: CVE-2026-27497

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses