Action required: Security vulnerability in n8n — please upgrade

We have just released [email protected] which contains important security fixes.

In addition, this release fixes a migration that could potentially rewire workflows containing nodes with multiple outputs (Switch, If and Compare Records) if the first node output is not connected to another node.

To protect your n8n instances and avoid the above migration, we recommend that you upgrade to [email protected], [email protected] or later as soon as possible.

If you have previously upgraded to any version of n8n between 0.214.3 and 0.216.1, we recommend that you review your workflows before running them. You can run the "Get workflows affected by 0.214.3 migration" n8n workflow template to identify workflows that might be affected.

7 Likes
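An offline way to apply the condition described in the announcement above to an exported workflow JSON, as an added example (not n8n's code and not the linked workflow template). It assumes the export layout `connections[nodeName].main[outputIndex]` and the node type identifiers listed in the code; the function name and sample workflow are constructed for illustration.

```javascript
// Added example: lists multi-output nodes whose first output is unconnected.
// Assumed type identifiers for the If, Switch and Compare Records nodes.
const MULTI_OUTPUT_TYPES = new Set([
  'n8n-nodes-base.if',
  'n8n-nodes-base.switch',
  'n8n-nodes-base.compareDatasets',
]);

// Hypothetical helper: takes one parsed workflow export, returns findings.
function findNodesWithUnconnectedFirstOutput(workflow) {
  const findings = [];
  const connections = workflow.connections || {};
  for (const node of workflow.nodes || []) {
    if (!MULTI_OUTPUT_TYPES.has(node.type)) continue;
    // An output can be missing, null or an empty array when nothing is attached.
    const outputs = (connections[node.name] || {}).main || [];
    const connectedOutputs = [];
    outputs.forEach((targets, index) => {
      if (Array.isArray(targets) && targets.length > 0) connectedOutputs.push(index);
    });
    if (!connectedOutputs.includes(0)) {
      findings.push({ workflow: workflow.name, node: node.name, type: node.type, connectedOutputs });
    }
  }
  return findings;
}

// Constructed sample workflow (not taken from a real instance).
const sampleWorkflow = {
  name: 'Constructed sample',
  nodes: [
    { name: 'Start', type: 'n8n-nodes-base.manualTrigger' },
    { name: 'IF order paid', type: 'n8n-nodes-base.if' },
    { name: 'Route by region', type: 'n8n-nodes-base.switch' },
    { name: 'Notify', type: 'n8n-nodes-base.noOp' },
    { name: 'Archive', type: 'n8n-nodes-base.noOp' },
  ],
  connections: {
    Start: { main: [[{ node: 'IF order paid', type: 'main', index: 0 }]] },
    'IF order paid': { main: [
      [{ node: 'Route by region', type: 'main', index: 0 }],
      [{ node: 'Archive', type: 'main', index: 0 }],
    ] },
    // First output empty, second output connected: the case to review by hand.
    'Route by region': { main: [[], [{ node: 'Notify', type: 'main', index: 0 }]] },
  },
};

console.log(JSON.stringify(findNodesWithUnconnectedFirstOutput(sampleWorkflow), null, 2));
```

Nodes it reports are candidates for manual review; it inspects the current connections only and cannot tell whether a workflow was already changed by the migration.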

Does this mean that there should generally be no problems for multi-output nodes that have the first output (the top-most branch) connected?

In theory yeah, it is worth running the workflow to see what might be impacted though 🙂

1 Like

Hey @koyto,

Could you open a new thread and complete the template, as the issue is not directly related to the issue here and I don’t want to cause any confusion?

1 Like

Probably a dumb question, but I am on 0.214.2. Do I need to be aware of problems with the Switch / If / Compare Records if I upgrade to the latest?

@jhambach, upgrading from <=0.214.2 to >=0.214.4 should be safe.

1 Like

Hey @jhambach,

You should be all good, the change that causes the issue was introduced in 0.214.3.

Of course after any upgrade it is worth testing your workflows just to make sure everything is all good.

2 Likes

Has anything regarding basic_auth changed in latest versions?

Since I applied this upgrade (216.2 first and 217.1 after) we now get an initial http auth logging but then another n8n user login screen.

Is this now mandatory?
What is the default password in that case, as we never configured smtp or the user's email on our self-hosted n8n?
Can we maintain just http auth + our own proxy ip whitelist?

Hey @luison,

Do you have the user management feature disabled? There is no default password for it so if you are seeing a username and password prompt instead of the setup it would suggest either someone has set it up or there is a bug introduced that we are not aware of.

I would suggest opening a new topic and completing the template so we can find out more about your environment and see if we can work out where the issue is.

Hi @Jon, thanks for the prompt reply.
No, we have not changed anything and have always been using basic_auth by using env vars for:

N8N_BASIC_AUTH_ACTIVE
and user and password

but now we do get the n8n login after filling that up. We have no smtp or other related auth flag in our settings.