Security Flaw in n8n Workflow Automation Platform
CVE-2026-33749

6.3MEDIUM

Key Information:

Vendor: N8n-io
Status: N8n
Vendor: CVE Published:; 25 March 2026

What is CVE-2026-33749?

The n8n workflow automation platform has a security vulnerability that allows an authenticated user to create an unsafe workflow. This vulnerability arises when an attacker can craft a workflow that produces an HTML binary data object without a filename, which is served inline without proper security headers like 'Content-Disposition' and 'Content-Security-Policy'. This lack of protection allows malicious JavaScript to be executed in the context of a victim's session, potentially leading to the exfiltration of sensitive data, unauthorized modifications of workflows, and privilege escalation to admin-level access. To protect against this issue, users are urged to upgrade to n8n versions 1.123.27, 2.13.3, or 2.14.1. Until an upgrade is feasible, limiting permissions for workflow creation and editing to trusted users and restricting network access to the n8n instance are advised as temporary mitigation measures.

Affected Version(s)

n8n < 1.123.27 < 1.123.27

n8n >= 2.0.0-rc.0, < 2.13.3 < 2.0.0-rc.0, 2.13.3

n8n = 2.14.0 = 2.14.0

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-qf...

x_refsource_CONFIRM

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 25, 2026
Vulnerability Reserved
Mar 23, 2026

CVE-2026-33749 Data

JSON

N8n-io

What is CVE-2026-33749?

Affected Version(s)

References

CVSS V4

Timeline