Critical n8n Vulnerabilities Enable Remote Code Execution and Credential Exposure
Recent analyses have uncovered significant security vulnerabilities within the n8n workflow automation platform, potentially allowing attackers to execute arbitrary commands and access sensitive credentials.
Identified Vulnerabilities:
1. CVE-2026-27577 (CVSS Score: 9.4): This flaw involves a sandbox escape in the expression compiler. A missing case in the Abstract Syntax Tree (AST) rewriter permits the ‘process’ object to bypass transformations, granting authenticated users the ability to execute arbitrary code on the host system.
2. CVE-2026-27493 (CVSS Score: 9.5): Dubbed a double-evaluation bug, this vulnerability exists within n8n’s Form nodes. Publicly accessible form endpoints, which do not require authentication, can be exploited to inject expressions. For instance, an attacker could manipulate a Contact Us form by entering a malicious payload into the Name field, leading to the execution of shell commands.
Pillar Security researcher Eilon Cohen, who identified these issues, emphasized the severity of these vulnerabilities, noting that they could lead to full system compromise.
Potential Impact:
Exploitation of these vulnerabilities could result in:
– Remote Code Execution (RCE): Attackers may execute arbitrary commands on the n8n host, potentially leading to full system control.
– Credential Exposure: By accessing the N8N_ENCRYPTION_KEY environment variable, attackers can decrypt stored credentials, including AWS keys, database passwords, OAuth tokens, and API keys.
Affected Versions:
Both self-hosted and cloud deployments of n8n are impacted:
– Versions: below 1.123.22, from 2.0.0 up to but not including 2.9.3, and from 2.10.0 up to but not including 2.10.1.
– Fixed in: Versions 2.10.1, 2.9.3, and 1.123.22.
Mitigation Measures:
To address these vulnerabilities, users are advised to:
– Update n8n: Upgrade to the patched versions (2.10.1, 2.9.3, or 1.123.22) to remediate the identified issues.
– Restrict Permissions: Limit workflow creation and editing rights to trusted users to minimize potential exploitation.
– Harden Environment: Deploy n8n in a secure environment with restricted operating system privileges and network access.
– Disable Vulnerable Nodes: For CVE-2026-27493, consider disabling the Form node by adding ‘n8n-nodes-base.form’ to the NODES_EXCLUDE environment variable, and the Form Trigger node by adding ‘n8n-nodes-base.formTrigger’ to the same variable.
It’s important to note that these workarounds are temporary and do not fully eliminate the risk. Therefore, applying the official patches is strongly recommended.
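The two mitigation steps above that an administrator can actually verify by machine are the version check and the NODES_EXCLUDE workaround. The following script is an added example, not code from the advisory or from the n8n project: it compares an instance's reported version against the affected ranges stated above (treating each range as running up to, but not including, its fixed release) and builds the NODES_EXCLUDE value that disables the Form and Form Trigger nodes. It assumes NODES_EXCLUDE is read by n8n as a JSON array of node type names; the sample version and existing exclusion list at the bottom are constructed.

```javascript
// Added example (not part of the advisory or of n8n's own code).
// Checks an n8n version against the affected ranges stated in the advisory and
// builds the NODES_EXCLUDE value for the CVE-2026-27493 workaround.
// Assumption: NODES_EXCLUDE is a JSON array of node type names.

// Affected ranges from the advisory, each running from `lo` (inclusive) up to
// but not including `fixed`. A null `lo` means "every version below fixed".
const AFFECTED_RANGES = [
  { lo: null,     fixed: '1.123.22' },
  { lo: '2.0.0',  fixed: '2.9.3' },
  { lo: '2.10.0', fixed: '2.10.1' },
];

// Node type names the advisory says to exclude for CVE-2026-27493.
const FORM_NODE_TYPES = ['n8n-nodes-base.form', 'n8n-nodes-base.formTrigger'];

// Parse "1.123.22" or "v2.9.3" into [major, minor, patch]; reject anything else.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(text).trim());
  if (!m) throw new Error(`unparseable n8n version: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part comparison; plain string comparison would rank 2.10.0
// below 2.9.3 and misclassify the 2.10.x range.
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va[i] !== vb[i]) return va[i] < vb[i] ? -1 : 1;
  }
  return 0;
}

// Return the fixed release the instance should move to, or null if not affected.
function upgradeTargetFor(version) {
  for (const range of AFFECTED_RANGES) {
    const aboveLow = range.lo === null || compareVersions(version, range.lo) >= 0;
    const belowFix = compareVersions(version, range.fixed) < 0;
    if (aboveLow && belowFix) return range.fixed;
  }
  return null;
}

function isAffected(version) {
  return upgradeTargetFor(version) !== null;
}

// Merge the Form node types into an existing NODES_EXCLUDE value (a JSON array
// string, possibly unset) without dropping or duplicating entries.
function buildNodesExclude(existingValue) {
  let existing = [];
  if (existingValue && existingValue.trim() !== '') {
    const parsed = JSON.parse(existingValue);
    if (!Array.isArray(parsed)) throw new Error('NODES_EXCLUDE must be a JSON array');
    existing = parsed;
  }
  const merged = [...existing];
  for (const type of FORM_NODE_TYPES) {
    if (!merged.includes(type)) merged.push(type);
  }
  return JSON.stringify(merged);
}

// One-call assessment: whether the instance is affected, which release to
// upgrade to, and the workaround value to set until the upgrade is done.
function assessInstance(version, existingNodesExclude) {
  const upgradeTo = upgradeTargetFor(version);
  return {
    version,
    affected: upgradeTo !== null,
    upgradeTo,
    nodesExclude: upgradeTo === null ? null : buildNodesExclude(existingNodesExclude),
  };
}

// Constructed sample: a self-hosted instance on 2.5.0 that already excludes one node.
console.log(assessInstance('2.5.0', '["n8n-nodes-base.executeCommand"]'));
```

The version string can be taken from the instance's own settings or package metadata; the point of the numeric comparison is that 2.10.0 sits in an affected range while 2.9.3 does not, which a lexical sort gets backwards. Note that the merge keeps any nodes already listed in NODES_EXCLUDE, so the workaround does not silently re-enable something an operator disabled earlier.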
Additional Vulnerabilities Addressed:
In addition to the aforementioned flaws, n8n has patched two other critical vulnerabilities:
1. CVE-2026-27495 (CVSS Score: 9.4): An authenticated user with workflow modification permissions could exploit a code injection vulnerability in the JavaScript Task Runner sandbox, allowing code execution outside the sandbox.
2. CVE-2026-27497 (CVSS Score: 9.4): This vulnerability enables an authenticated user to use the Merge node’s SQL query mode to execute arbitrary code and write files on the n8n server.
Recommendations for Users:
Given the critical nature of these vulnerabilities, users should:
– Apply Patches Promptly: Ensure that n8n instances are updated to the latest versions to protect against these vulnerabilities.
– Review Workflow Configurations: Assess existing workflows for potential security risks and adjust configurations as necessary.
– Monitor Systems: Implement monitoring to detect any unusual activity that may indicate exploitation attempts.
By taking these steps, organizations can safeguard their systems against potential attacks targeting these vulnerabilities.