N8n

This hub aggregates every CVE we track for N8n, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting N8n.

• CVE-2026-56357n8n - Webhook Forgery via Missing HMAC-SHA256 Signature Verification in GitHub Webhook Trigger4.0Jun 22, 2026
• CVE-2026-56348n8n - Credential Exfiltration via Allowed HTTP Request Domains Bypass in Dynamic Node Parameters Endpoint9.1Jun 22, 2026
• CVE-2026-42237n8n: SQL Injection in Snowflake and MySQL Nodes8.8May 4, 2026
• CVE-2026-42236n8n: Unauthenticated Denial of Service via MCP Client Registration7.5May 4, 2026
• CVE-2026-42235n8n: XSS via MCP OAuth client9.6May 4, 2026
• CVE-2026-42234n8n: Python Task Runner Sandbox Escape8.8May 4, 2026
• CVE-2026-42233n8n: SQL Injection in Oracle Database Node via Limit Field9.8May 4, 2026
• CVE-2026-42232n8n: XML Node Prototype Pollution to RCE8.8May 4, 2026
• CVE-2026-42231n8n: Prototype Pollution in XML Webhook Body Parser Leads to RCE8.8May 4, 2026
• CVE-2026-42230n8n: Open Redirect in MCP OAuth Consent Flow6.1May 4, 2026
• CVE-2026-42229n8n: SQL Injection in SeaTable Node8.8May 4, 2026
• CVE-2026-42228n8n: Hijacking of Unauthenticated Chat Execution6.5May 4, 2026
• CVE-2026-42227n8n: Public API Variables IDOR Allows Cross-Project Secret Disclosure6.5May 4, 2026
• CVE-2026-42226n8n: Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay7.5May 4, 2026
• CVE-2026-33751n8n Vulnerable to LDAP Filter Injection in LDAP Node4.8Mar 25, 2026