Download
Security Advisory; NCSC-2026-0248 [1.0.0]
- Security Advisory
- NCSC-2026-0248 [1.0.0]
- Publicatie
- 17-07-2026 16:31 (Europe/Amsterdam)
- Prioriteit
- Normaal
- Betreft
- Kwetsbaarheden verholpen in n8n workflow automation platform
Kenmerken
- Improper Input Validation
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- Improper Control of Generation of Code ('Code Injection')
- Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
- Improper Privilege Management
- Improper Access Control
- Improper Authorization
- Improper Authentication
- Authentication Bypass by Spoofing
- Insufficient Verification of Data Authenticity
- Exposure of Sensitive System Information to an Unauthorized Control Sphere
- Protection Mechanism Failure
- Improper Control of Dynamically-Managed Code Resources
- OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
- OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Omschrijving
n8n heeft meerdere kwetsbaarheden verholpen in het n8n workflow automation platform, specifiek in versies voor 2.10.1, 2.9.3, 1.123.22 en andere gerelateerde releases.
De kwetsbaarheden betreffen verschillende componenten binnen n8n, waaronder de Form nodes, Python Code node, JavaScript Task Runner sandbox, Merge node, Read/Write Files from Disk node, workflow expression evaluatie, core workflow editing functionaliteit, GitHub Webhook Trigger node, ZendeskTrigger node, Guardrail node en Chat Trigger node.
- Ongeauthenticeerde en geauthenticeerde gebruikers kunnen onder bepaalde voorwaarden arbitrary code injecteren en uitvoeren, soms via sandbox escapes, wat leidt tot remote code execution op het host-systeem.
- Kwetsbaarheden in nodes zoals Merge node en Read/Write Files from Disk node stellen geauthenticeerde gebruikers met workflow bewerkingsrechten in staat om bestanden te schrijven en shell-commando's uit te voeren.
- Webhook nodes (GitHub en ZendeskTrigger) missen HMAC-SHA256 handtekening verificatie, waardoor onbevoegde POST-requests kunnen worden verzonden die workflows triggeren.
- Authenticatie bypass kwetsbaarheden in SSO en Chat Trigger nodes maken het mogelijk om beveiligingsmechanismen te omzeilen en ongeautoriseerde toegang te verkrijgen.
- Input validatie in de Guardrail node kan worden omzeild, wat de integriteit van workflows kan aantasten.
Deze kwetsbaarheden zijn aanwezig in meerdere versies en releases van n8n en zijn gerelateerd aan workflow creatie, modificatie en uitvoering, waarbij misbruik kan leiden tot het overnemen van het host-systeem, het manipuleren van workflows en het omzeilen van authenticatiecontroles.
Oplossingen
n8n heeft updates uitgebracht in versies 2.10.1, 2.9.3, 1.123.22, 2.8.0, 1.123.15, 2.5.0, 1.123.18, 2.6.2 en 2.10.0 om de genoemde kwetsbaarheden te verhelpen. Voor omgevingen waar directe upgrade niet mogelijk is, zijn tijdelijke mitigaties beschikbaar, zoals het beperken van gebruikersrechten en het uitschakelen van bepaalde nodes. Zie bijgevoegde referenties voor meer informatie.
Referenties
- https://github.com/n8n-io/n8n/security/advisories/GHSA-2p9h-rqjw-gm92
- https://github.com/n8n-io/n8n/security/advisories/GHSA-38c7-23hj-2wgq
- https://github.com/n8n-io/n8n/security/advisories/GHSA-75g8-rv7v-32f7
- https://github.com/n8n-io/n8n/security/advisories/GHSA-f3f2-mcxc-pwjx
- https://github.com/n8n-io/n8n/security/advisories/GHSA-fvfv-ppw4-7h2w
- https://github.com/n8n-io/n8n/security/advisories/GHSA-jh8h-6c9q-7gmw
- https://github.com/n8n-io/n8n/security/advisories/GHSA-jjpj-p2wh-qf23
- https://github.com/n8n-io/n8n/security/advisories/GHSA-mmgg-m5j7-f83h
- https://github.com/n8n-io/n8n/security/advisories/GHSA-mqpr-49jj-32rc
- https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp
- https://github.com/n8n-io/n8n/security/advisories/GHSA-vjf3-2gpj-233v
- https://github.com/n8n-io/n8n/security/advisories/GHSA-vpcf-gvg4-6qwr
- https://github.com/n8n-io/n8n/security/advisories/GHSA-wxx7-mcgf-j869
- https://github.com/n8n-io/n8n/security/advisories/GHSA-x2mw-7j39-93xq
CVE's
- CVE-2026-27493 - CVSS (v4) 9.5
- CVE-2026-27494 - CVSS (v4) 7.1
- CVE-2026-27495 - CVSS (v4) 9.4
- CVE-2026-27497 - CVSS (v4) 9.4
- CVE-2026-27498 - CVSS (v4) 9.0
- CVE-2026-27577 - CVSS (v4) 9.4
- CVE-2026-27578 - CVSS (v4) 8.5
- CVE-2026-56357 - CVSS (v4) 6.3
- CVE-2026-56350 - CVSS (v4) 6.0
- CVE-2026-56360 - CVSS (v4) 6.9
- CVE-2026-56349 - CVSS (v4) 6.3
- CVE-2026-56353 - CVSS (v4) 6.3
Producten
n8n
Disclaimer
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.