CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

n8n security advisory (AV26-628)

unknown
Serial number: AV26-628 Date: June 24, 2026 On June 24, 2026, n8n published security advisories to address vulnerabilities in the following product: n8n – versions prior to 2.28.1 n8n – versions prior to 2.27.4 n8n – versions prior to 1.123.61 The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary update. "Allowed HTTP Request Domains" Restriction Bypass via AI Agents MCP Connector Prototype Pollution via Workflow Credentials Leads to Unauthenticated User and Project Enumeration Cross-Issuer Token Exchange Account Binding via Subject-Only Identity Resolution Shared Credential Header Leak via HTTP Request Pagination Expression n8n Security

CSIRTS triage

vendor: n8nproduct: n8nOtheraffected: prior to 2.28.1, 2.27.4, and 1.123.61
What
Vulnerabilities include restriction bypass and credential leaks.
Who is affected
Users of n8n prior to specified versions.
Urgency
Remediation is necessary to prevent unauthorized access and data leaks.
Action
Upgrade to n8n versions 2.28.1, 2.27.4, or 1.123.61.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch n8n

Get an email when a new n8n advisory drops — max one per day, one-click unsubscribe.

Details

Source
Canadian Centre for Cyber Security (CA · national-cert · site)
Severity
unknown
Published
2026-06-24
Exploitation
Not in CISA KEV at last sync

Original advisory: https://cyber.gc.ca/en/alerts-advisories/n8n-security-advisory-av26-628

More from Canadian Centre for Cyber Security