CVE-2026-33660: n8n has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode

March 25, 2026

An authenticated user with permission to create or modify workflows could use the Merge node’s “Combine by SQL” mode to read local files on the n8n host and achieve remote code execution. The AlaSQL sandbox did not sufficiently restrict certain SQL statements, allowing an attacker to access sensitive files on the server or even compromise the intance.

References

github.com/advisories/GHSA-58qr-rcgv-642v
github.com/n8n-io/n8n
github.com/n8n-io/n8n/security/advisories/GHSA-58qr-rcgv-642v
nvd.nist.gov/vuln/detail/CVE-2026-33660

Code Behaviors & Features

Detect and mitigate CVE-2026-33660 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →