13 matches found
n8n is Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition
Impact: An authenticated user with the global:member role could exploit chained authorization flaws in n8n's credential pipeline to steal plaintext secrets from generic HTTP credentials (httpBasicAuth, httpHeaderAuth, httpQueryAuth) belonging to other users on the same instance. The attack abuses a...
PT-2026-28081
Name of the Vulnerable Software and Affected Versions: n8n versions prior to 2.8.0 Description: n8n is a workflow automation platform. When the N8N_SKIP_AUTH_ON_OAUTH_CALLBACK environment variable is set to true, the OAuth callback handler does not verify the ownership of the OAuth state parameter...
PT-2026-28078
n8n is an open source workflow automation platform. Prior to versions 2.4.0 and 1.121.0, when LDAP authentication is enabled, n8n automatically linked an LDAP identity to an existing local account if the LDAP email attribute matched the local account's email. An authenticated LDAP user who could...
PT-2026-22036
Name of the Vulnerable Software and Affected Versions: n8n versions prior to 2.10.1; n8n versions prior to 2.9.3; n8n versions prior to 1.123.22 Description: n8n is a workflow automation platform susceptible to arbitrary script injection. An authenticated user with permission to create or modify...
PT-2026-22029
Name of the Vulnerable Software and Affected Versions: n8n versions prior to 2.10.1; n8n versions prior to 2.9.3; n8n versions prior to 1.123.22 Description: An authenticated user with permission to create or modify workflows could exploit the Python Code node to escape the sandbox. The sandbox did n...
PT-2026-22034
Name of the Vulnerable Software and Affected Versions: n8n versions prior to 2.10.1; n8n versions prior to 2.9.3; n8n versions prior to 1.123.22 Description: n8n is an open source workflow automation platform. An authenticated user with permission to create or modify workflows could leverage the Merg...
Vulnerability fixed in FortiSwitch
Fortinet has fixed a vulnerability in the FortiSwitch GUI. The vulnerability, tracked as CVE-2024-48887, allows a remote, unauthenticated attacker to change admin passwords via specially crafted requests. This security issue can lead to...
PT-2024-35154 · Libosdp · Libosdp
Name of the Vulnerable Software and Affected Versions: libosdp versions prior to 3.0.0 Description: The issue allows an attacker with MITM access to the communication to intercept and save the original RMAC_I reply. The attacker can then record all replies and save them until capturing the messag...
F5 Bug Could Lead to Complete System Takeover
Application delivery and networking firm F5 released a baker’s dozen of 13 fixes for high-severity bugs, including one that could lead to complete system takeover and hence is boosted to “critical” for customers that run BIG-IP in Appliance Mode, given that an attacker that holds valid credential...
WARNING: Hackers Exploit Unpatched Pulse Secure 0-Day to Breach Organizations
If a Pulse Connect Secure gateway is part of your organization's network, you need to be aware of a newly discovered critical zero-day authentication bypass vulnerability (CVE-2021-22893) that is currently being exploited in the wild and for which there is no patch available yet. At least two threat...
Moxa MiiNePort Devices Leak Data, Open to Unauthorized Access
Embedded device servers made by Moxa remain vulnerable to a trio of vulnerabilities disclosed today in an advisory published by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and a blog post by researcher Karn Ganeshen. Moxa, which is based in Taiwan, will publish a beta...
Moxa Won't Patch Publicly Disclosed Flaws Until August
Update: A number of publicly disclosed vulnerabilities in Moxa networking gear won’t be patched until August, if at all, according to an alert published on Friday by the Industrial Control System Cyber Emergency Response Team (ICS-CERT). Researcher Joakim Kennedy of Rapid7 disclosed in March some...
Microsoft to Fix Broken Patch Tuesday Security Update
Microsoft is still hammering away at a fix for a security update released last week that caused a small number of computers to crash and blue screen. “We are aware of some issues related to the recent updates and we are working on a fix,” a Microsoft representative today told Threatpost. MS14-045...