Overview · n8n-io/n8n · GitHub

Security

SECURITY.md

Reporting a Vulnerability

If you discover a (suspected) security vulnerability, please report it through our Vulnerability Disclosure Program.

XML Node Prototype Pollution Patch Bypass
GHSA-wrwr-h859-xh2r published May 13, 2026 by Jubke

Critical
Source Control Pull SQL Injection
GHSA-mhrx-qhrj-673w published May 13, 2026 by Jubke

High
Cross-user Authorization Bypass in Dynamic Credential OAuth Endpoints
GHSA-6h4j-wcr9-2vg7 published May 13, 2026 by Jubke

High
HTTP Request Node Pagination Prototype Pollution to RCE
GHSA-c8xv-5998-g76h published May 13, 2026 by Jubke

Critical
Arbitrary File Read via Git Node
GHSA-57g9-58c2-xjg3 published May 13, 2026 by Jubke

Critical
XML Node Prototype Pollution to RCE
GHSA-hqr4-h3xv-9m3r published Apr 22, 2026 by Jubke

Critical
RCE via SQL Mode of Merge Node
GHSA-58qr-rcgv-642v published Mar 25, 2026 by Jubke

Critical
Prototype Pollution in XML Webhook Body Parser Leads to RCE
GHSA-q5f4-99jv-pgg5 published Apr 22, 2026 by Jubke

Critical
Credential exfiltration via Allowed HTTP Request Domains Bypass
GHSA-3875-8gcx-7v46 published May 13, 2026 by Jubke

Moderate
XSS via MCP OAuth client
GHSA-537j-gqpc-p7fq published Apr 22, 2026 by Jubke

High

Learn more about advisories related to n8n-io/n8n in the GitHub Advisory Database