n8n: Untrusted Users Can Run Harmful Code on Server
CVE-2026-27497
GHSA-wxx7-mcgf-j869
Summary
An authenticated user with permission to create or edit workflows can abuse the Merge node's SQL query mode to run arbitrary code and write arbitrary files on the n8n server. To fix this, update n8n to 1.123.22, 2.9.3 or 2.10.1 (or a later release in the same line). If an update isn't possible, limit workflow editing to fully trusted users and temporarily disable the Merge node via NODES_EXCLUDE; these mitigations reduce but do not remove the risk.
What to do
- Running n8n 1.x: update to version 1.123.22 or later.
- Running n8n 2.x before 2.10: update to version 2.9.3 or later.
- Running n8n 2.10.x: update to version 2.10.1 or later.
Affected software
| Vendor | Product | Affected versions | Fixed in |
|---|---|---|---|
| n8n | n8n | before 1.123.22 | 1.123.22 |
| n8n | n8n | 2.x before 2.9.3 | 2.9.3 |
| n8n | n8n | 2.10.x before 2.10.1 | 2.10.1 |
Original title
n8n has Potential Remote Code Execution via Merge Node
Original description
## Impact
An authenticated user with permission to create or modify workflows could leverage the Merge node's SQL query mode to execute arbitrary code and write arbitrary files on the n8n server.
## Patches
The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities.
## Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
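A small POSIX shell script, added here as an illustration and not part of the advisory or of n8n itself, covering the two practical questions the patch and workaround sections raise: is the deployed version inside one of the affected ranges (the three fixed versions are taken from the advisory), and how to add `n8n-nodes-base.merge` to NODES_EXCLUDE without clobbering nodes an operator has already excluded. n8n reads NODES_EXCLUDE as a JSON array of node type names. The function names and the sample versions and values are this example's own.

```shell
#!/bin/sh
# Added example for GHSA-wxx7-mcgf-j869 / CVE-2026-27497; not n8n's own code.
# Fixed versions taken from the advisory: 1.123.22, 2.9.3 and 2.10.1.

# version_lt A B: succeed (exit 0) if version A sorts before version B.
# Compares the first three numeric components; missing ones count as 0, and a
# leading "v" or a "-prerelease" suffix is ignored.
version_lt() {
  a=${1#v}; a=${a%%-*}
  b=${2#v}; b=${b%%-*}
  i=1
  while [ "$i" -le 3 ]; do
    ca=$(printf '%s.0.0' "$a" | cut -d. -f"$i")
    cb=$(printf '%s.0.0' "$b" | cut -d. -f"$i")
    if [ "$ca" -lt "$cb" ]; then return 0; fi
    if [ "$ca" -gt "$cb" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1   # equal
}

# n8n_status VERSION: print "affected (fix: X)" and return 1, or print "fixed"
# and return 0, depending on which release line the version belongs to.
n8n_status() {
  v=${1#v}; v=${v%%-*}
  major=${v%%.*}
  case "$major" in
    0|1) fix=1.123.22 ;;
    2)   if version_lt "$v" 2.10.0; then fix=2.9.3; else fix=2.10.1; fi ;;
    *)   echo "not covered by this advisory"; return 2 ;;
  esac
  if version_lt "$v" "$fix"; then
    echo "affected (fix: $fix)"; return 1
  fi
  echo "fixed"; return 0
}

# add_node_exclude CURRENT NODE: print the NODES_EXCLUDE value with NODE added.
# NODES_EXCLUDE is a JSON array of node type names; existing entries (for
# example executeCommand) are kept rather than overwritten.
add_node_exclude() {
  cur=$1; node=$2
  case "$cur" in
    *"\"$node\""*) printf '%s' "$cur" ;;                          # already present
    ''|'[]')       printf '["%s"]' "$node" ;;                     # nothing excluded yet
    *)             printf '%s,"%s"]' "${cur%]*}" "$node" ;;       # append before the closing bracket
  esac
}

MERGE_NODE=n8n-nodes-base.merge

# Constructed sample versions, one on each side of every fixed release.
for v in 1.123.21 1.123.22 2.9.2 2.10.0 2.10.1; do
  printf '%-9s %s\n' "$v" "$(n8n_status "$v")"
done

# Workaround value for a deployment that already excludes executeCommand, e.g.
#   docker run -e NODES_EXCLUDE="$NEW_EXCLUDE" ... n8nio/n8n
NEW_EXCLUDE=$(add_node_exclude '["n8n-nodes-base.executeCommand"]' "$MERGE_NODE")
printf 'NODES_EXCLUDE=%s\n' "$NEW_EXCLUDE"
```

Use `n8n_status` against the version reported by the running instance (for example from its settings page or `n8n --version`), and set the NODES_EXCLUDE value in the environment the n8n process actually reads (container env, systemd unit or `.env`) before restarting it; excluding the node only takes effect at load time, and the advisory is explicit that this is a stopgap until the patched release is deployed.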
NVD CVSS 3.1: 8.8
NVD CVSS 4.0: 9.4
Vulnerability type
- CWE-89: SQL Injection
- CWE-94: Code Injection
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-27497 (NVD)
- https://github.com/advisories/GHSA-wxx7-mcgf-j869 (GitHub Advisory Database)
- https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22 (Release Notes)
- https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3 (Release Notes)
- https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1 (Release Notes)
- https://github.com/n8n-io/n8n/security/advisories/GHSA-wxx7-mcgf-j869 (Vendor Advisory)
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026