Critical Vulnerabilities in n8n Workflow Automation Tool
Multiple critical vulnerabilities in n8n, including prototype pollution, code injection, and SQL injection, allow authenticated users to achieve remote code execution, read sensitive files, and perform unauthorized database operations.
Multiple critical vulnerabilities have been discovered in n8n, an extendable, node-based workflow automation tool used for connecting SaaS applications and automating complex business logic. These vulnerabilities, identified as CVE-2026-33696, CVE-2026-33660, and CVE-2026-33713, can be exploited by authenticated users. Successful exploitation allows for remote code execution on the host system, reading sensitive local files, and performing unauthorized database operations. The vulnerabilities affect the XML, GSuiteAdmin, and Merge nodes, as well as the Data Table Get node. These flaws represent a critical threat to the confidentiality and integrity of n8n deployments. The Centre for Cybersecurity Belgium (CCB) strongly recommends immediate patching.
Attack Chain
- Attacker authenticates to an n8n instance.
- For CVE-2026-33696, the attacker crafts a malicious request targeting the XML or GSuiteAdmin node to write values to Object.prototype.
- For CVE-2026-33660, the attacker uses the Merge node with the “Combine by SQL” mode and exploits the AlaSQL sandbox escape to inject arbitrary code.
- For CVE-2026-33713, the attacker crafts a malicious SQL query via the Data Table Get node.
- The injected code or SQL commands are executed by the n8n server.
- The attacker gains the ability to read sensitive files from the host system.
- The attacker executes arbitrary commands on the host, leading to full remote code execution.
- The attacker performs unauthorized operations in the database, potentially modifying or deleting data.
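The prototype-pollution mechanism behind the first step of the chain, shown as an added generic JavaScript example that is not n8n's code and does not reproduce CVE-2026-33696: a "deep merge" of parser output (XML converted to an object, or JSON) that carries a key named `__proto__` writes through to `Object.prototype`, so every object in the process inherits the injected values. The payload, the `unsafeMerge`/`safeMerge` names and the `runDemo` harness are constructed for this illustration.

```javascript
// Added example (generic JavaScript, not n8n code): how a recursive merge of
// parser output pollutes Object.prototype, and a hardened merge that does not.
// The payload is constructed; it does not reproduce CVE-2026-33696.

// Typical deep merge found in option/config handling. On any plain object,
// target["__proto__"] resolves to Object.prototype, so a source key named
// __proto__ makes the recursion write into the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys through which a plain-object write can escape into a prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened variant: refuse prototype-reaching keys and only recurse into
// properties the target actually owns (never into inherited ones).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge key "${key}"`);
    }
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (own === null || typeof own !== "object") target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload: what a parser yields for an element or key named
// __proto__. JSON.parse creates an *own* data property with that name.
const PAYLOAD_JSON = '{"__proto__": {"isAdmin": true}}';

function runDemo() {
  const result = {};

  // 1. Vulnerable path: after the merge, an unrelated fresh object "has" isAdmin.
  unsafeMerge({}, JSON.parse(PAYLOAD_JSON));
  result.unsafePolluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution before the next step

  // 2. Hardened path: the merge is refused and nothing reaches the prototype.
  try {
    safeMerge({}, JSON.parse(PAYLOAD_JSON));
    result.safeRejected = false;
  } catch (e) {
    result.safeRejected = true;
  }
  result.safePolluted = ({}).isAdmin === true;
  return result;
}
```

The check to look for in any code that merges or assigns parsed, attacker-influenced keys is the same as in `safeMerge`: reject or drop `__proto__`, `constructor` and `prototype`, and never recurse into a property the target does not own. Holding parsed data in objects created with `Object.create(null)` (or in a `Map`) removes the `__proto__` accessor entirely and is a second, independent layer.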
Impact
Successful exploitation of these vulnerabilities allows an attacker to gain full remote code execution on the n8n host system, potentially compromising the entire server infrastructure. The attacker can also read sensitive local files, potentially exposing credentials and configuration data. In PostgreSQL deployments, the attacker can modify and delete data due to multi-statement execution capabilities via SQL injection (CVE-2026-33713). This can lead to significant data loss and disruption of services relying on the n8n platform.
Recommendation
- Immediately patch n8n instances to the latest version to address CVE-2026-33696, CVE-2026-33660, and CVE-2026-33713 (reference: CCB advisory).
- Implement the provided Sigma rules to detect potential exploitation attempts in your n8n environment.
- Monitor n8n logs for suspicious SQL queries and code execution patterns, focusing on the Data Table Get and Merge nodes (reference: CVE-2026-33713 and CVE-2026-33660 descriptions).
- Review n8n access controls and ensure the principle of least privilege to minimize the impact of potential exploitation.
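Worked triage heuristics for the monitoring recommendation, as an added example that is neither the platform's Sigma rules nor n8n's own code: it walks node events for the three node families named in the advisory and flags JavaScript identifiers inside a "Combine by SQL" query, stacked statements or comment markers inside Data Table Get parameters, and prototype-reaching keys in XML/GSuiteAdmin parameters or input items. The event shape (`type`, `name`, `parameters`, `input`), the `n8n-nodes-base.*` type strings, the `combineBySql`/`query`/`operation` parameter names and the sample events are all assumptions or constructed data; map them onto your own workflow exports or execution logs before relying on the output.

```javascript
// Added example (not the platform's Sigma rules, not n8n code): heuristic
// triage of n8n node events for the three advisory findings. Event shape,
// node type strings and parameter names are ASSUMPTIONS modelled on n8n's
// "n8n-nodes-base.*" naming; adjust them to your instance.

// Keys through which a write can reach Object.prototype.
const POLLUTION_KEYS = new Set(["__proto__", "constructor", "prototype"]);
// JavaScript identifiers that have no business inside a "Combine by SQL" query.
const ALASQL_ESCAPE = /\b(?:require|process|child_process|Function|eval|constructor|__proto__)\b/;
// A second statement stacked after a terminator, or an injected comment marker.
const STACKED_SQL = /;\s*(?:drop|delete|update|insert|alter|truncate|create|grant)\b|--|\/\*/i;

// Collect JSONPath-like locations of prototype-reaching keys anywhere in a value.
function findPollutionKeys(value, path = "$") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findPollutionKeys(v, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      if (POLLUTION_KEYS.has(key)) hits.push(`${path}.${key}`);
      hits.push(...findPollutionKeys(value[key], `${path}.${key}`));
    }
  }
  return hits;
}

// Collect every string leaf so the exact parameter layout does not matter.
function stringLeaves(value) {
  if (typeof value === "string") return [value];
  if (Array.isArray(value)) return value.flatMap(stringLeaves);
  if (value !== null && typeof value === "object") return Object.values(value).flatMap(stringLeaves);
  return [];
}

function triageEvent(event) {
  const findings = [];
  const params = event.parameters || {};
  // CVE-2026-33660: Merge node in "Combine by SQL" mode with JS inside the query.
  if (event.type === "n8n-nodes-base.merge" && params.mode === "combineBySql") {
    if (typeof params.query === "string" && ALASQL_ESCAPE.test(params.query)) {
      findings.push({ node: event.name, severity: "critical", rule: "merge-alasql-sandbox-escape" });
    }
  }
  // CVE-2026-33713: Data Table Get parameters carrying stacked SQL or comments.
  if (event.type === "n8n-nodes-base.dataTable" && params.operation === "get") {
    if (stringLeaves(params).some((s) => STACKED_SQL.test(s))) {
      findings.push({ node: event.name, severity: "high", rule: "datatable-get-sql-injection" });
    }
  }
  // CVE-2026-33696: prototype-reaching keys in XML/GSuiteAdmin parameters or input.
  if (event.type === "n8n-nodes-base.xml" || event.type === "n8n-nodes-base.gSuiteAdmin") {
    const hits = findPollutionKeys({ parameters: params, input: event.input || [] });
    if (hits.length > 0) {
      findings.push({ node: event.name, severity: "high", rule: "prototype-pollution-key", where: hits });
    }
  }
  return findings;
}

function triage(events) {
  return events.flatMap(triageEvent);
}

// Constructed sample events (not real n8n logs): a benign and a suspicious case per node.
// The "suspicious" strings are detector test inputs, not working exploits.
const SAMPLE_EVENTS = [
  { type: "n8n-nodes-base.merge", name: "Merge benign",
    parameters: { mode: "combineBySql", query: "SELECT * FROM input1 LEFT JOIN input2 ON input1.id = input2.id" } },
  { type: "n8n-nodes-base.merge", name: "Merge suspicious",
    parameters: { mode: "combineBySql", query: "SELECT * FROM input1 WHERE 1 = require('child_process')" } },
  { type: "n8n-nodes-base.dataTable", name: "Get benign",
    parameters: { operation: "get", filters: { conditions: [{ keyName: "email", keyValue: "alice@example.com" }] } } },
  { type: "n8n-nodes-base.dataTable", name: "Get suspicious",
    parameters: { operation: "get", filters: { conditions: [{ keyName: "email", keyValue: "x'; DROP TABLE users; --" }] } } },
  { type: "n8n-nodes-base.xml", name: "XML suspicious",
    parameters: { mode: "xmlToJson" }, input: [JSON.parse('{"__proto__": {"isAdmin": true}}')] },
];
```

These patterns are a starting point, not a substitute for patching: the string heuristics will miss obfuscated payloads and flag some legitimate queries, so tune `ALASQL_ESCAPE` and `STACKED_SQL` against the workflows your own users actually run, and treat a hit as a trigger for reviewing the workflow and the account that saved it rather than as proof of compromise.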
Detection coverage (3 rules)
Detect Potential SQL Injection in n8n Data Table Get Node
Severity: high. Detects suspicious SQL queries in the n8n Data Table Get node that may indicate SQL injection attempts (CVE-2026-33713).
Detect Code Injection Attempt via n8n Merge Node AlaSQL Sandbox Escape
Severity: critical. Detects attempts to exploit the AlaSQL sandbox escape vulnerability in the n8n Merge node (CVE-2026-33660).
Detect Prototype Pollution Attempt in n8n XML/GSuiteAdmin Nodes
Severity: high. Detects attempts to write to Object.prototype via the XML or GSuiteAdmin nodes, indicating a potential prototype pollution attack (CVE-2026-33696).
Detection queries are kept inside the platform.