PT-2026-28074 · N8N · N8N

Credits: C0Rydoras +3
Published: 2026-03-25
Updated: 2026-04-05
CVE-2026-33660
CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
n8n versions prior to 2.14.1
n8n versions prior to 2.13.3
n8n versions prior to 1.123.26

Description
n8n is a workflow automation platform. A user authenticated with permissions to create or modify workflows could leverage the "Combine by SQL" mode of the Merge node to read local files on the n8n host and potentially achieve remote code execution. The AlaSQL sandbox lacked sufficient restrictions on certain SQL statements, allowing such a user to access sensitive files on the server or compromise the instance. The vulnerable component is the Merge node and its use of AlaSQL.

Recommendations
Upgrade to n8n version 2.14.1 or later.
Upgrade to n8n version 2.13.3 or later.
Upgrade to n8n version 1.123.26 or later.
If upgrading is not immediately possible, limit workflow creation and editing permissions to fully trusted users only.
If upgrading is not immediately possible, disable the Merge node by adding n8n-nodes-base.merge to the NODES_EXCLUDE environment variable.
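An added defender-side check, not part of this advisory or of the n8n project: it maps an installed n8n version to the fixed release of its line (1.x, 2.13.x, 2.14.x and later, per the versions above) and reports whether the NODES_EXCLUDE workaround is in place. It assumes that NODES_EXCLUDE holds a JSON array of node type names and that any 2.x release before 2.13.3 falls under the 2.13.3 fix.

```python
import json
import os
import re
import sys
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions per release line, taken from the advisory for CVE-2026-33660.
FIXED_1X: Version = (1, 123, 26)
FIXED_213: Version = (2, 13, 3)
FIXED_214: Version = (2, 14, 1)

# Node type name that the advisory says to add to NODES_EXCLUDE.
MERGE_NODE = "n8n-nodes-base.merge"


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; a leading 'v' and pre-release suffixes are ignored."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fixed_version_for(version: Version) -> Version:
    """Pick the fix that applies to the release line of the given version."""
    major, minor, _ = version
    if major < 2:
        return FIXED_1X
    if major == 2 and minor <= 13:   # 2.0 .. 2.13: fixed in 2.13.3 (assumption for < 2.13)
        return FIXED_213
    return FIXED_214                 # 2.14 and later lines


def is_vulnerable(version_text: str) -> bool:
    version = parse_version(version_text)
    return version < fixed_version_for(version)


def merge_node_excluded(nodes_exclude: Optional[str]) -> bool:
    """True if NODES_EXCLUDE (assumed JSON array of node names) disables the Merge node."""
    if not nodes_exclude:
        return False
    try:
        names = json.loads(nodes_exclude)
    except json.JSONDecodeError:
        return False
    return isinstance(names, list) and MERGE_NODE in names


def assess(version_text: str, nodes_exclude: Optional[str] = None) -> str:
    """Return 'patched', 'vulnerable-mitigated' (workaround applied) or 'vulnerable'."""
    if not is_vulnerable(version_text):
        return "patched"
    return "vulnerable-mitigated" if merge_node_excluded(nodes_exclude) else "vulnerable"


if __name__ == "__main__":
    # Constructed default so the script runs offline; pass the real version as argv[1].
    ver = sys.argv[1] if len(sys.argv) > 1 else "1.123.25"
    print(ver, assess(ver, os.environ.get("NODES_EXCLUDE")))
```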

Exploit

Fix

RCE

Code Injection

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2026-33660
GHSA-58QR-RCGV-642V

Affected Products

N8N