Describe the problem/error/question
Hi n8n team,
I’d like to verify the patch level for two security issues.
Q1 (main): What is the minimum n8n version that includes fixes for both CVE-2026-21858 and CVE-2025-68613?
→ I’m looking for the earliest tag that contains both fixes so I can plan a single upgrade.
Q2 (backports): Were the fixes backported across each maintained minor line? If yes, please list the minimum patched patch release per line, for example:
• 1.120.x → fixed since 1.120.?
• 1.121.x → fixed since 1.121.?
• 1.122.x → fixed since 1.122.?
Context (public info, for reference only):
• CVE-2026-21858 — advisory indicates a fix in 1.121.0 (published Jan 7, 2026).
• CVE-2025-68613 — NVD lists fixes in 1.120.4, 1.121.1, 1.122.0 (published Dec 19, 2025; last modified Jan 2, 2026).
Environment: self-hosted (Docker/K8s), current n8n version: (fill in).
Upgrade plan: We intend to move to the earliest version that contains both fixes (or the latest stable you recommend). Please also share the corresponding release notes/advisory links for the confirmed tag.
Thanks!