RCE in N8n-io N8n

CVE-2026-33660

n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.26, an authenticated user with permission to create or modify workflows could use the Merge node's "Combine by SQL" mode to read local files on…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.001 (23.6th percentile) — read the EPSS interpretation.

Affected products

N8n-io N8n — versions < 1.123.27, >= 2.0.0-rc.0, < 2.13.3, = 2.14.0

Weakness classification (CWE)

CWE-94 — Code Injection

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-58qr-rcgv-642v (x_refsource_CONFIRM)