Action required: Security vulnerability in n8n β€” please upgrade

We have just released [email protected] which contains important security fixes.

In addition, this release fixes a migration that could potentially rewire workflows containing nodes with multiple outputs (Switch, If and Compare Records) if the first node output is not connected to another node.

To protect your n8n instances and avoid the above migration, we recommend that you upgrade to [email protected], [email protected] or later as soon as possible.

If you have previously upgraded to any version of n8n between 0.214.3 and 0.216.1, we recommend that you review your workflows before running them. You can run Get workflows affected by 0.214.3 migration | n8n workflow template to identify workflows that might be affected.


Does this mean that there should generally be no problems for multi-output nodes that have the first output (the top-most branch) connected?

In theory yeah, it is worth running the workflow to see what might be impacted though :slightly_smiling_face:

1 Like

Hey @koyto,

Could you open a new thread and complete the template as the issue is not directly related to the issue here and I don’t want to cause any confusion.

1 Like

Probably a dumb question, but I am on 0.214.2. Do I need to be aware of problems with the Switch / If / Compare Records if I upgrade to the latest?

@jhambach, upgrading from <=0.214.2 to >=0.214.4 should be safe.

1 Like

Hey @jhambach,

You should be all good, the change that causes the issue was introduced in 0.214.3.

Of course after any upgrade it is worth testing your workflows just to make sure everything is all good.


Has anything regarding basic_auth changed in latest versions?

Since I applied this upgrade (216.2 first and 217.1 after) we now get an initial http auth logging but then another n8n user login screen.

Is this now mandatory?
What is the default password in that case as we never configured smtp or the users email on our self-hosted n8n?
Can we maintain just http auth + our own proxy ip whitelist?

Hey @luison,

Do you have the user management feature disabled? There is no default password for it so if you are seeing a username and password prompt instead of the setup it would suggest either someone has set it up or there is a bug introduced that we are not aware of.

I would suggest opening a new topic and completing the template so we can find out more about your environment and see if we can work out where the issue is.

Hi @Jon, thanks for prompt reply.
No we have not changed anything and always been using basic_auth by using env vars for:

and user and password

but now do get the n8n login after filling that up. We have no smtp or other related auth flag on our settings.