Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
A vulnerability in n8n (a workflow automation tool) allows authenticated users to exploit the XML Node through prototype pollution (a technique where an attacker modifies object properties that affect all instances of that object type) to achieve RCE (remote code execution, where attackers can run arbitrary commands on the system). This is particularly dangerous because it affects users with permission to create or edit workflows.
Fix: The vulnerability has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1 or later. If immediate upgrade is not possible, administrators can temporarily: (1) Limit workflow creation and editing permissions to fully trusted users only, or (2) Disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable. The source notes these workarounds do not fully remediate the risk and are only short-term measures.
GitHub Advisory Databasen8n had a vulnerability in its XML webhook parser caused by the `xml2js` library that allowed prototype pollution (a type of attack where an attacker modifies a JavaScript object's base properties to affect all objects). An authenticated user with workflow creation permissions could exploit this flaw and combine it with the Git node's SSH operations to achieve RCE (remote code execution, where an attacker runs commands on a system they don't own).
n8n (a workflow automation tool) has a vulnerability where an attacker could inject malicious code through a fake OAuth client name, causing it to run in a victim's browser when they revoke access. This XSS (cross-site scripting, injecting malicious code into a webpage) attack could let attackers steal login credentials, take over sessions, or modify workflows.
n8n (a workflow automation tool) had a security flaw where authenticated users could steal API keys belonging to other users by exploiting the `dynamic-node-parameters` endpoints (parts of the system that handle credential references). An attacker with access to a shared workflow could submit another user's credential ID and trick the backend into sending that credential to a server the attacker controls, allowing them to capture and reuse the stolen API key.
n8n (a workflow automation tool) has a vulnerability where authenticated users who can create or modify workflows can escape the sandbox (an isolated environment meant to restrict code execution) and run arbitrary code on the task runner container, but only if the Python Task Runner feature is enabled.
n8n, a workflow automation tool, had a security flaw where authenticated users with an API key could read variables (data storage containers) from projects they shouldn't have access to by manipulating a query parameter, potentially exposing secrets like passwords or tokens. This vulnerability only affected enterprise or team deployments with multiple projects enabled.
n8n has a vulnerability where an unauthenticated attacker can crash an n8n instance (a workflow automation tool) by sending large amounts of data to the MCP OAuth client registration endpoint (the system that lets external applications connect to n8n). The endpoint doesn't properly limit how much data it accepts or how many clients can register, allowing attackers to use up all the server's memory and make it unavailable.
n8n's Chat Trigger feature had a security flaw where the `/chat` WebSocket endpoint (a communication channel) didn't check if users were authorized to access workflow executions. An attacker who could guess a valid execution ID (a unique identifier for a running workflow instance) could connect to an unprotected chat workflow, intercept prompts meant for legitimate users, and inject their own commands to change how the workflow behaves.
A SQL injection (inserting malicious code into database queries) flaw in n8n's SeaTable node allowed attackers to manipulate search and row retrieval operations when user-controlled input was passed into the node without proper safeguards, potentially exposing unintended database rows. The vulnerability required a specific workflow setup where external input from sources like forms or webhooks was directly used in search parameters.
n8n has a vulnerability where its OAuth consent flow allows attackers to register fake redirect URLs (destinations where users are sent after denying permission) without authentication. An attacker can trick a user into clicking a malicious link, and when the user clicks "Deny" on the consent dialog, they get redirected to the attacker's website instead of staying safe. This could be used for phishing (tricking users into giving up sensitive information).
n8n, a workflow automation tool, had a SQL injection vulnerability (a type of attack where malicious SQL commands are inserted into input fields) in its Oracle Database node. The flaw allowed attackers to inject arbitrary SQL commands through the `Limit` field when external user input was used, potentially letting them steal data from the connected Oracle database.
The OneCollector exporter (a tool that sends telemetry data, which is information about how a program is running, to a backend server) has a flaw where it reads error responses from failed HTTP requests without limiting how much data it accepts. If an attacker controls the backend server or intercepts the connection, they can send an extremely large response that exhausts the application's memory and crashes it (a denial-of-service attack, where a system is made unavailable).
OpenTelemetry.Resources.Azure has a vulnerability where it reads unlimited amounts of data from Azure VM metadata service responses into memory, allowing an attacker to cause the application to crash by sending extremely large responses (a denial of service attack where the system runs out of memory). This affects applications using the Azure VM resource detector that connect to a compromised or intercepted metadata endpoint.
Ollama for Windows has a remote code execution vulnerability (the ability for an attacker to run commands on your computer) in its update system. The vulnerability happens because the application builds file paths using information from HTTP headers without checking if they're legitimate, allowing attackers to use path traversal sequences (like ../ to navigate directories) to write malicious executable files to dangerous locations like the Windows Startup folder. When combined with a missing signature verification flaw, an attacker can automatically execute malicious code without the user knowing.
Ollama for Windows has a vulnerability (CVE-2026-42248) where it does not verify that downloaded updates are authentic and haven't been tampered with before installing them. Because Ollama automatically installs updates without asking the user, an attacker could trick the software into downloading and running malicious code without the user knowing.
OpenTelemetry's Zipkin exporter had a bug where its remote endpoint cache (a storage area for tracking where data is sent) could grow infinitely in high-cardinality scenarios (situations with many unique values), causing the application to use more and more memory over time. This could make the application slower or crash.
CVE-2026-40979 is a security flaw in Spring AI (a framework for building AI applications) where someone with access to a shared computing environment can find and view the ONNX model (a type of machine learning model file) that the application uses. This vulnerability affects Spring AI versions 1.0.0 through 1.0.5 and 1.1.0 through 1.1.4.
A path traversal vulnerability (a bug where an attacker manipulates file paths to access files they shouldn't) was found in the ErlichLiu claude-agent-sdk, affecting a file called app/api/agent-output/route.ts. An attacker can exploit this remotely by manipulating the outputFile parameter, and the vulnerability has already been publicly disclosed. The project uses continuous updates but has not yet responded to the security report.
A vulnerability (CVE-2026-7178) was found in ChatGPTNextWeb NextChat up to version 2.16.1 that allows server-side request forgery (SSRF, where an attacker tricks a server into making unwanted requests to other systems) through the storeUrl function in the Artifacts Endpoint. The flaw can be exploited remotely, and the attack code has been made public, though the project developers have not yet responded to the early notification.
A security flaw has been found in ChatGPTNextWeb NextChat up to version 2.16.1 that allows server-side request forgery (SSRF, where an attacker tricks a server into making unwanted requests to other systems). The vulnerability exists in the proxyHandler function and can be exploited remotely, with public exploits already available. The developers have been notified but have not yet responded.
Fix: The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators should limit workflow creation and editing permissions to fully trusted users only, though this is only a temporary mitigation and does not fully remediate the risk.
GitHub Advisory DatabaseFix: This issue has been fixed in n8n version 2.14.2. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should restrict access to the n8n instance and the MCP OAuth registration endpoint to trusted users only, or disable MCP server functionality if not actively required. However, the source notes these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
GitHub Advisory DatabaseFix: The issue has been fixed in n8n version 2.18.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should restrict n8n access to fully trusted users only and avoid sharing workflows with users who should not have access to the credentials those workflows reference. The source notes these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
GitHub Advisory DatabaseFix: The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later. As temporary workarounds if upgrading is not immediately possible, administrators can limit workflow creation and editing permissions to fully trusted users only, or disable the Python Code node by adding `n8n-nodes-base.code` to the `NODES_EXCLUDE` environment variable, or disable the Python Task Runner entirely. However, the source notes these workarounds do not fully remediate the risk and should only be used as short-term measures.
GitHub Advisory DatabaseFix: The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should restrict n8n access and API key issuance to fully trusted users only, and audit existing project variables for sensitive values and rotate any secrets that may have been exposed (though these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures).
GitHub Advisory DatabaseFix: Upgrade to n8n version 1.123.32, 2.17.4, 2.18.1, or later. If immediate upgrade is not possible, administrators can temporarily: (1) restrict network access to the n8n instance to prevent requests from untrusted sources, or (2) reduce the maximum accepted payload size by lowering the `N8N_PAYLOAD_SIZE_MAX` environment variable from its default value. The source notes these workarounds do not fully fix the risk and should only be used as short-term measures.
GitHub Advisory DatabaseFix: The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later. As a temporary workaround, administrators can enable authentication on all Chat Trigger nodes by setting the Authentication field to `n8n User Auth` rather than `None`, though this does not fully eliminate the risk.
GitHub Advisory DatabaseFix: The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, temporary mitigations include: restricting workflow creation and editing permissions to trusted users only; disabling the SeaTable node by adding `n8n-nodes-base.seaTable` to the `NODES_EXCLUDE` environment variable; and avoiding unvalidated external user input in SeaTable node parameters.
GitHub Advisory DatabaseFix: The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators can restrict network access to the n8n instance to prevent untrusted users from reaching the MCP OAuth endpoints, or limit access to the n8n instance to fully trusted users only. However, the source notes these workarounds do not fully remediate the risk and should only be used as short-term measures.
GitHub Advisory DatabaseFix: The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, temporary mitigations include: limiting workflow creation and editing permissions to fully trusted users only, disabling the Oracle Database node by adding `n8n-nodes-base.oracleDatabase` to the `NODES_EXCLUDE` environment variable, and avoiding passing unvalidated external user input into the Oracle Database node's `Limit` field via expressions. The source notes these workarounds do not fully remediate the risk and should only be used as short-term measures.
GitHub Advisory DatabaseFix: Update to the version with PR #4117 applied, which limits the number of bytes read from error response bodies to 4MiB (megabytes). Additionally, use network-level controls like firewall rules, mTLS (mutual TLS, a security protocol for encrypting connections), or a service mesh to prevent Man-in-the-Middle attacks on the configured backend/collector endpoint.
GitHub Advisory DatabaseFix: Fixed in OpenTelemetry.Resources.Azure version 1.15.0-beta.2. The fix introduces limits to HttpClient requests so that response bodies are streamed rather than loaded entirely into memory, with responses greater than 4 MiB being ignored. As workarounds, you can disable the Azure VM resource detector or use network-level controls (firewall rules, mTLS, or service mesh) to prevent Man-in-the-Middle attacks on the Azure VM instance metadata endpoint.
GitHub Advisory DatabaseFix: Introduce a bounded, thread-safe LRU cache (a cache that automatically removes the least recently used items when full) for remote endpoints and enforce a fixed maximum size to prevent unbounded growth. See PR #7081 in the opentelemetry-dotnet repository for the fix.
GitHub Advisory DatabaseFix: Fixed in Spring AI version 1.0.6 and version 1.1.5.
NVD/CVE Database