Cybersecurity researchers have disclosed particulars of two now-patched security flaws within the n8n workflow automation platform, together with two crucial bugs that would lead to arbitrary command execution.
The vulnerabilities are listed beneath –
- CVE-2026-27577 (CVSS rating: 9.4) – Expression sandbox escape resulting in distant code execution (RCE)
- CVE-2026-27493 (CVSS rating: 9.5) – Unauthenticated expression analysis by way of n8n’s Type nodes
“CVE-2026-27577 is a sandbox escape within the expression compiler: a lacking case within the AST rewriter lets course of slip by way of untransformed, giving any authenticated expression full RCE,” Pillar Safety researcher Eilon Cohen, who found and reported the problems, stated in a report shared with The Hacker Information.
The cybersecurity firm described CVE-2026-27493 as a “double-evaluation bug” in n8n’s Type nodes that could possibly be abused for expression injection by benefiting from the truth that the shape endpoints are public by design and require neither authentication nor an n8n account.
All it takes for profitable exploitation is to leverage a public “Contact Us” kind to execute arbitrary shell instructions by merely offering a payload as enter into the Identify subject.
In an advisory launched late final month, n8n stated CVE-2026-27577 could possibly be weaponized by an authenticated person with permission to create or modify workflows to set off unintended system command execution on the host working n8n by way of crafted expressions in workflow parameters.
N8n additionally famous that CVE-2026-27493, when chained with an expression sandbox escape like CVE-2026-27577, might “escalate to distant code execution on the n8n host.” Each vulnerabilities have an effect on the self-hosted and cloud deployments of n8n –
- < 1.123.22, >= 2.0.0 < 2.9.3, and >= 2.10.0 < 2.10.1 – Mounted in variations 2.10.1, 2.9.3, and 1.123.22
If instant patching of CVE-2026-27577 will not be an choice, customers are suggested to restrict workflow creation and enhancing permissions to completely trusted customers and deploy n8n in a hardened surroundings with restricted working system privileges and community entry.
As for CVE-2026-27493, n8n recommends the next mitigations –
- Overview the utilization of kind nodes manually for the above-mentioned preconditions.
- Disable the Type node by including n8n-nodes-base.kind to the NODES_EXCLUDE surroundings variable.
- Disable the Type Set off node by including n8n-nodes-base.formTrigger to the NODES_EXCLUDE surroundings variable.
“These workarounds don’t absolutely remediate the danger and may solely be used as short-term mitigation measures,” the maintainers cautioned.
Pillar Safety stated an attacker might exploit these flaws to learn the N8N_ENCRYPTION_KEY surroundings variable and use it to decrypt each credential saved in n8n’s database, together with AWS keys, database passwords, OAuth tokens, and API keys.
N8n variations 2.10.1, 2.9.3, and 1.123.22 additionally resolve two extra crucial vulnerabilities that may be abused to attain arbitrary code execution –
- CVE-2026-27495 (CVSS rating: 9.4) – An authenticated person with permission to create or modify workflows might exploit a code injection vulnerability within the JavaScript Activity Runner sandbox to execute arbitrary code exterior the sandbox boundary.
- CVE-2026-27497 (CVSS rating: 9.4) – An authenticated person with permission to create or modify workflows might leverage the Merge node’s SQL question mode to execute arbitrary code and write arbitrary recordsdata on the n8n server.
Apart from limiting workflow creation and enhancing permissions to trusted customers, n8n has outlined the workarounds beneath for every flaw –
- CVE-2026-27495 – Use exterior runner mode (N8N_RUNNERS_MODE=exterior) to restrict the blast radius.
- CVE-2026-27497 – Disable the Merge node by including n8n-nodes-base.merge to the NODES_EXCLUDE surroundings variable.
Whereas n8n makes no point out of any of those vulnerabilities being exploited within the wild, customers are suggested to maintain their installations up-to-date for optimum safety.
