n8n security advisory (AV26-628)
Serial number: AV26-628 Date: June 24, 2026 On June 24, 2026, n8n published security advisories to address vulnerabilities in the following product: n8n – versions prior to 2.28.1 n8n – versions prior to 2.27.4 n8n – versions prior to 1.123.61 The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary update. "Allowed HTTP Request Domains" Restriction Bypass via AI Agents MCP Connector Prototype Pollution via Workflow Credentials Leads to Unauthenticated User and Project Enumeration Cross-Issuer Token Exchange Account Binding via Subject-Only Identity Resolution Shared Credential Header Leak via HTTP Request Pagination Expression n8n Security
CSIRTS triage
- What
- Vulnerabilities include restriction bypass and credential leaks.
- Who is affected
- Users of n8n prior to specified versions.
- Urgency
- Remediation is necessary to prevent unauthorized access and data leaks.
- Action
- Upgrade to n8n versions 2.28.1, 2.27.4, or 1.123.61.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch n8n
Get an email when a new n8n advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://cyber.gc.ca/en/alerts-advisories/n8n-security-advisory-av26-628
More from Canadian Centre for Cyber Security
- unknownBitWarden security advisory (AV26-683)2026-07-10
- criticalAL25-007 - Vulnerability impacting Roundcube Webmail – CVE-2025-49113 – Update 12026-07-10
- unknownMicrosoft Edge security advisory (AV26-682)2026-07-10
- criticalBroadcom VMware security advisory (AV26-681)2026-07-10
- unknownDjango security advisory (AV26-084) – Update 12026-07-09