CVE-2026-27497: n8n has Potential Remote Code Execution via Merge Node
An authenticated user with permission to create or modify workflows could leverage the Merge node’s SQL query mode to execute arbitrary code and write arbitrary files on the n8n server.
Detect and mitigate CVE-2026-27497 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.