CVE-2026-33749 — CRITICAL (CVSS 9.0)

Q: Is CVE-2026-33749 actively exploited?

No confirmed active exploitation of CVE-2026-33749 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-33749?

1. PATCH: Upgrade to n8n 1.123.27, 2.13.3, or 2.14.1 immediately — this is the only full remediation. 2. RESTRICT (if patching delayed): Revoke workflow creation/edit permissions from all non-essential users via n8n RBAC; treat it as a break-glass scenario. 3. ROTATE: Rotate all API credentials stored in n8n (LLM API keys, DB passwords, cloud tokens, webhook secrets) if you cannot confirm no exploitation occurred. 4. DETECT: Audit n8n access logs for unusual requests to /rest/binary-data and admin endpoint calls from non-admin sessions. 5. NETWORK: If hosting n8n, restrict access to internal networks only and block unauthenticated external access to the instance. 6. MONITOR: Alert on admin privilege escalation events and bulk workflow reads post-incident.

Q: What systems are affected by CVE-2026-33749?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation platforms, AI integration pipelines, LLM orchestration layers, multi-tool AI agents.

Q: What is the CVSS score for CVE-2026-33749?

CVE-2026-33749 has a CVSS v3.1 base score of 9.0 (CRITICAL). The EPSS exploitation probability is 0.04%.

CISO Take

If your teams use n8n for AI agent automation or integration workflows, patch immediately to 1.123.27, 2.13.3, or 2.14.1 — n8n stores API keys and credentials for every integration, and this vulnerability hands all of them to an attacker via a single crafted URL sent to an admin. Until patched, restrict workflow creation/edit permissions to fully trusted users only, as any authenticated user with edit rights is a potential attacker. The blast radius is total: credentials, workflow logic, and admin access are all at stake.

What is the risk?

High operational risk for AI teams despite moderate EPSS (0.00038). CVSS 9.0 reflects the C:H/I:H/A:H scope-changed impact accurately. n8n is the de facto 'glue' for AI agent pipelines — it holds API keys for LLM providers, databases, SaaS tools, and cloud services. Privilege escalation to admin via a single phishing URL makes this a full platform compromise. Exploitation requires only a low-privilege authenticated account, making insider threat and compromised-account scenarios highly plausible. The attack requires user interaction (victim clicks URL), which is the main friction point.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	< 1.123.27	`1.123.27`
187.3K OpenSSF 6.1 16 dependents Pushed 5d ago 43% patched ~3d to patch Full package profile →

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1

9.0 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 13% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR Low

UI Required

S Changed

C High

I High

A High

What should I do?

6 steps

PATCH

Upgrade to n8n 1.123.27, 2.13.3, or 2.14.1 immediately — this is the only full remediation.
RESTRICT (if patching delayed): Revoke workflow creation/edit permissions from all non-essential users via n8n RBAC; treat it as a break-glass scenario.
ROTATE

Rotate all API credentials stored in n8n (LLM API keys, DB passwords, cloud tokens, webhook secrets) if you cannot confirm no exploitation occurred.
DETECT

Audit n8n access logs for unusual requests to /rest/binary-data and admin endpoint calls from non-admin sessions.
NETWORK

If hosting n8n, restrict access to internal networks only and block unauthenticated external access to the instance.
MONITOR

Alert on admin privilege escalation events and bulk workflow reads post-incident.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Auth Bypass Code Execution Agent Framework API AML.T0011.003 - Malicious Link AML.T0012 - Valid Accounts AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0081 - Modify AI Agent Configuration AML.T0083 - Credentials from AI Agent Configuration AML.T0084 - Discover AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.3 - Access control for AI systems A.9.3 - Protection of AI system information

NIST AI RMF

GOVERN 6.1 - Policies and procedures for AI risk management MANAGE 2.2 - Mechanisms are in place to inventory AI systems and their outputs

OWASP LLM Top 10

LLM06:2025 - Sensitive Information Disclosure LLM08:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-33749?

If your teams use n8n for AI agent automation or integration workflows, patch immediately to 1.123.27, 2.13.3, or 2.14.1 — n8n stores API keys and credentials for every integration, and this vulnerability hands all of them to an attacker via a single crafted URL sent to an admin. Until patched, restrict workflow creation/edit permissions to fully trusted users only, as any authenticated user with edit rights is a potential attacker. The blast radius is total: credentials, workflow logic, and admin access are all at stake.

Is CVE-2026-33749 actively exploited?

No confirmed active exploitation of CVE-2026-33749 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-33749?

1. PATCH: Upgrade to n8n 1.123.27, 2.13.3, or 2.14.1 immediately — this is the only full remediation. 2. RESTRICT (if patching delayed): Revoke workflow creation/edit permissions from all non-essential users via n8n RBAC; treat it as a break-glass scenario. 3. ROTATE: Rotate all API credentials stored in n8n (LLM API keys, DB passwords, cloud tokens, webhook secrets) if you cannot confirm no exploitation occurred. 4. DETECT: Audit n8n access logs for unusual requests to /rest/binary-data and admin endpoint calls from non-admin sessions. 5. NETWORK: If hosting n8n, restrict access to internal networks only and block unauthenticated external access to the instance. 6. MONITOR: Alert on admin privilege escalation events and bulk workflow reads post-incident.

What systems are affected by CVE-2026-33749?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation platforms, AI integration pipelines, LLM orchestration layers, multi-tool AI agents.

What is the CVSS score for CVE-2026-33749?

CVE-2026-33749 has a CVSS v3.1 base score of 9.0 (CRITICAL). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, an authenticated user with permission to create or modify workflows could craft a workflow that produces an HTML binary data object without a filename. The `/rest/binary-data` endpoint served such responses inline on the n8n origin without `Content-Disposition` or `Content-Security-Policy` headers, allowing the HTML to render in the browser with full same-origin JavaScript access. By sending the resulting URL to a higher-privileged user, an attacker could execute JavaScript in the victim's authenticated session, enabling exfiltration of workflows and credentials, modification of workflows, or privilege escalation to admin. The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or restrict network access to the n8n instance to prevent untrusted users from accessing binary data URLs. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An attacker with a low-privilege n8n account (e.g., a contractor, junior dev, or compromised service account) crafts a workflow that generates an HTML payload as a binary output object with no filename. The /rest/binary-data endpoint serves this HTML inline with no Content-Disposition or CSP headers, so the browser renders it as live HTML on the n8n origin. The attacker copies the resulting URL and sends it via Slack/email to an n8n admin ('hey, this workflow output looks broken, can you check?'). When the admin opens the URL in their authenticated browser session, the JavaScript executes with full same-origin access — silently POSTing all stored credentials and workflow definitions to an attacker-controlled endpoint, then creating a backdoor admin account. The admin sees a blank page or error and thinks nothing of it.