Important Security Patch 25/02/2026 (update to 2.9.3)

umnz

Edit: The latest version has been published and is available for updating in Cloudron.

---

Hello team, I received this notice from n8n regarding an incoming update happening tomorrow. It specifically mentions self-hosted instances and it sounds like it may be quite a bad vulnerability. I just wanted to call this out in case you need to or want to notify your customer base.

Upcoming security advisories. Action required: update to latest patch version. 

We are preparing to release patches and security advisories this Wednesday, 25th of February, around midday CET, to address recently discovered high-or critical-severity security vulnerabilities in n8n.

We recommend that all self-hosted instances be patched to the latest patch version in their respective release branches as close to the planned release date as feasible.

Once the patches are released, we will inform you again and share details of the applicable patch versions and links to the published advisories. The information shared here is based on our current knowledge, and we will update you as soon as possible if our guidance changes.

Best regards,
The n8n Security Team

@girish @james

joseph

is this part of 2.9.2 ? https://github.com/n8n-io/n8n/releases/tag/n8n%402.9.2 ? Cloudron package is on latest as it stands.

umnz

It's patched in 2.9.3. Quite a few vulnerabilities actually. SQL Injection, SSO bypass, Chat auth bypass etc.

https://github.com/n8n-io/n8n/security/advisories/GHSA-jh8h-6c9q-7gmw

nebulon

The packag for n8n 2.9.3 is also already out by now.

umnz

@nebulon yep, I've updated my instances. I just wanted to make sure everyone was aware here because if you don't register your instance with n8n, they can't email you the security notices.

timconsidine