npm package
n8n
pkg:npm/n8n
Vulnerabilities (67)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-52554 | Med | 4.3 | < 1.99.1 | 1.99.1 | Jul 3, 2025 | n8n is a workflow automation platform. Prior to version 1.99.1, an authorization vulnerability was discovered in the /rest/executions/:id/stop endpoint of n8n. An authenticated user can stop workflow executions that they do not own or that have not been shared with them, leading | |
| CVE-2025-49595 | Med | 4.9 | < 1.99.0 | 1.99.0 | Jul 3, 2025 | n8n is a workflow automation platform. Prior to version 1.99.0, there is a denial of Service vulnerability in /rest/binary-data endpoint when processing empty filesystem URIs (filesystem:// or filesystem-v2://). This allows authenticated attackers to cause service unavailability | |
| CVE-2025-49592 | Med | 4.6 | < 1.98.0 | 1.98.0 | Jun 26, 2025 | n8n is a workflow automation platform. Versions prior to 1.98.0 have an Open Redirect vulnerability in the login flow. Authenticated users can be redirected to untrusted, attacker-controlled domains after logging in, by crafting malicious URLs with a misleading redirect query par | |
| CVE-2025-46343 | Med | 5.0 | < 1.90.0 | 1.90.0 | Apr 29, 2025 | n8n is a workflow automation platform. Prior to version 1.90.0, n8n is vulnerable to stored cross-site scripting (XSS) through the attachments view endpoint. n8n workflows can store and serve binary files, which are accessible to authenticated users. However, there is no restrict | |
| CVE-2023-27564 | Hig | 7.5 | < 0.216.1 | 0.216.1 | May 10, 2023 | The n8n package 0.218.0 for Node.js allows Information Disclosure. | |
| CVE-2023-27563 | Hig | 8.8 | < 0.216.1 | 0.216.1 | May 10, 2023 | The n8n package 0.218.0 for Node.js allows Escalation of Privileges. | |
| CVE-2023-27562 | Med | 6.5 | < 0.216.1 | 0.216.1 | May 10, 2023 | The n8n package 0.218.0 for Node.js allows Directory Traversal. |
- affected < 1.99.1fixed 1.99.1
n8n is a workflow automation platform. Prior to version 1.99.1, an authorization vulnerability was discovered in the /rest/executions/:id/stop endpoint of n8n. An authenticated user can stop workflow executions that they do not own or that have not been shared with them, leading
- affected < 1.99.0fixed 1.99.0
n8n is a workflow automation platform. Prior to version 1.99.0, there is a denial of Service vulnerability in /rest/binary-data endpoint when processing empty filesystem URIs (filesystem:// or filesystem-v2://). This allows authenticated attackers to cause service unavailability
- affected < 1.98.0fixed 1.98.0
n8n is a workflow automation platform. Versions prior to 1.98.0 have an Open Redirect vulnerability in the login flow. Authenticated users can be redirected to untrusted, attacker-controlled domains after logging in, by crafting malicious URLs with a misleading redirect query par
- affected < 1.90.0fixed 1.90.0
n8n is a workflow automation platform. Prior to version 1.90.0, n8n is vulnerable to stored cross-site scripting (XSS) through the attachments view endpoint. n8n workflows can store and serve binary files, which are accessible to authenticated users. However, there is no restrict
- affected < 0.216.1fixed 0.216.1
The n8n package 0.218.0 for Node.js allows Information Disclosure.
- affected < 0.216.1fixed 0.216.1
The n8n package 0.218.0 for Node.js allows Escalation of Privileges.
- affected < 0.216.1fixed 0.216.1
The n8n package 0.218.0 for Node.js allows Directory Traversal.
Page 4 of 4