The n8n team published two security advisories on March 25, 2026, both rated CVSS 4.0 9.4. CVE-2026-33660 allows remote code execution through the Merge node's SQL mode. CVE-2026-33696 achieves the same result through prototype pollution in the GSuiteAdmin and XML nodes.
Both vulnerabilities require authentication and workflow editing permissions. Both are patched in n8n versions 2.14.1, 2.13.3, and 1.123.27.
The project has accumulated over 181,000 GitHub stars and more than 100 million Docker Hub image pulls.
All self-hosted n8n installations below versions 2.14.1, 2.13.3, or 1.123.27 are affected. Update immediately. If an update is not possible, disable the Merge node (NODES_EXCLUDE=n8n-nodes-base.merge) and the XML node (NODES_EXCLUDE=n8n-nodes-base.xml) via the NODES_EXCLUDE environment variable.
Why n8n is a high-value target
n8n is an open-source workflow automation platform with over 400 integrations. Its architecture revolves around nodes, modular blocks that perform API calls, data processing, and notifications. Workflows store credentials for external services, including AWS credentials, Slack tokens, and database connection strings. Compromising the n8n server hands an attacker every secret at once.
Organizations ranging from startups to large enterprises deploy n8n for internal automation. Many deployments run with elevated privileges to access internal APIs, databases, and cloud services. A single compromised workflow can cascade access across the entire infrastructure. The n8n team maintains three parallel release branches (current, previous stable, and legacy 1.x), which complicates patch distribution.
CVE-2026-33660: code execution via AlaSQL in the Merge node
The Merge node offers a "Combine by SQL" mode for joining data from multiple inputs. Under the hood, n8n uses AlaSQL, a JavaScript SQL engine that processes JSON objects in memory. AlaSQL was built for browser-side analytics, not for executing untrusted input on a server.
AlaSQL treats JavaScript functions as first-class citizens within SQL expressions. The engine supports the REQUIRE keyword, filesystem operations through built-in fs handlers, and access to object constructors via the prototype chain. Before the fix, n8n loaded AlaSQL in the main Node.js process with full access to require(), child_process, and the server filesystem.
The vulnerability is classified as CWE-94 (Improper Control of Code Generation). CVSS 4.0 score is 9.4. The CVSS 3.1 vector uses Changed scope (S:C). Compromise extends beyond the n8n process to the host system and all credentials.
Attack chain for CVE-2026-33660
An attacker with workflow editing permissions creates a Merge node in "Combine by SQL" mode. Instead of a standard SELECT, the attacker injects a query that traverses the JavaScript constructor chain to invoke child_process.execSync(). The test case added in PR #26364 demonstrates the pattern:
```sql
SELECT {}.constructor->constructor->[call]('',
'return {result: process.getBuiltinModule("child_process")
.execSync("ls").toString()}') as toJSON
```
AlaSQL's built-in filesystem functions open two additional vectors. An attacker can read /etc/passwd, the n8n configuration file, or credential encryption keys at ~/.n8n/config. Through export functions, an attacker can write a malicious JS file to a web-accessible directory and trigger it via HTTP for persistent access. The n8n encryption key (used to decrypt all stored credentials) is the most valuable target on the filesystem.
CVE-2026-33660 requires no victim interaction. Attack complexity is low.
The patch for CVE-2026-33660
PR #26364 (author michael-radency, reviewer DawidMyslak, merged March 3, 2026) redesigned SQL execution at the architecture level. AlaSQL now runs inside a separate V8 isolate with a 64 MB memory limit. The code loads the browser build of AlaSQL (alasql/dist/alasql.min.js), a bundle that does not contain fs or require handlers.
```typescript
// packages/nodes-base/nodes/Merge/v3/helpers/sandbox-utils.ts
// Load the browser build of AlaSQL, which ships without fs or require
// handlers, and evaluate it inside the separate V8 isolate.
const alasqlBundlePath = require.resolve('alasql/dist/alasql.min.js');
await sandboxContext.eval(await readFile(alasqlBundlePath, 'utf-8'));
// Freeze the user-defined function table so functions registered by one
// workflow cannot leak into another.
await sandboxContext.eval('Object.freeze(alasql.fn)');
```
Table data crosses the security boundary via double JSON serialization. Inside the isolate, data is parsed from a string literal rather than passed as live objects. The double-stringify pattern ensures no prototype chain references leak into the sandbox.
Any attempt to access process, require, or child_process from inside the isolate throws an exception. SQL queries are subject to a 5-second execution timeout.
After loading the bundle, the code calls Object.freeze(alasql.fn) to prevent user-defined functions from leaking between workflows. This was a regression fix flagged during code review. The earlier implementation (commit 79f1cca) had frozen alasql.fn, but the new isolated-vm code initially omitted it.
This is at least the third RCE through AlaSQL in n8n's Merge node. CVE-2026-27497 described a similar code execution and file write issue earlier in 2026. CVE-2026-27577 also targeted the same component. Each time, developers addressed individual vectors until PR #26364 eliminated the entire class of attack by moving execution into an isolated-vm sandbox.
Prior fix attempts
n8n had already attempted to close this vector. Commit 79f1cca (October 21, 2025, PR #20858, co-authored by Elias Meire) blocked AlaSQL filesystem operations. The JavaScript constructor chain vector remained open. CVE-2026-33660 resulted from that gap.
PR #26364 was first released in n8n 2.11.1 on March 4, 2026. The advisory published three weeks later lists fixed versions 2.14.1, 2.13.3, and 1.123.27, representing backports across three release branches. Instances running 2.11.1 through 2.14.0 on the main branch already contain the isolated-vm fix from that PR.
CVE-2026-33696: prototype pollution in GSuiteAdmin and XML nodes
The GSuiteAdmin (Google Workspace Admin) and XML nodes accept user-supplied parameters for domain management and XML parsing. An attacker can supply a crafted object with __proto__ or constructor.prototype properties as node configuration.
When n8n processes these parameters without sanitization, it writes attacker-controlled values onto Object.prototype. Every JavaScript object in the Node.js process inherits these values. The pollution persists until the process restarts.
The vulnerability is classified as CWE-1321 (Prototype Pollution). CVSS 4.0 score is 9.4, with Changed scope (S:C) in the CVSS 3.1 vector.
How prototype pollution escalates to RCE
Prototype pollution alone does not execute code. In n8n, it escalates through a gadget chain. The attacker injects properties inherited by all newly created objects in the Node.js process.
Polluted prototype properties alter the behavior of n8n's expression evaluation system. Through a sequence of existing calls in the codebase, modified properties lead to arbitrary command execution.
n8n has encountered prototype pollution before. CVE-2025-68613 affected the expression evaluation system. PR #12588 patched pollution in the task runner. CVE-2026-33696 uncovered a new vector through GSuiteAdmin and XML node parameters.
No public proof of concept exists for CVE-2026-33696. The patch commit has not appeared in a public pull request. Exploitation likely requires knowledge of specific gadget chains in n8n's codebase, which raises the bar for opportunistic attackers but not for targeted ones.
The patch for CVE-2026-33696
The advisory recommends upgrading to 2.14.1, 2.13.3, or 1.123.27. No specific patch commit is referenced publicly. The standard fix for prototype pollution involves filtering __proto__, constructor, and prototype keys from user input. An alternative approach creates objects via Object.create(null) to eliminate the prototype chain entirely.
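The key-filtering and Object.create(null) fixes described above, as an added JavaScript illustration written for this article (generic code, not n8n's patch, which has no public commit): a naive recursive parameter merge beside its hardened form, run against a constructed parameter blob carrying a __proto__ key.

```javascript
// Added illustration, not n8n's code: a naive recursive merge of user-supplied
// node parameters pollutes Object.prototype, and a hardened merge does not.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: walks every key the caller sends. A "__proto__" key makes
// target[key] resolve to Object.prototype, so the recursion writes onto it.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      const sub = isPlainObject(target[key]) ? target[key] : {};
      target[key] = mergeUnsafe(sub, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: drops the three keys that reach the prototype chain, recurses only
// into the target's own properties, and builds nested objects with
// Object.create(null) so they carry no prototype to pollute.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      const sub = own && isPlainObject(target[key]) ? target[key] : Object.create(null);
      target[key] = mergeSafe(sub, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Runs a merge on a constructed parameter blob of the kind a node might receive
// as JSON, then checks whether a fresh object inherited the injected property.
function demo(mergeFn) {
  const params = JSON.parse('{"domain":"example.test","__proto__":{"polluted":"yes"}}');
  const config = mergeFn({ domain: 'placeholder' }, params);
  const leaked = ({}).polluted;        // 'yes' only if Object.prototype was written
  delete Object.prototype.polluted;    // reset so the next run starts clean
  return { domain: config.domain, leaked };
}
```

JSON.parse creates "__proto__" as an ordinary own property, so Object.keys returns it and the unsafe merge reaches the shared prototype; dropping the three keys in mergeSafe also rejects legitimate configs that use them as names, which is the usual trade-off of this fix.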
As a temporary workaround, disable the XML node via NODES_EXCLUDE=n8n-nodes-base.xml. The advisory targets the XML node rather than GSuiteAdmin, even though both are affected. The XML node likely has a wider attack surface because it processes arbitrary external documents. GSuiteAdmin requires Google Workspace credentials and is less commonly deployed.
Pattern of critical vulnerabilities
Between November 2025 and March 2026, n8n released more than a dozen patches rated High to Critical.
| CVE | CVSS | Description |
|---|---|---|
| CVE-2026-21858 | 10.0 | Unauthenticated RCE via content-type confusion in webhooks (Ni8mare). Discovered by Dor Attias, Cyera Research Labs |
| CVE-2025-68613 | 9.9 | RCE via expression injection in the expression evaluation system |
| CVE-2026-25049 | High | System command execution through malicious workflows |
| CVE-2026-27497 | Critical | RCE through AlaSQL in Merge node with file write |
| CVE-2026-27577 | N/A | RCE through AlaSQL integration in Merge node |
| CVE-2026-27496 | High | In-process memory disclosure in JavaScript Task Runner |
| CVE-2026-33660 | 9.4 | RCE via AlaSQL constructor chain in Merge node (this advisory) |
| CVE-2026-33696 | 9.4 | Prototype pollution to RCE via GSuiteAdmin/XML nodes (this advisory) |
The attack surface grows alongside the number of nodes and integrations. n8n ships over 400 nodes, each accepting user-controlled parameters that interact with Node.js internals. The AlaSQL sandbox escape was fixed three times before the team moved to an isolated-vm architecture. Prototype pollution was resolved in the expression engine and the task runner before it resurfaced in GSuiteAdmin and XML parameters. Node-level input sanitization needs a platform-wide approach rather than per-node fixes.
Who is at risk
All self-hosted n8n installations below the patched versions are vulnerable. The cloud version is updated centrally. Most exposed are organizations that grant workflow creation to many employees.
Instances running n8n as a central automation hub face the highest risk. A single compromised workflow can access every credential held in the instance. Organizations running n8n with root privileges or without network isolation are especially vulnerable because the attacker gains unrestricted filesystem and network access after exploitation.
Recommendations
Update n8n to version 2.14.1, 2.13.3, or 1.123.27 depending on your release branch. Restrict workflow creation and editing to fully trusted users only.
If immediate upgrade is not possible, disable the Merge node (NODES_EXCLUDE=n8n-nodes-base.merge) and the XML node (NODES_EXCLUDE=n8n-nodes-base.xml). These workarounds block the specific attack vectors but do not address the underlying architectural issues.
Audit all stored credentials. If the installation was accessible to untrusted users, rotate every key and token stored in n8n. AWS access keys, Slack OAuth tokens, database connection strings, and SMTP credentials all require rotation.
Run n8n in a container with restricted privileges, no root access, and minimal network permissions. Deploy behind a reverse proxy with authentication, even for internal use. Limit the container's filesystem access to prevent credential file reads.
Monitor n8n's GitHub security advisories for future disclosures. The frequency of critical patches (eight CVEs in five months) suggests that additional vulnerabilities may surface as researchers continue auditing the platform's 400+ nodes.
Attribution
CVE-2026-33660 was discovered by researchers duddnr0615k, simonkoeck, c0rydoras, and nil340. CVE-2026-33696 was discovered by simonkoeck. Jubke from the n8n security team published both advisories.