Critical n8n RCE Vulnerability (CVE-2024-29023) Patched
Key Takeaways A critical remote code execution (RCE) vulnerability, CVE-2026-33660, has been discovered in n8n, an open-source workflow automation platform. The flaw allows authenticated attackers to...
Key Takeaways
- A critical remote code execution (RCE) vulnerability, CVE-2026-33660, has been discovered in n8n, an open-source workflow automation platform.
- The flaw allows authenticated attackers to bypass security sandboxes within the “Merge” node, leading to full host server compromise.
- The vulnerability carries a Critical severity rating (CVSS 3.1 and 4.0) and requires only low-level privileges for exploitation.
- N8n has released patches; immediate updates are strongly recommended for all users.
Critical RCE Flaw in n8n Exposes Host Servers to Full Compromise
A significant security vulnerability has been identified within n8n, a popular open-source platform for workflow automation, potentially allowing for remote code execution (RCE) on host servers. This critical flaw poses a severe risk to organizations leveraging n8n for their automated processes.
Table Of Content
Designated as CVE-2026-33660, the vulnerability enables authenticated attackers to circumvent existing security controls, access sensitive data, and ultimately gain complete control over the underlying server instance hosting n8n.
AlaSQL Sandbox Escape Facilitates Server Takeover
The root cause of this vulnerability lies within the “Merge” node of n8n workflows, specifically when users activate the “Combine by SQL” mode. N8n utilizes an AlaSQL sandbox to ensure the safe execution of SQL operations. However, security researchers found that this sandbox inadequately restricts certain SQL statements.
Due to improper control over code generation from external input (classified as CWE-94: Code Injection), attackers can inject malicious instructions through this node. If an attacker possesses the basic permission to create or modify workflows, they can exploit this sandbox escape to read local files directly from the n8n host system.
This initial access can then be escalated to execute arbitrary code remotely, granting attackers deep administrative privileges on the server infrastructure.
Both CVSS 3.1 and CVSS 4.0 frameworks assign a Critical severity rating to CVE-2026-33660, underscoring the severe threat it presents to enterprise automation environments. The attack vector is strictly network-based and has low complexity. Alarmingly, exploitation requires no user interaction and only necessitates low-level privileges.
Once an attacker compromises any account with workflow editing capabilities, they can pivot to a full server takeover, thereby compromising the confidentiality, integrity, and availability of the entire system.
The n8n development team has officially released patches for this issue in their latest GitHub releases. Security teams and system administrators are strongly advised to update their n8n instances immediately to prevent potential exploitation.
What You Should Do
- Apply Patches Immediately: Update your n8n instances to the latest patched versions as soon as possible. This is the only permanent solution.
- Audit User Permissions: Review and strictly limit workflow creation and modification permissions to only fully trusted personnel.
- Implement Temporary Mitigations (If Patching is Delayed):
- Disable the vulnerable component by adding
n8n-nodes-base.mergeto theNODES_EXCLUDEenvironment variable.
- Disable the vulnerable component by adding
- Monitor for Suspicious Activity: Regularly monitor n8n logs and server activity for any signs of unauthorized access or unusual behavior.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.