Nixpkgs security tracker

Published

Permalink CVE-2026-54302

7.0 HIGH

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): Passive (P)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): Passive (P)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 1 day, 1 hour ago by @LeSuisse Activity log

Created suggestion 1 day, 10 hours ago
@LeSuisse ignored
3 packages
- n8n-nodes-carbonejs
- n8n-nodes-evolution-api
- n8n-task-runner-launcher
1 day, 1 hour ago
@LeSuisse accepted 1 day, 1 hour ago
@LeSuisse published on GitHub 1 day, 1 hour ago

n8n: Stored XSS in Chat Trigger Node

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious webhookId. When a logged-in user visited the chat URL, the injected code executed in the n8n origin with that user's session privileges. This vulnerability is fixed in 1.123.55, 2.25.7, and 2.26.2.

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-42h7-m79w-wvg5 x_refsource_CONFIRM

Affected products

n8n

==>= 2.0.0-rc.0, < 2.25.7
==>= 2.26.0, < 2.26.2
==< 1.123.55

Matching in nixpkgs

pkgs.n8n

Free and source-available fair-code licensed workflow automation tool

nixos-unstable 2.20.6
- nixpkgs-unstable 2.23.4
- nixos-unstable-small 2.23.4
nixos-26.05 2.22.5
- nixos-26.05-small 2.22.5
- nixpkgs-26.05-darwin 2.22.5

Ignored packages (3)

pkgs.n8n-nodes-carbonejs

n8n community node for rendering Word templates using Carbone.js

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-26.05 1.3.0
- nixos-26.05-small 1.3.0
- nixpkgs-26.05-darwin 1.3.0

pkgs.n8n-nodes-evolution-api

Evolution API hub for WhatsApp integration with n8n

nixos-unstable 1.0.4
- nixpkgs-unstable 1.0.4
- nixos-unstable-small 1.0.4
nixos-26.05 1.0.4
- nixos-26.05-small 1.0.4
- nixpkgs-26.05-darwin 1.0.4

pkgs.n8n-task-runner-launcher

Launcher for n8n task runners

nixos-unstable 1.4.5
- nixpkgs-unstable 1.4.6
- nixos-unstable-small 1.4.6
nixos-26.05 1.4.5
- nixos-26.05-small 1.4.5
- nixpkgs-26.05-darwin 1.4.5

Package maintainers

@sweenu sweenu <contact@sweenu.xyz>
@wrbbz Arsenii Zorin <me@wrb.bz>
@AdrienLemaire Adrien Lemaire <lemaire.adrien@gmail.com>
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>

Published

Permalink CVE-2026-54310

6.5 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): High (H)
Subsequent System Impact Integrity (SI): High (H)
Subsequent System Impact Availability (SA): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): High (H)
Modified Subsequent System Impact Integrity (MSI): High (H)
Modified Subsequent System Impact Availability (MSA): High (H)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 1 day, 1 hour ago by @LeSuisse Activity log

Created suggestion 1 day, 10 hours ago
@LeSuisse ignored
3 packages
- n8n-nodes-carbonejs
- n8n-nodes-evolution-api
- n8n-task-runner-launcher
1 day, 1 hour ago
@LeSuisse accepted 1 day, 1 hour ago
@LeSuisse published on GitHub 1 day, 1 hour ago

n8n: SQL Injection in Postgres v1/TimesclaeDB Nodes

n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, an authenticated user with permission to create or modify workflows could supply a crafted parameters to the TimescaleDB and/or legacy Postgres v1 node's allowing arbitrary SQL to be injected and executed against the connected database within the privileges of the configured database account. This vulnerability is fixed in 2.25.7 and 2.26.2.

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-c37g-w77q-m4vp x_refsource_CONFIRM

Affected products

n8n

==>= 2.26.0, < 2.26.2
==< 2.25.7

Matching in nixpkgs

pkgs.n8n

Free and source-available fair-code licensed workflow automation tool

nixos-unstable 2.20.6
- nixpkgs-unstable 2.23.4
- nixos-unstable-small 2.23.4
nixos-26.05 2.22.5
- nixos-26.05-small 2.22.5
- nixpkgs-26.05-darwin 2.22.5

Ignored packages (3)

pkgs.n8n-nodes-carbonejs

n8n community node for rendering Word templates using Carbone.js

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-26.05 1.3.0
- nixos-26.05-small 1.3.0
- nixpkgs-26.05-darwin 1.3.0

pkgs.n8n-nodes-evolution-api

Evolution API hub for WhatsApp integration with n8n

nixos-unstable 1.0.4
- nixpkgs-unstable 1.0.4
- nixos-unstable-small 1.0.4
nixos-26.05 1.0.4
- nixos-26.05-small 1.0.4
- nixpkgs-26.05-darwin 1.0.4

pkgs.n8n-task-runner-launcher

Launcher for n8n task runners

nixos-unstable 1.4.5
- nixpkgs-unstable 1.4.6
- nixos-unstable-small 1.4.6
nixos-26.05 1.4.5
- nixos-26.05-small 1.4.5
- nixpkgs-26.05-darwin 1.4.5

Package maintainers

@sweenu sweenu <contact@sweenu.xyz>
@wrbbz Arsenii Zorin <me@wrb.bz>
@AdrienLemaire Adrien Lemaire <lemaire.adrien@gmail.com>
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>

Published

Permalink CVE-2026-49465

6.0 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): Present (P)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): Low (L)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Low (L)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 1 day, 1 hour ago by @LeSuisse Activity log

Created suggestion 1 day, 10 hours ago
@LeSuisse ignored
3 packages
- n8n-nodes-carbonejs
- n8n-nodes-evolution-api
- n8n-task-runner-launcher
1 day, 1 hour ago
@LeSuisse accepted 1 day, 1 hour ago
@LeSuisse published on GitHub 1 day, 1 hour ago

n8n: Git Node Clone and Push Operations Bypass File Sandbox

n8n is an open source workflow automation platform. Prior to 1.123.48, 2.21.8, and 2.22.4, an authenticated user with permission to create or modify workflows could supply a local filesystem path as the source repository in the Git node's Clone operation, or as the target repository in the Push operation, bypassing the N8N_RESTRICT_FILE_ACCESS_TO file sandbox. This allowed the contents of any local git repository accessible to the n8n process to be cloned into an allowed path and read, circumventing the access restrictions that correctly blocked direct file reads to the same paths. This vulnerability is fixed in 1.123.48, 2.21.8, and 2.22.4.

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-5xp3-2w67-427v x_refsource_CONFIRM

Affected products

n8n

==< 1.123.48
==>= 2.0.0-rc.0, < 2.21.8
==>= 2.22.0, < 2.22.4

Matching in nixpkgs

pkgs.n8n

Free and source-available fair-code licensed workflow automation tool

nixos-unstable 2.20.6
- nixpkgs-unstable 2.23.4
- nixos-unstable-small 2.23.4
nixos-26.05 2.22.5
- nixos-26.05-small 2.22.5
- nixpkgs-26.05-darwin 2.22.5

Ignored packages (3)

pkgs.n8n-nodes-carbonejs

n8n community node for rendering Word templates using Carbone.js

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-26.05 1.3.0
- nixos-26.05-small 1.3.0
- nixpkgs-26.05-darwin 1.3.0

pkgs.n8n-nodes-evolution-api

Evolution API hub for WhatsApp integration with n8n

nixos-unstable 1.0.4
- nixpkgs-unstable 1.0.4
- nixos-unstable-small 1.0.4
nixos-26.05 1.0.4
- nixos-26.05-small 1.0.4
- nixpkgs-26.05-darwin 1.0.4

pkgs.n8n-task-runner-launcher

Launcher for n8n task runners

nixos-unstable 1.4.5
- nixpkgs-unstable 1.4.6
- nixos-unstable-small 1.4.6
nixos-26.05 1.4.5
- nixos-26.05-small 1.4.5
- nixpkgs-26.05-darwin 1.4.5

Package maintainers

@sweenu sweenu <contact@sweenu.xyz>
@wrbbz Arsenii Zorin <me@wrb.bz>
@AdrienLemaire Adrien Lemaire <lemaire.adrien@gmail.com>
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>

Published

Permalink CVE-2026-54313

6.5 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): High (H)
Subsequent System Impact Integrity (SI): High (H)
Subsequent System Impact Availability (SA): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): High (H)
Modified Subsequent System Impact Integrity (MSI): High (H)
Modified Subsequent System Impact Availability (MSA): High (H)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 1 day, 1 hour ago by @LeSuisse Activity log

Created suggestion 1 day, 10 hours ago
@LeSuisse ignored
3 packages
- n8n-nodes-carbonejs
- n8n-nodes-evolution-api
- n8n-task-runner-launcher
1 day, 1 hour ago
@LeSuisse accepted 1 day, 1 hour ago
@LeSuisse published on GitHub 1 day, 1 hour ago

n8n: NoSQL Injection in MongoDB Node Find And Replace Operation

n8n is an open source workflow automation platform. Prior to 2.24.0, an authenticated user with workflow edit access could supply a malicious filter value in the MongoDB node's Find And Replace operation. The value was not validated before being passed to MongoDB as a query filter, allowing unintended documents to be matched and overwritten with attacker-controlled content. This vulnerability is fixed in 2.24.0.

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-jpq7-226w-6cxx x_refsource_CONFIRM

Affected products

n8n

==< 2.24.0

Matching in nixpkgs

pkgs.n8n

Free and source-available fair-code licensed workflow automation tool

nixos-unstable 2.20.6
- nixpkgs-unstable 2.23.4
- nixos-unstable-small 2.23.4
nixos-26.05 2.22.5
- nixos-26.05-small 2.22.5
- nixpkgs-26.05-darwin 2.22.5

Ignored packages (3)

pkgs.n8n-nodes-carbonejs

n8n community node for rendering Word templates using Carbone.js

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-26.05 1.3.0
- nixos-26.05-small 1.3.0
- nixpkgs-26.05-darwin 1.3.0

pkgs.n8n-nodes-evolution-api

Evolution API hub for WhatsApp integration with n8n

nixos-unstable 1.0.4
- nixpkgs-unstable 1.0.4
- nixos-unstable-small 1.0.4
nixos-26.05 1.0.4
- nixos-26.05-small 1.0.4
- nixpkgs-26.05-darwin 1.0.4

pkgs.n8n-task-runner-launcher

Launcher for n8n task runners

nixos-unstable 1.4.5
- nixpkgs-unstable 1.4.6
- nixos-unstable-small 1.4.6
nixos-26.05 1.4.5
- nixos-26.05-small 1.4.5
- nixpkgs-26.05-darwin 1.4.5

Package maintainers

@sweenu sweenu <contact@sweenu.xyz>
@wrbbz Arsenii Zorin <me@wrb.bz>
@AdrienLemaire Adrien Lemaire <lemaire.adrien@gmail.com>
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>

Published

Permalink CVE-2026-54308

6.3 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): Present (P)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): Low (L)
Subsequent System Impact Integrity (SI): Low (L)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Low (L)
Modified Subsequent System Impact Integrity (MSI): Low (L)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 1 day, 1 hour ago by @LeSuisse Activity log

Created suggestion 1 day, 10 hours ago
@LeSuisse ignored
3 packages
- n8n-nodes-carbonejs
- n8n-nodes-evolution-api
- n8n-task-runner-launcher
1 day, 1 hour ago
@LeSuisse accepted 1 day, 1 hour ago
@LeSuisse published on GitHub 1 day, 1 hour ago

n8n: Missing Token Validation on Microsoft Agent 365 Trigger Node

n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger node did not validate that inbound requests. As a result, an unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to execute with attacker-controlled data. This vulnerability is fixed in 2.25.7 and 2.26.2.

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-jvc7-762p-3743 x_refsource_CONFIRM

Affected products

n8n

==>= 2.26.0, < 2.26.2
==< 2.25.7

Matching in nixpkgs

pkgs.n8n

Free and source-available fair-code licensed workflow automation tool

nixos-unstable 2.20.6
- nixpkgs-unstable 2.23.4
- nixos-unstable-small 2.23.4
nixos-26.05 2.22.5
- nixos-26.05-small 2.22.5
- nixpkgs-26.05-darwin 2.22.5

Ignored packages (3)

pkgs.n8n-nodes-carbonejs

n8n community node for rendering Word templates using Carbone.js

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-26.05 1.3.0
- nixos-26.05-small 1.3.0
- nixpkgs-26.05-darwin 1.3.0

pkgs.n8n-nodes-evolution-api

Evolution API hub for WhatsApp integration with n8n

nixos-unstable 1.0.4
- nixpkgs-unstable 1.0.4
- nixos-unstable-small 1.0.4
nixos-26.05 1.0.4
- nixos-26.05-small 1.0.4
- nixpkgs-26.05-darwin 1.0.4

pkgs.n8n-task-runner-launcher

Launcher for n8n task runners

nixos-unstable 1.4.5
- nixpkgs-unstable 1.4.6
- nixos-unstable-small 1.4.6
nixos-26.05 1.4.5
- nixos-26.05-small 1.4.5
- nixpkgs-26.05-darwin 1.4.5

Package maintainers

@sweenu sweenu <contact@sweenu.xyz>
@wrbbz Arsenii Zorin <me@wrb.bz>
@AdrienLemaire Adrien Lemaire <lemaire.adrien@gmail.com>
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>

Published

Permalink CVE-2026-54306

6.3 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): Present (P)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): Low (L)
Subsequent System Impact Integrity (SI): Low (L)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Low (L)
Modified Subsequent System Impact Integrity (MSI): Low (L)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 1 day, 1 hour ago by @LeSuisse Activity log

Created suggestion 1 day, 10 hours ago
@LeSuisse ignored
3 packages
- n8n-nodes-carbonejs
- n8n-nodes-evolution-api
- n8n-task-runner-launcher
1 day, 1 hour ago
@LeSuisse accepted 1 day, 1 hour ago
@LeSuisse published on GitHub 1 day, 1 hour ago

n8n: Prototype Pollution enables confused-deputy execution via public webhooks

n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, a prototype pollution vulnerability allowed a crafted public webhook payload to inject attacker-controlled fields into workflow data during internal object copying. These fields could be surfaced and consumed as normal values by downstream built-in nodes. Where a workflow combines a public webhook with action nodes that consume the resulting fields, an attacker could cause the workflow to act as a confused deputy — targeting unintended records or issuing outbound requests using the workflow owner's configured credentials. This vulnerability is fixed in 2.25.7 and 2.26.2.

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-2vff-hj5x-8gq7 x_refsource_CONFIRM

Affected products

n8n

==>= 2.26.0, < 2.26.2
==< 2.25.7

Matching in nixpkgs

pkgs.n8n

Free and source-available fair-code licensed workflow automation tool

nixos-unstable 2.20.6
- nixpkgs-unstable 2.23.4
- nixos-unstable-small 2.23.4
nixos-26.05 2.22.5
- nixos-26.05-small 2.22.5
- nixpkgs-26.05-darwin 2.22.5

Ignored packages (3)

pkgs.n8n-nodes-carbonejs

n8n community node for rendering Word templates using Carbone.js

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-26.05 1.3.0
- nixos-26.05-small 1.3.0
- nixpkgs-26.05-darwin 1.3.0

pkgs.n8n-nodes-evolution-api

Evolution API hub for WhatsApp integration with n8n

nixos-unstable 1.0.4
- nixpkgs-unstable 1.0.4
- nixos-unstable-small 1.0.4
nixos-26.05 1.0.4
- nixos-26.05-small 1.0.4
- nixpkgs-26.05-darwin 1.0.4

pkgs.n8n-task-runner-launcher

Launcher for n8n task runners

nixos-unstable 1.4.5
- nixpkgs-unstable 1.4.6
- nixos-unstable-small 1.4.6
nixos-26.05 1.4.5
- nixos-26.05-small 1.4.5
- nixpkgs-26.05-darwin 1.4.5

Package maintainers

@sweenu sweenu <contact@sweenu.xyz>
@wrbbz Arsenii Zorin <me@wrb.bz>
@AdrienLemaire Adrien Lemaire <lemaire.adrien@gmail.com>
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>

Untriaged

Permalink CVE-2026-44791

9.4 CRITICAL

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): High (H)
Vulnerable System Impact Availability (VA): High (H)
Subsequent System Impact Confidentiality (SC): High (H)
Subsequent System Impact Integrity (SI): High (H)
Subsequent System Impact Availability (SA): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): High (H)
Modified Vulnerable System Impact Availability (MVA): High (H)
Modified Subsequent System Impact Confidentiality (MSC): High (H)
Modified Subsequent System Impact Integrity (MSI): High (H)
Modified Subsequent System Impact Availability (MSA): High (H)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 1 day, 1 hour ago by @LeSuisse Activity log

Created suggestion 1 day, 10 hours ago
@LeSuisse ignored
3 packages
- n8n-nodes-carbonejs
- n8n-nodes-evolution-api
- n8n-task-runner-launcher
1 day, 1 hour ago

n8n: XML Node Prototype Pollution Patch Bypass

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could bypass the patch for CVE-2026-42232 in the XML node. When combined with other nodes, this could lead to RCE on the n8n host. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-wrwr-h859-xh2r x_refsource_CONFIRM

Affected products

n8n

==< 1.123.43
==>= 2.0.0-rc.0, < 2.20.7
==>= 2.21.0, < 2.21.1

Matching in nixpkgs

pkgs.n8n

Free and source-available fair-code licensed workflow automation tool

nixos-unstable 2.20.6
- nixpkgs-unstable 2.23.4
- nixos-unstable-small 2.23.4
nixos-26.05 2.22.5
- nixos-26.05-small 2.22.5
- nixpkgs-26.05-darwin 2.22.5

Ignored packages (3)

pkgs.n8n-nodes-carbonejs

n8n community node for rendering Word templates using Carbone.js

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-26.05 1.3.0
- nixos-26.05-small 1.3.0
- nixpkgs-26.05-darwin 1.3.0

pkgs.n8n-nodes-evolution-api

Evolution API hub for WhatsApp integration with n8n

nixos-unstable 1.0.4
- nixpkgs-unstable 1.0.4
- nixos-unstable-small 1.0.4
nixos-26.05 1.0.4
- nixos-26.05-small 1.0.4
- nixpkgs-26.05-darwin 1.0.4

pkgs.n8n-task-runner-launcher

Launcher for n8n task runners

nixos-unstable 1.4.5
- nixpkgs-unstable 1.4.6
- nixos-unstable-small 1.4.6
nixos-26.05 1.4.5
- nixos-26.05-small 1.4.5
- nixpkgs-26.05-darwin 1.4.5

Package maintainers

@sweenu sweenu <contact@sweenu.xyz>
@wrbbz Arsenii Zorin <me@wrb.bz>
@AdrienLemaire Adrien Lemaire <lemaire.adrien@gmail.com>
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>

Untriaged

Permalink CVE-2026-49444

7.1 HIGH

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

created 1 day, 10 hours ago Activity log

Created suggestion 1 day, 10 hours ago

n8n: Python sandbox escape

n8n is an open source workflow automation platform. Prior to 1.123.48, 2.21.8, and 2.22.4, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This vulnerability is fixed in 1.123.48, 2.21.8, and 2.22.4.

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-9pq8-m8gp-4p53 x_refsource_CONFIRM

Affected products

n8n

==< 1.123.48
==>= 2.22.0, < 2.22.4
==>= 2.0.0-rc.0, < 2.21.8

Matching in nixpkgs

pkgs.n8n

Free and source-available fair-code licensed workflow automation tool

nixos-unstable 2.20.6
- nixpkgs-unstable 2.23.4
- nixos-unstable-small 2.23.4
nixos-26.05 2.22.5
- nixos-26.05-small 2.22.5
- nixpkgs-26.05-darwin 2.22.5

pkgs.n8n-nodes-carbonejs

n8n community node for rendering Word templates using Carbone.js

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-26.05 1.3.0
- nixos-26.05-small 1.3.0
- nixpkgs-26.05-darwin 1.3.0

pkgs.n8n-nodes-evolution-api

Evolution API hub for WhatsApp integration with n8n

nixos-unstable 1.0.4
- nixpkgs-unstable 1.0.4
- nixos-unstable-small 1.0.4
nixos-26.05 1.0.4
- nixos-26.05-small 1.0.4
- nixpkgs-26.05-darwin 1.0.4

pkgs.n8n-task-runner-launcher

Launcher for n8n task runners

nixos-unstable 1.4.5
- nixpkgs-unstable 1.4.6
- nixos-unstable-small 1.4.6
nixos-26.05 1.4.5
- nixos-26.05-small 1.4.5
- nixpkgs-26.05-darwin 1.4.5

Package maintainers

@sweenu sweenu <contact@sweenu.xyz>
@wrbbz Arsenii Zorin <me@wrb.bz>
@AdrienLemaire Adrien Lemaire <lemaire.adrien@gmail.com>
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>
@vitorpavani Vitor Pavan <vipavani@hotmail.com>

Untriaged

Permalink CVE-2026-44789

9.4 CRITICAL

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): High (H)
Vulnerable System Impact Availability (VA): High (H)
Subsequent System Impact Confidentiality (SC): High (H)
Subsequent System Impact Integrity (SI): High (H)
Subsequent System Impact Availability (SA): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): High (H)
Modified Vulnerable System Impact Availability (MVA): High (H)
Modified Subsequent System Impact Confidentiality (MSC): High (H)
Modified Subsequent System Impact Integrity (MSI): High (H)
Modified Subsequent System Impact Availability (MSA): High (H)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

created 1 day, 10 hours ago Activity log

Created suggestion 1 day, 10 hours ago

n8n: HTTP Request Node Pagination Prototype Pollution to RCE

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-c8xv-5998-g76h x_refsource_CONFIRM

Affected products

n8n

==< 1.123.43
==>= 2.0.0-rc.0, < 2.20.7
==>= 2.21.0, < 2.21.1

Matching in nixpkgs

pkgs.n8n

Free and source-available fair-code licensed workflow automation tool

nixos-unstable 2.20.6
- nixpkgs-unstable 2.23.4
- nixos-unstable-small 2.23.4
nixos-26.05 2.22.5
- nixos-26.05-small 2.22.5
- nixpkgs-26.05-darwin 2.22.5

pkgs.n8n-nodes-carbonejs

n8n community node for rendering Word templates using Carbone.js

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-26.05 1.3.0
- nixos-26.05-small 1.3.0
- nixpkgs-26.05-darwin 1.3.0

pkgs.n8n-nodes-evolution-api

Evolution API hub for WhatsApp integration with n8n

nixos-unstable 1.0.4
- nixpkgs-unstable 1.0.4
- nixos-unstable-small 1.0.4
nixos-26.05 1.0.4
- nixos-26.05-small 1.0.4
- nixpkgs-26.05-darwin 1.0.4

pkgs.n8n-task-runner-launcher

Launcher for n8n task runners

nixos-unstable 1.4.5
- nixpkgs-unstable 1.4.6
- nixos-unstable-small 1.4.6
nixos-26.05 1.4.5
- nixos-26.05-small 1.4.5
- nixpkgs-26.05-darwin 1.4.5

Package maintainers

@sweenu sweenu <contact@sweenu.xyz>
@wrbbz Arsenii Zorin <me@wrb.bz>
@AdrienLemaire Adrien Lemaire <lemaire.adrien@gmail.com>
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>
@vitorpavani Vitor Pavan <vipavani@hotmail.com>

Untriaged

Permalink CVE-2026-45732

8.3 HIGH

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): High (H)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): High (H)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): High (H)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): High (H)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

created 1 day, 10 hours ago Activity log

Created suggestion 1 day, 10 hours ago

n8n: Cross-user Authorization Bypass in Dynamic Credential OAuth Endpoints

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, the OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read rather than credential:update. An authenticated user with read-only access to a shared credential could initiate an OAuth reconnect flow and overwrite the stored token material for that credential with tokens bound to an external account they control. Workflows relying on the affected credential would subsequently execute under the attacker's OAuth identity, enabling data exfiltration to attacker-controlled external services and persistent takeover of shared integrations. This vulnerability is fixed in 1.123.43, 2.22.1, and 2.20.7.

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-6h4j-wcr9-2vg7 x_refsource_CONFIRM

Affected products

n8n

==< 1.123.43
==>= 2.0.0-rc.0, < 2.20.7
==>= 2.21.0, < 2.21.1

Matching in nixpkgs

pkgs.n8n

Free and source-available fair-code licensed workflow automation tool

nixos-unstable 2.20.6
- nixpkgs-unstable 2.23.4
- nixos-unstable-small 2.23.4
nixos-26.05 2.22.5
- nixos-26.05-small 2.22.5
- nixpkgs-26.05-darwin 2.22.5

pkgs.n8n-nodes-carbonejs

n8n community node for rendering Word templates using Carbone.js

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-26.05 1.3.0
- nixos-26.05-small 1.3.0
- nixpkgs-26.05-darwin 1.3.0

pkgs.n8n-nodes-evolution-api

Evolution API hub for WhatsApp integration with n8n

nixos-unstable 1.0.4
- nixpkgs-unstable 1.0.4
- nixos-unstable-small 1.0.4
nixos-26.05 1.0.4
- nixos-26.05-small 1.0.4
- nixpkgs-26.05-darwin 1.0.4

pkgs.n8n-task-runner-launcher

Launcher for n8n task runners

nixos-unstable 1.4.5
- nixpkgs-unstable 1.4.6
- nixos-unstable-small 1.4.6
nixos-26.05 1.4.5
- nixos-26.05-small 1.4.5
- nixpkgs-26.05-darwin 1.4.5

Package maintainers

@sweenu sweenu <contact@sweenu.xyz>
@wrbbz Arsenii Zorin <me@wrb.bz>
@AdrienLemaire Adrien Lemaire <lemaire.adrien@gmail.com>
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>
@vitorpavani Vitor Pavan <vipavani@hotmail.com>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.n8n

pkgs.n8n-nodes-carbonejs

pkgs.n8n-nodes-evolution-api

pkgs.n8n-task-runner-launcher

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.n8n

pkgs.n8n-nodes-carbonejs

pkgs.n8n-nodes-evolution-api

pkgs.n8n-task-runner-launcher

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.n8n

pkgs.n8n-nodes-carbonejs

pkgs.n8n-nodes-evolution-api

pkgs.n8n-task-runner-launcher

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.n8n

pkgs.n8n-nodes-carbonejs

pkgs.n8n-nodes-evolution-api

pkgs.n8n-task-runner-launcher

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.n8n

pkgs.n8n-nodes-carbonejs

pkgs.n8n-nodes-evolution-api

pkgs.n8n-task-runner-launcher

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.n8n

pkgs.n8n-nodes-carbonejs

pkgs.n8n-nodes-evolution-api

pkgs.n8n-task-runner-launcher

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.n8n

pkgs.n8n-nodes-carbonejs

pkgs.n8n-nodes-evolution-api

pkgs.n8n-task-runner-launcher

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.n8n

pkgs.n8n-nodes-carbonejs

pkgs.n8n-nodes-evolution-api

pkgs.n8n-task-runner-launcher

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.n8n

pkgs.n8n-nodes-carbonejs

pkgs.n8n-nodes-evolution-api

pkgs.n8n-task-runner-launcher

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.n8n

pkgs.n8n-nodes-carbonejs

pkgs.n8n-nodes-evolution-api

pkgs.n8n-task-runner-launcher