CERT-In reports n8n and VMware Fusion flaws

- CERT-In published vulnerability notes dated May 21 on multiple n8n flaws and a VMware Fusion privilege-escalation bug, warning affected organizations to apply vendor fixes. (cert-in.org.in)
- CERT-In rated the n8n issue set “CRITICAL” and said affected versions could enable arbitrary code execution, unauthorized access, privilege escalation and data exposure. (cert-in.org.in)
- CERT-In’s notes point users to n8n GitHub security advisories and Broadcom’s VMware Fusion 26H1 release notes and security advisory. (cert-in.org.in)

CERT-In issued two vulnerability notes dated May 21 covering a new batch of n8n flaws and a privilege-escalation bug in VMware Fusion, adding to a run of recent alerts around developer tooling and virtualization software. The Indian government incident-response agency rated the n8n issues “CRITICAL” and the VMware Fusion flaw “HIGH,” and said organizations using the affected products should apply vendor updates. (cert-in.org.in)

The notices describe risks ranging from arbitrary code execution and unauthorized access in n8n to root-level privilege escalation on hosts running VMware Fusion. CERT-In linked both notes to vendor guidance and patch information.

### Which products did CERT-In flag this week?

CERT-In’s first note, CIVN-2026-0252, covers multiple vulnerabilities in n8n, the workflow automation platform used to connect apps, APIs and internal systems. (cert-in.org.in) The agency said the affected releases include versions prior to 1.123.32, 2.17.4 and 2.18.1, and also versions prior to 1.123.43, 2.20.7 and 2.22.1.

CERT-In’s second note, CIVN-2026-0253, covers VMware Fusion 25H2. The agency said the flaw could allow a local attacker to escalate privileges and gain root access on the affected system. (cert-in.org.in)

### What did CERT-In say the n8n bugs could let an attacker do?

CERT-In said the n8n vulnerabilities may allow an attacker to execute arbitrary code, gain unauthorized access, disclose sensitive information, perform privilege escalation or compromise the targeted system. The note says the issues stem from improper access control, insecure webhook handling and insufficient input validation.

The agency said the target audience for the n8n note is “all end-user organizations responsible for deploying, securing, and maintaining n8n.” It assessed the risk as high for remote code execution, unauthorized access, privilege escalation and sensitive-information disclosure, and said successful exploitation could lead to full system takeover and data exposure. (cert-in.org.in 1) (cert-in.org.in 2)

### Why does the n8n alert matter beyond a single app?

n8n is described in CERT-In’s note as a low-code, open-source workflow automation platform used to automate business processes and integrate software systems. That makes the alert relevant to teams that run internal automations, connect cloud services, or use n8n in developer and operations workflows. (cert-in.org.in)

Because n8n commonly sits between apps, APIs and internal services, the exposure described by CERT-In includes both access-control and code-execution risk if vulnerable instances remain unpatched. That is an inference from the agency’s description of n8n’s role and the listed impacts, not a separate vendor statement. (cert-in.org.in)

### What is the VMware Fusion flaw?

CERT-In said the VMware Fusion issue is a Time-of-Check Time-of-Use, or TOCTOU, race condition in a SETUID binary within VMware Fusion. The note says a local attacker with limited privileges could exploit the flaw to manipulate execution flow, gain elevated privileges on the host system, obtain root access and execute arbitrary commands with those privileges. (cert-in.org.in)

The VMware note lists CVE-2026-41702 and says the potential impact includes compromise of confidentiality, integrity and availability, including complete system compromise. CERT-In identified organizations and individuals using affected VMware Fusion as the target audience. (cert-in.org.in)

### What versions and fixes should users check now?

CERT-In said n8n users should apply the updates referenced in five GitHub security advisories linked from the note. The agency did not reproduce the full remediation text in the note itself, but directed users to vendor guidance for the patched versions it listed.

Broadcom’s VMware guidance is linked directly from CERT-In’s VMware Fusion note through the vendor’s security advisory and VMware Fusion 26H1 release notes. (cert-in.org.in) CERT-In said affected users should apply the appropriate updates referenced there.

### What happens next for defenders?

May 21 is the original issue date on both CERT-In notes, and the agency’s public vulnerability pages now carry the affected-version details, impact descriptions and vendor references. (cert-in.org.in) Organizations running n8n or VMware Fusion can use note IDs CIVN-2026-0252 and CIVN-2026-0253 to match their deployments against the listed versions and vendor advisories. (cert-in.org.in)
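The matching step the last section describes, as an added example that is not CERT-In's or the n8n project's code: a small triage script that takes an inventory of n8n versions and classifies each against the version lists quoted from CIVN-2026-0252. It makes labelled assumptions the note itself does not spell out: the two version lists are treated as two advisory groups; each listed version is taken as the first fixed release on its line (the whole 1.x line, or one 2.x minor series); a version newer than every fix a group names on its major line is assumed to carry that group's fix; anything the lists do not cover is reported for manual review against the GitHub advisories rather than guessed. The host names and versions in the sample inventory are constructed.

```python
"""Match deployed n8n versions against the fixed versions named in CERT-In's
CIVN-2026-0252. Added example, not CERT-In's or n8n's own code.

Labelled assumptions: the note's two version lists are two advisory groups;
each listed version is the first fixed release on its line (all of 1.x, or a
single 2.x minor series); a version newer than every fix a group names on its
major line is assumed to carry that group's fix; anything else is "review".
"""
from __future__ import annotations

import re
from typing import Iterable

Version = tuple[int, int, int]

# The two version lists exactly as CERT-In's note states them.
FIX_GROUPS: list[list[str]] = [
    ["1.123.32", "2.17.4", "2.18.1"],
    ["1.123.43", "2.20.7", "2.22.1"],
]

# Optional leading "v"; a pre-release/build tag is accepted but ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.-]+)?$")


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def line_key(v: Version) -> tuple[int, ...]:
    """Assumption: 1.x is one maintenance line; 2.x fixes are per minor series."""
    return (v[0],) if v[0] == 1 else (v[0], v[1])


def status_for_group(v: Version, group: Iterable[str]) -> str:
    """Classify v against one advisory group: 'affected', 'patched' or 'review'."""
    fixes = [parse_version(s) for s in group]
    same_line = [f for f in fixes if line_key(f) == line_key(v)]
    if same_line:
        return "patched" if v >= max(same_line) else "affected"
    same_major = [f for f in fixes if f[0] == v[0]]
    # Assumption: newer than every fix this group names on the major line
    # means the fix was carried forward into this release.
    if same_major and v > max(same_major):
        return "patched"
    return "review"


def assess(version: str, groups: list[list[str]] = FIX_GROUPS) -> str:
    """Worst case across all groups: affected > review > patched."""
    v = parse_version(version)
    results = {status_for_group(v, g) for g in groups}
    if "affected" in results:
        return "affected"
    if "review" in results:
        return "review"
    return "patched"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map host name -> status for an inventory of host -> deployed n8n version."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = {"auto-01": "1.123.40", "auto-02": "2.20.6",
              "auto-03": "2.22.1", "lab-01": "2.19.0"}
    for host, status in triage(sample).items():
        print(f"{host:8s} {sample[host]:10s} {status}")
```

The "review" outcome is deliberate: a 2.19.x or 2.21.x deployment is not named in either list, and the honest answer is to read the five linked advisories rather than let a script declare it safe.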
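The TOCTOU race class named in the "What is the VMware Fusion flaw?" section, shown in generic form as an added example. This is not VMware's code and does not describe the actual Fusion binary, which the note does not detail; it is the textbook shape of the bug. A simulated privileged helper checks that a path is a regular file and then opens it by name; a hook run between the check and the use swaps the path for a symlink, which is the window a racing local process would aim for against a real setuid program. The hardened form opens first with `O_NOFOLLOW` and validates the descriptor it actually obtained with `fstat`, so there is no gap between check and use. Assumes a POSIX host (Linux or macOS); all file names and contents are constructed in a temporary directory.

```python
"""Check-then-use (TOCTOU) versus open-then-fstat, in generic form.
Added example, not VMware's code; the real Fusion flaw is not reproduced here.
Assumes POSIX: os.O_NOFOLLOW and symlinks are available."""
import os
import stat
import tempfile
from typing import Callable


def read_if_regular_unsafe(path: str, between: Callable[[], None]) -> bytes:
    """Vulnerable pattern: check by name, then open by name (two separate lookups)."""
    st = os.lstat(path)                      # time of check: inspects the name
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("not a regular file")
    between()                                # the race window a local user targets
    with open(path, "rb") as f:              # time of use: a fresh lookup of the same name
        return f.read()


def read_if_regular_safe(path: str, between: Callable[[], None]) -> bytes:
    """Hardened pattern: open once without following symlinks, then fstat the fd."""
    between()                                # any swap now only changes what open() sees
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC
    fd = os.open(path, flags)                # O_NOFOLLOW: a symlink here fails with ELOOP
    try:
        st = os.fstat(fd)                    # check the object we hold, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)


def demo() -> dict:
    """Run both helpers against the same symlink swap; return what each read."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")   # stands in for a root-only file
        target = os.path.join(d, "target")       # the path handed to the helper
        with open(secret, "w") as f:
            f.write("SECRET")

        def reset() -> None:
            if os.path.lexists(target):
                os.remove(target)
            with open(target, "w") as f:         # target starts as a harmless regular file
                f.write("benign")

        def swap() -> None:
            # Simulates the racing process replacing the checked path with a symlink.
            os.remove(target)
            os.symlink(secret, target)

        reset()
        results["unsafe"] = read_if_regular_unsafe(target, swap).decode()

        reset()
        try:
            results["safe"] = read_if_regular_safe(target, swap).decode()
        except OSError as e:                     # ELOOP from O_NOFOLLOW, or our own check
            results["safe"] = f"refused: {e.strerror}"

        reset()
        results["safe_no_swap"] = read_if_regular_safe(target, lambda: None).decode()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {outcome}")
```

The unsafe helper ends up returning the contents of `secret.txt` even though its check passed, because the check and the open resolved the name at two different moments. The safe helper either reads the legitimate file or refuses, and the only thing it ever validates is the descriptor it is about to use; that is the property a fix for a setuid TOCTOU has to restore.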

Shared from Scout - Be the smartest in the room.