NCSC-2026-0212 [1.00] [M/H] Vulnerabilities fixed in n8n workflow automation platform
n8n has fixed multiple vulnerabilities in the n8n workflow automation platform, specifically in versions prior to 1.123.55, 2.24.0, 2.25.7, 2.26.1, and 2.26.2. The vulnerabilities affect various components of the n8n platform. Authenticated users with workflow editing rights can bypass Content-Security-Policy (CSP) via the Respond to Webhook node and inject JavaScript via the Chat Trigger node. Furthermore, they can exfiltrate API tokens via the SecurityScorecard node and access, overwrite, or revoke credentials of other users via the Dynamic Credentials feature. Users with editor access to shared workflows can view others' credentials due to insufficient ownership checks. Unauthenticated attackers can submit false payloads via the MicrosoftAgent365Trigger and StripeTrigger nodes, leading to the execution of workflows with malicious data.
CSIRTS triage
- What
- Authenticated users can bypass security policies and exfiltrate sensitive data through various nodes.
- Who is affected
- Authenticated users with workflow editing rights in n8n versions prior to the specified versions.
- Urgency
- Remediation is urgent due to the risk of data exfiltration and unauthorized access to credentials.
- Action
- Upgrade to the specified versions of n8n to address these vulnerabilities.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch n8n
Get an email when a new n8n advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://advisories.ncsc.nl/advisory?id=NCSC-2026-0212
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-543010.22% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 12% of all scored CVEs.
- Low exploitation riskCVE-2026-543020.21% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 11% of all scored CVEs.
- Low exploitation riskCVE-2026-543040.35% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 27% of all scored CVEs.
- Low exploitation riskCVE-2026-543050.34% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 26% of all scored CVEs.
- Low exploitation riskCVE-2026-543060.26% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 17% of all scored CVEs.
- Low exploitation riskCVE-2026-543070.32% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 23% of all scored CVEs.
- Low exploitation riskCVE-2026-543080.28% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 19% of all scored CVEs.
- Low exploitation riskCVE-2026-543090.40% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 32% of all scored CVEs.
- Low exploitation riskCVE-2026-543100.39% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 31% of all scored CVEs.
- Low exploitation riskCVE-2026-543110.32% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 23% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-54301 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-54302 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-54304 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-54305 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-54306 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-54307 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-54308 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-54309 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-54310 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-54311 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-54312 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-54313 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-54314 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-54303 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
Recent advisories for n8n workflow automation
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- unknownCVE-2026-59209: n8n is an open source workflow automation platform. Prior to 1.123.61, 2.27.4, and, 2.28.1, an…nvd · 2026-07-09
- mediumCVE-2026-59208: n8n is an open source workflow automation platform. Prior to 2.27.4 and from 2.28.0 prior to 2…nvd · 2026-07-09
- mediumCVE-2026-59207: n8n is an open source workflow automation platform. Prior to 2.27.4 and 2.28.1, the AI Agents …nvd · 2026-07-09
- highCVE-2026-59206: n8n is an open source workflow automation platform. Prior to 1.123.61, 2.27.4, and, 2.28.1, an…nvd · 2026-07-09
More from NCSC-NL Advisories
- unknownNCSC-2026-0223 [1.00] [M/H] Vulnerabilities fixed in BeyondTrust Remote Support and Privileged Remote Access2026-07-10
- unknownNCSC-2026-0222 [1.00] [M/H] Vulnerabilities fixed in GitLab Enterprise Edition and Community Edition2026-07-10
- unknownNCSC-2026-0221 [1.00] [M/H] Vulnerabilities fixed in UniFi products from Ubiquiti Networks2026-07-07
- unknownNCSC-2026-0220 [1.00] [M/H] Vulnerabilities fixed in Rancher by Rancher Labs2026-07-03
- unknownNCSC-2026-0219 [1.00] [M/H] Vulnerabilities fixed in GitHub Enterprise Server2026-07-03