{"data":{"id":"81fe2c80-15e9-4bfc-ae1d-4422705d339c","title":"GHSA-58qr-rcgv-642v: n8n has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode","summary":"n8n, a workflow automation tool, has a security flaw in its Merge node's SQL mode that allows authenticated users to read files from the server and execute arbitrary code (remote code execution, where an attacker can run commands on a system they don't own). The vulnerability exists because the AlaSQL sandbox (a restricted environment meant to safely run SQL code) did not properly block certain dangerous SQL statements.","solution":"The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.27. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can: (1) limit workflow creation and editing permissions to fully trusted users only, or (2) disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. Note: these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-58qr-rcgv-642v","publishedAt":"2026-03-25T21:07:45.000Z","cveId":"CVE-2026-33660","cweIds":null,"cvssScore":null,"cvssSeverity":"critical","severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["n8n@< 1.123.27 (fixed: 1.123.27)","n8n@>= 2.0.0-rc.0, < 2.13.3 (fixed: 2.13.3)","n8n@= 2.14.0 (fixed: 2.14.1)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["n8n"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-03-25T21:07:45.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":["AML.T0010"]}}