Ravie Lakshmanan, Mar 11, 2026. Vulnerability / Software Security

Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials

Cybersecurity researchers have disclosed details of two now-patched security flaws in the n8n workflow automation platform, including two critical bugs that could result in arbitrary command execution.

The vulnerabilities are listed below –

  • CVE-2026-27577 (CVSS score: 9.4) – Expression sandbox escape leading to remote code execution (RCE)
  • CVE-2026-27493 (CVSS score: 9.5) – Unauthenticated expression evaluation via n8n’s Form nodes

“CVE-2026-27577 is a sandbox escape in the expression compiler: a missing case in the AST rewriter lets process slip through untransformed, giving any authenticated expression full RCE,” Pillar Security researcher Eilon Cohen, who discovered and reported the issues, said in a report shared with The Hacker News.

The cybersecurity company described CVE-2026-27493 as a “double-evaluation bug” in n8n’s Form nodes that could be abused for expression injection by taking advantage of the fact that the form endpoints are public by design and require neither authentication nor an n8n account.

All it takes for successful exploitation is to leverage a public “Contact Us” form to execute arbitrary shell commands by simply providing a payload as input into the Name field.

In an advisory released late last month, n8n said CVE-2026-27577 could be weaponized by an authenticated user with permission to create or modify workflows to trigger unintended system command execution on the host running n8n via crafted expressions in workflow parameters.

n8n also noted that CVE-2026-27493, when chained with an expression sandbox escape like CVE-2026-27577, could “escalate to remote code execution on the n8n host.” Both vulnerabilities affect the self-hosted and cloud deployments of n8n –

  • < 1.123.22, >= 2.0.0 < 2.9.3, and >= 2.10.0 < 2.10.1 – Fixed in versions 2.10.1, 2.9.3, and 1.123.22

If immediate patching of CVE-2026-27577 is not an option, users are advised to limit workflow creation and editing permissions to fully trusted users and to deploy n8n in a hardened environment with restricted operating system privileges and network access.

As for CVE-2026-27493, n8n recommends the following mitigations –

  • Review the usage of form nodes manually for the above-mentioned preconditions.
  • Disable the Form node by adding n8n-nodes-base.form to the NODES_EXCLUDE environment variable.
  • Disable the Form Trigger node by adding n8n-nodes-base.formTrigger to the NODES_EXCLUDE environment variable.

“These workarounds do not fully remediate the risk and should only be used as temporary mitigation measures,” the maintainers cautioned.

Pillar Security said an attacker could exploit these flaws to read the N8N_ENCRYPTION_KEY environment variable and use it to decrypt every credential stored in n8n’s database, including AWS keys, database passwords, OAuth tokens, and API keys.

n8n versions 2.10.1, 2.9.3, and 1.123.22 also resolve two more critical vulnerabilities that could likewise be abused to achieve arbitrary code execution –

  • CVE-2026-27495 (CVSS score: 9.4) – An authenticated user with permission to create or modify workflows could exploit a code injection vulnerability in the JavaScript Task Runner sandbox to execute arbitrary code outside the sandbox boundary.
  • CVE-2026-27497 (CVSS score: 9.4) – An authenticated user with permission to create or modify workflows could leverage the Merge node’s SQL query mode to execute arbitrary code and write arbitrary files on the n8n server.

In addition to limiting workflow creation and editing permissions to trusted users, n8n has outlined the workarounds below for each flaw –

  • CVE-2026-27495 – Use external runner mode (N8N_RUNNERS_MODE=external) to limit the blast radius.
  • CVE-2026-27497 – Disable the Merge node by adding n8n-nodes-base.merge to the NODES_EXCLUDE environment variable.
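
As an added example that is not part of this article or of n8n's own tooling, the following POSIX shell script checks a deployment's n8n version against the affected ranges quoted above and prints the interim environment settings the advisory lists. The function names are my own; the JSON-array form of NODES_EXCLUDE follows n8n's documented convention for that variable.

```shell
#!/bin/sh
# Added example (not n8n project code): map a version string to the advisory's
# affected ranges and emit the interim hardening settings named in the article.

# Convert "MAJOR.MINOR.PATCH" (optional leading "v") to a comparable integer.
# Assumes each component is below 1000, which holds for n8n's version scheme.
vernum() {
  printf '%s\n' "$1" | sed 's/^v//' \
    | awk -F. '{ printf "%d", $1*1000000 + $2*1000 + $3 }'
}

# Returns 0 when the version is inside a range the advisory lists as affected:
#   < 1.123.22, >= 2.0.0 < 2.9.3, >= 2.10.0 < 2.10.1
n8n_is_affected() {
  v=$(vernum "$1")
  if [ "$v" -lt "$(vernum 1.123.22)" ]; then return 0; fi
  if [ "$v" -ge "$(vernum 2.0.0)" ] && [ "$v" -lt "$(vernum 2.9.3)" ]; then return 0; fi
  if [ "$v" -ge "$(vernum 2.10.0)" ] && [ "$v" -lt "$(vernum 2.10.1)" ]; then return 0; fi
  return 1
}

# Interim workarounds from the advisory in environment-variable form.
# NODES_EXCLUDE is a JSON array of node type names; external runner mode
# needs the task runner started as a separate process.
n8n_interim_env() {
  cat <<'EOF'
NODES_EXCLUDE=["n8n-nodes-base.form","n8n-nodes-base.formTrigger","n8n-nodes-base.merge"]
N8N_RUNNERS_MODE=external
EOF
}

# Report for one version string taken from the deployment being reviewed.
n8n_check() {
  if n8n_is_affected "$1"; then
    echo "n8n $1 is in an affected range: upgrade to 2.10.1, 2.9.3 or 1.123.22."
    echo "Until then, the advisory's interim settings are:"
    n8n_interim_env
    return 0
  fi
  echo "n8n $1 is outside the affected ranges."
  return 1
}
```

Run it as `n8n_check 2.9.2` from a shell that has sourced the script; a non-zero exit means the version is outside the listed ranges.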

While n8n makes no mention of any of these vulnerabilities being exploited in the wild, users are advised to keep their installations up-to-date for optimal protection.
