Important Security Patch: 2.13.3 and 1.123.27

umnz

Just a warning to those who follow this forum, make sure you update.

"Action required: update to the latest patch version of n8n

We recently informed you about upcoming patches and security advisories for high- or critical-severity security vulnerabilities in n8n.

These vulnerabilities have been fixed in the following n8n versions:

1.x: Versions < 1.123.27 are patched in 1.123.27
Stable: Versions >= 2.0.0 < 2.13.3 are patched in 2.13.3
Beta: Versions >= 2.14.0 < 2.14.1 are patched in 2.14.1
If you are running a version below the fixed version for your release branch, please upgrade to the applicable fixed version (or later) as soon as possible to protect your instance. For guidance on how to update your self-hosted instance, please refer to our updating documentation.

The related security advisories have been published. You can find links to the advisories below:

Critical | RCE via SQL Mode of Merge Node (CVE-2026-33660)
Critical | Prototype Pollution in GSuiteAdmin node parameters leads to RCE (CVE-2026-33696)
High | Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition (CVE-2026-33663)
High | In-Process Memory Disclosure in Task Runner (CVE-2026-27496)
High | LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover (CVE-2026-33665)
High | SQL Injection in Data Table Node via orderByColumn Expression (CVE-2026-33713)
High | External Secrets Authorization Bypass in Credential Saving (CVE-2026-33722)
The information shared here is based on our current knowledge, and we will update you as soon as possible if our guidance changes.

Best regards,
The n8n Security Team"

nebulon

the new patched version of n8n is packaged and released by now.

umnz

Glad to hear it! Thanks @nebulon.