CVE-2026-33660
Published: 25 March 2026
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2026-33660 is a high-severity vulnerability (CVSS 8.8) in n8n, an open-source workflow automation platform. It affects releases before 2.14.1, 2.13.3 and 1.123.26 on their respective release lines. The flaw is insufficient sandboxing of the AlaSQL library that backs the Merge node's "Combine by SQL" mode (CWE-94: Improper Control of Generation of Code, CWE-89: Improper Neutralization of Special Elements used in an SQL Command). An authenticated user who is allowed to create or modify workflows can craft SQL statements that escape the library's restrictions, giving arbitrary local file reads on the n8n host and potentially remote code execution.
The attack is reachable over the network (AV:N) and needs only a low-privileged account (PR:L) that can create or edit workflows; attack complexity is low and no user interaction is required (AC:L, UI:N). A successful attack has high confidentiality, integrity and availability impact (C:H/I:H/A:H), from exfiltrating sensitive server files to full compromise of the n8n instance via RCE, with no scope change (S:U).
The n8n security advisory recommends upgrading to 2.14.1, 2.13.3 or 1.123.26 (or later) for full remediation. As temporary measures, administrators should restrict workflow creation and editing to fully trusted users and/or disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable (the variable takes a JSON array of node type names, e.g. `["n8n-nodes-base.merge"]`). Excluding the node disables every Merge mode, not only "Combine by SQL", so existing workflows that use it will stop running. These workarounds are not comprehensive and serve only as short-term protection. Details are available in the advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-58qr-rcgv-642v.
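The following is an added example, not code from n8n or the advisory, covering the three checks an operator would run before and after applying the remediation above: whether the running version is at or past the fix for its release line, whether `NODES_EXCLUDE` is actually in the JSON-array form n8n expects, and which exported workflows contain a Merge node in "Combine by SQL" mode. It assumes (not stated on this page) that the Merge node stores its mode under `parameters.mode` with the value `combineBySql` and its SQL under `parameters.query`, and it treats any version on a release line with no listed backport as vulnerable unless it is newer than 2.14.1; the sample workflow is constructed for the demonstration.

```javascript
// Added example: pre/post-remediation checks for CVE-2026-33660.
// Patched releases named in the advisory, keyed by release line.
const PATCHED = { '2.14': [2, 14, 1], '2.13': [2, 13, 3], '1.123': [1, 123, 26] };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when the version is at or above the fix for its release line.
// Assumption of this script: a line with no listed backport (e.g. 2.12.x)
// counts as patched only if it is newer than the newest fix, 2.14.1.
function isPatched(version) {
  const v = parseVersion(version);
  const line = `${v[0]}.${v[1]}`;
  if (PATCHED[line]) return cmp(v, PATCHED[line]) >= 0;
  return cmp(v, PATCHED['2.14']) >= 0;
}

// NODES_EXCLUDE is parsed by n8n as JSON; a bare string such as
// NODES_EXCLUDE=n8n-nodes-base.merge is a silent misconfiguration.
function mergeNodeExcluded(nodesExclude) {
  if (!nodesExclude) return false;
  let list;
  try { list = JSON.parse(nodesExclude); } catch { return false; }
  return Array.isArray(list) && list.includes('n8n-nodes-base.merge');
}

// Scan an exported workflow for Merge nodes in "Combine by SQL" mode and
// return their names and queries for manual review (assumed parameter names).
function findSqlMergeNodes(workflow) {
  return (workflow.nodes || [])
    .filter(n => n.type === 'n8n-nodes-base.merge' && n.parameters?.mode === 'combineBySql')
    .map(n => ({ name: n.name, query: n.parameters.query || '' }));
}

// Constructed sample export (not a real n8n workflow).
const SAMPLE_WORKFLOW = {
  name: 'audit-sample',
  nodes: [
    { name: 'Merge by key', type: 'n8n-nodes-base.merge', parameters: { mode: 'combine' } },
    { name: 'Merge by SQL', type: 'n8n-nodes-base.merge',
      parameters: { mode: 'combineBySql',
        query: 'SELECT * FROM input1 LEFT JOIN input2 ON input1.id = input2.id' } },
    { name: 'Set', type: 'n8n-nodes-base.set', parameters: {} },
  ],
};

console.log('2.13.2 patched?', isPatched('2.13.2'));       // false
console.log('2.13.3 patched?', isPatched('2.13.3'));       // true
console.log('bare string excludes merge?', mergeNodeExcluded('n8n-nodes-base.merge'));      // false
console.log('JSON array excludes merge?', mergeNodeExcluded('["n8n-nodes-base.merge"]'));   // true
console.log('SQL merge nodes:', findSqlMergeNodes(SAMPLE_WORKFLOW));
```

Run the workflow scan over every export (the n8n CLI can export all workflows to JSON) so that, once the node is excluded, you know which workflows will break and which should be rewritten to another Merge mode before the upgrade window closes.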
Details
- CWE(s): CWE-94 (Improper Control of Generation of Code), CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
- Affected Products: n8n before 2.14.1, 2.13.3 and 1.123.26 on their respective release lines
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables arbitrary local file reads on the n8n host (T1005: Data from Local System) and, through the potential RCE, lets a low-privileged authenticated user escalate to control of the instance (T1068: Exploitation for Privilege Escalation).