Critical RCE bugs expose the n8n automation platform to host-level compromise

Two critical sandbox escape flaws in the popular n8n workflow automation platform allow authenticated users to gain remote code execution on affected instances.

According to new JFrog findings, the sandboxing safeguards meant to contain untrusted workflow logic can be bypassed, exposing enterprise automation environments to full host compromise. Enterprises that rely on n8n to orchestrate integrations, automate internal processes, and connect cloud services with on-prem systems are at risk. JFrog's researchers said n8n's sandboxing can fail in specific configurations when users evaluate expressions or run custom scripts.

A sandbox escape exposes whatever the workflow engine can reach: stored credentials, connected APIs, and the surrounding infrastructure.

Expression engine sandbox escape enables JavaScript RCE

One of the issues identified by JFrog affects n8n's JavaScript expression engine, which is designed to evaluate user-supplied expressions safely during workflow execution. According to the researchers, flaws in how expressions are sanitized allow an attacker with permission to create or edit workflows to escape the sandbox and execute arbitrary JavaScript on the underlying host.


JFrog explained in a blog post that the expression engine's protections can be bypassed by carefully crafted payloads that exploit assumptions in the sandboxing logic. Once escaped, the attacker is no longer limited to expression evaluation and can run arbitrary commands with the privileges of the n8n service process.

"When the expression engine encounters a {{}} block, it processes the enclosed content by passing it to a JavaScript Function constructor, which then executes the supplied code," the researchers said. n8n uses an AST-based sandbox to neutralize dangerous JavaScript constructs before execution. A missed edge case in the legacy "with" statement allows attackers to bypass those checks and achieve arbitrary code execution.

The vulnerability has been assigned CVE-2026-1470 and carries a critical severity rating of CVSS 9.9 out of 10, owing to the ease with which the sandbox restrictions can be broken and the level of access gained after exploitation.
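The statement that a "with" edge case defeats an AST-based sandbox is worth seeing in working code. The following is an added illustration, not n8n's code and not the reported bypass: it uses a deliberately simple stand-in sandbox that rewrites explicit member access (x.y) into a checked lookup, the way a rewriting sandbox would, and a constructed scope object named `helpers`. The point it shows is general: inside `with (obj)`, a bare identifier is resolved at runtime as a property lookup on `obj` (prototype chain included), so a static pass that only inspects member expressions never sees the access. Prefixing the compiled body with "use strict" is one standard way to close the whole class, since strict-mode code cannot contain `with` at all.

```javascript
// Added illustration (not n8n's code, not the reported bypass): why a static,
// AST-style sandbox must refuse the `with` statement outright.

const BLOCKED_PROPS = new Set(['constructor', '__proto__', 'prototype']);

// Runtime guard that the rewritten code calls for every x.y it contains.
function guardedGet(obj, prop) {
  if (BLOCKED_PROPS.has(prop)) throw new Error(`blocked property: ${prop}`);
  return obj[prop];
}

// Stand-in for an AST pass over MemberExpression nodes: x.y -> guardedGet(x, 'y').
// A real sandbox walks a parse tree; a regex is enough to make the point here.
function rewriteMemberAccess(src) {
  return src.replace(/([A-Za-z_$][\w$]*)\.([A-Za-z_$][\w$]*)/g, "guardedGet($1, '$2')");
}

// Sloppy-mode execution, which is what the Function constructor gives by default.
function runSloppy(src, scope) {
  return new Function('guardedGet', 'scope', rewriteMemberAccess(src))(guardedGet, scope);
}

// Hardened variant: the "use strict" directive makes `with` a SyntaxError, so the
// engine rejects the payload at parse time, before any of our checks have to reason about it.
function runStrict(src, scope) {
  const body = '"use strict";\n' + rewriteMemberAccess(src);
  return new Function('guardedGet', 'scope', body)(guardedGet, scope);
}

// Constructed scope object standing in for the helpers an expression may use.
const helpers = { double: (n) => n * 2 };

// 1. Explicit member access is rewritten and guarded: 42, then "blocked property".
console.log(runSloppy('return scope.double(21)', helpers));
try { runSloppy('return scope.constructor', helpers); } catch (e) { console.log(e.message); }

// 2. Inside `with (scope)`, the bare identifier `constructor` resolves as a property
//    lookup on scope (via Object.prototype) with no `.` in the source, so the
//    member-access rewrite never sees it and the guard is never consulted.
console.log(runSloppy('with (scope) { return constructor }', helpers) === Object);

// 3. The strict-mode variant refuses the same input at parse time.
try { runStrict('with (scope) { return constructor }', helpers); } catch (e) { console.log(e.name); }
```

The regex rewriter is a stand-in for a real AST walk and would itself be easy to fool (string literals, computed access); the lesson is that no amount of care in the member-access pass helps when `with` turns identifier resolution into a runtime property lookup. Rejecting `with` at parse time, whether by strict mode or by refusing any WithStatement node, removes the ambiguity rather than trying to analyze it.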

Python Code node escape breaks isolation

JFrog also identified a separate sandbox escape affecting n8n's Python Code node when the platform is configured to use its "Internal" execution mode. In that configuration, the restrictions meant to contain Python code execution can be bypassed, again allowing authenticated users to run arbitrary code outside the sandbox.

The second issue, tracked as CVE-2026-0863, received a high severity rating of CVSS 8.5 out of 10. While exploitation depends on a specific configuration choice, JFrog noted that internal execution mode is commonly used in self-hosted enterprise deployments for performance and operational simplicity.

The researchers demonstrated how the Python sandbox constraints can be evaded, granting access to system resources that should be off-limits.

Urgent need to update

Both issues have been patched, and enterprises running n8n should make sure they are on fixed versions. Until patches are applied, organizations are advised to review carefully who holds permission to create or edit workflows, particularly in environments where n8n has access to internal networks, secrets, or privileged APIs, since that permission is the only prerequisite for both attacks.

CVE-2026-1470 is fixed in versions 1.123.17, 2.4.5, and 2.5.1, while CVE-2026-0863 is resolved in versions 1.123.14, 2.3.5, and 2.4.2. Upgrading to the fixed release for your branch mitigates the risk of exploitation, the researchers noted.
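Because the fixes landed on three release branches with different patch levels, a version number has to be compared within its own branch rather than as a single ordered value (2.4.3 carries the CVE-2026-0863 fix but not the CVE-2026-1470 fix, for instance). The following is an added example, not JFrog's or n8n's tooling, that checks an installed n8n version against the fixed releases listed above. It knows only the branches the article names; a version on any other branch is reported as "unknown" rather than assumed safe, because the article does not say whether other branches carry the fixes.

```javascript
// Added example: branch-aware check of an n8n version against the fixed releases
// named in the article. Not n8n's or JFrog's code.

const FIXED = {
  'CVE-2026-1470': ['1.123.17', '2.4.5', '2.5.1'],
  'CVE-2026-0863': ['1.123.14', '2.3.5', '2.4.2'],
};

// Parse "major.minor.patch" and tolerate a pre-release/build suffix ("2.4.3-rc.1").
// The suffix is ignored for the comparison, which is a deliberate simplification.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// "fixed" / "vulnerable" when the installed version sits on a branch the article
// lists a fix for; "unknown" otherwise, so unlisted branches are never assumed safe.
function cveStatus(installed, cve) {
  const [maj, min, patch] = parseVersion(installed);
  for (const fixed of FIXED[cve]) {
    const [fMaj, fMin, fPatch] = parseVersion(fixed);
    if (maj === fMaj && min === fMin) {
      return patch >= fPatch ? 'fixed' : 'vulnerable';
    }
  }
  return 'unknown';
}

// Status of every listed CVE for one installed version.
function report(installed) {
  const out = {};
  for (const cve of Object.keys(FIXED)) out[cve] = cveStatus(installed, cve);
  return out;
}

// True only when every CVE is confirmed fixed; "unknown" counts as not confirmed.
function allFixed(installed) {
  return Object.values(report(installed)).every((s) => s === 'fixed');
}

// Usage with constructed sample versions: the 2.4.x branch shows the split clearly.
for (const v of ['2.4.3', '2.4.5', '1.123.16', '2.5.1']) {
  console.log(v, report(v), allFixed(v) ? 'OK' : 'UPGRADE or CONFIRM');
}
```

Run it against the version reported by your n8n instance's UI or `n8n --version`; anything other than "fixed" on both lines means upgrade to the listed release for that branch, or confirm with the vendor advisory that the branch you are on contains the fix.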
