
n8n Workflow Tool Critical Vulnerabilities

Source: CERT-Bund Security Advisories (wid.cert-bund.de)
Published March 25th, 2026
Detected March 26th, 2026

Summary

CERT-Bund has issued a security advisory for the n8n workflow automation tool, highlighting critical vulnerabilities with a CVSS score of 9.9. The advisory affects n8n versions prior to 2.13.4 and warns of potential remote attacks leading to privilege escalation, code execution, and data manipulation.

What changed

CERT-Bund has issued a critical security advisory (WID-SEC-2026-0877) concerning multiple vulnerabilities in the n8n workflow automation tool. The vulnerabilities, rated with a CVSS Base Score of 9.9, allow remote attackers to gain elevated privileges, execute arbitrary code, manipulate data, bypass security measures, disclose confidential information, and conduct cross-site or man-in-the-middle attacks. The advisory affects n8n versions prior to 2.13.4 and applies to UNIX and Windows operating systems.

Organizations using n8n should immediately update to a patched version or implement available mitigations to prevent exploitation. Failure to address these vulnerabilities could lead to severe security breaches, including unauthorized access to sensitive data and system compromise. The advisory indicates that remote attacks are possible, emphasizing the urgency of applying updates or mitigations.

What to do next

  1. Update n8n to version 2.13.4 or later
  2. Implement available security mitigations if an immediate update is not possible

Source document (simplified)

[WID-SEC-2026-0877] n8n: Multiple vulnerabilities

CVSS Base Score: 9.9 (critical)
CVSS Temporal Score: 8.6 (high)
Remote attack: yes
Date: 25.03.2026
Last updated: 26.03.2026
Mitigation: yes

Affected systems

Operating system

  • Other
  • UNIX
  • Windows

Product description

n8n is a workflow automation tool that connects different applications and services with one another in order to automate tasks.

Products

25.03.2026
- n8n n8n <2.13.4

  • n8n n8n

Attack

An attacker can exploit multiple vulnerabilities in n8n to gain elevated privileges, including administrator rights, to execute arbitrary code, manipulate data, bypass security measures, disclose confidential information, or conduct cross-site and man-in-the-middle attacks.

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
CERT-Bund
Published
March 25th, 2026
Instrument
Notice
Legal weight
Non-binding
Stage
Final
Change scope
Substantive
Document ID
WID-SEC-2026-0877

Who this affects

Applies to
Technology companies
Industry sector
5112 Software & Technology
Activity scope
Workflow Automation System Security
Geographic scope
Germany DE

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Software Vulnerabilities, Data Security
