Authenticated Sandbox-Escape RCE Vulnerabilities in n8n Workflow Automation
JFrog researchers disclosed two vulnerabilities in the n8n workflow automation platform that allow an authenticated attacker to escape built-in sandboxes and achieve remote code execution (RCE) on the main n8n node, potentially leading to full instance compromise and access to sensitive connected systems (e.g., APIs, credentials, and internal tooling). The issues are tracked as CVE-2026-1470 (CVSS 9.9) and CVE-2026-0863 (CVSS 8.5); exploitation is possible even in configurations where n8n runs in “internal” execution mode, which n8n documentation already warns is risky for production due to weaker isolation between the application and task runner processes.
Technical details indicate both flaws are sandbox escapes driven by language/runtime edge cases: CVE-2026-1470 abuses JavaScript expression sandboxing (including with-statement handling) to resolve a constructor path to Function and execute arbitrary JavaScript, while CVE-2026-0863 escapes the Python task executor sandbox via Python introspection and runtime behavior (notably Python 3.10+ AttributeError.obj) to regain access to restricted builtins/imports and execute OS commands. Recommended remediation is to upgrade n8n to fixed versions (for CVE-2026-1470: 1.123.17, 2.4.5, or 2.5.1; for CVE-2026-0863: 1.123.14, 2.3.5, or 2.4.2).
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Public detection and exploit interest emerges around vulnerable n8n instances
By January 29, 2026, reporting noted public Nuclei templates for identifying vulnerable n8n deployments and indicated a proof-of-concept for CVE-2026-0863 might be added to JFrog's technical write-up. This raised concern that attackers would begin scanning for exposed self-hosted instances.
JFrog publicly discloses technical details of the two n8n flaws
On January 28, 2026, JFrog publicly disclosed the vulnerabilities, explaining that CVE-2026-1470 abuses JavaScript sandbox weaknesses and CVE-2026-0863 exploits Python runtime behavior in internal execution mode. Researchers warned that successful exploitation could expose credentials, API keys, and connected enterprise systems.
n8n releases patches for CVE-2026-1470 and CVE-2026-0863
n8n issued fixes across multiple supported version branches for the two vulnerabilities, and n8n Cloud was reported as already remediated. Unpatched self-hosted and cloud deployments remained exposed depending on version and configuration.
JFrog discovers and reports two n8n sandbox escape vulnerabilities
JFrog Security Research identified CVE-2026-1470 in n8n's JavaScript expression engine and CVE-2026-0863 in its Python Code node, both allowing authenticated users with workflow creation or edit access to achieve remote code execution. The flaws enable sandbox escape and potential full takeover of affected n8n instances.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Two n8n sandbox escape vulnerabilities allow RCE | SC Media
scworld.com
Open sourceCVE-2026-1470 & CVE-2026-0863: Severe Sandbox Escape Vulnerabilities Expose n8n Instances to RCE
socradar.io
Open sourceMore Critical Flaws on n8n Could Compromise Customer Security
darkreading.com
Open sourceNew sandbox escape flaw exposes n8n instances to RCE attacks
bleepingcomputer.com
Open sourceTwo High-Severity n8n Flaws Allow Authenticated Remote Code Execution
thehackernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical n8n Expression Sandbox Escape Leading to Authenticated RCE (CVE-2026-25049)
A **critical remote code execution** issue in the *n8n* open-source workflow automation platform, tracked as **CVE-2026-25049** (also published as **GHSA-6cqr-8cfr-67f8**), allows an **authenticated** user with permission to create or modify workflows to escape n8n’s expression sandbox and execute arbitrary system commands on the underlying host. The flaw stems from **insufficient input sanitization/weak sandboxing** in n8n’s expression evaluation (server-side JavaScript) and was identified during follow-up analysis after an earlier critical n8n vulnerability (**CVE-2025-68613**) was patched; researchers report the new issue effectively **bypasses prior mitigations**. Reporting indicates exploitation can lead to **full compromise** of the n8n instance, including access to the filesystem and the ability to **steal stored credentials and secrets** (e.g., API keys, OAuth tokens) and sensitive configuration, with potential for **pivoting** into connected internal services and cloud accounts in multi-tenant deployments. Public reporting also notes **public exploits** are available. n8n maintainers state the issue is patched, and affected organizations should upgrade to fixed releases (**1.123.17** and **2.5.2**), as versions **prior to 1.123.17 and 2.5.2** are impacted.
Mar 21, 2026
Multiple n8n Vulnerabilities Enable RCE, Sandbox Escapes, and Stored XSS
Security researchers and CVE disclosures reported multiple vulnerabilities in the *n8n* workflow automation platform that can enable **remote code execution (RCE)**, **sandbox escapes**, and **stored XSS** under various conditions. Akamai highlighted exploitation interest from **Zerobot** targeting n8n via **CVE-2025-68613**, a critical expression-evaluation sandboxing failure affecting versions `0.211.0` through `1.20.4` (and `1.21.1`/`1.22.0`), where a logged-in (non-admin) user could break out of the expression context to execute arbitrary code, read/write server files, steal environment variables (e.g., API keys), and establish persistence; a public PoC was noted as available. Subsequent advisories describe additional n8n flaws patched after the earlier expression-sandbox issue, generally requiring an authenticated user who can create/modify workflows, except where noted. **CVE-2026-27577** covers further expression-evaluation abuse leading to host command execution; **CVE-2026-27495** describes a **JavaScript Task Runner** sandbox escape that can lead to full host compromise when internal runners are used (enabled via `N8N_RUNNERS_ENABLED=true`), with external runner mode (`N8N_RUNNERS_MODE=external`) reducing blast radius; **CVE-2026-27497** describes potential RCE and arbitrary file write via the **Merge node** in SQL query mode; and **CVE-2026-27578** describes **stored XSS** across multiple nodes (e.g., Webhook/Form/Chat-related nodes) enabling session hijacking/account takeover when victims view affected pages. **CVE-2026-27493** adds a second-order, potentially **unauthenticated** expression injection path via **Form nodes** (triggered by crafted input beginning with `=` under specific workflow configurations) that can escalate to RCE only when chained with a separate sandbox escape. Fixes are reported in n8n `2.10.1` (and, depending on branch, `2.9.3` / `1.123.22`), with interim mitigations including restricting workflow edit permissions and disabling specific nodes via `NODES_EXCLUDE` (e.g., `n8n-nodes-base.webhook`, `n8n-nodes-base.merge`, `n8n-nodes-base.form`, `n8n-nodes-base.formTrigger`).
Mar 30, 2026
Critical n8n Vulnerabilities Enabling RCE and Sandbox Escapes
Government cyber agencies in Belgium and Canada warned that **n8n** released security updates to address multiple **critical vulnerabilities** that could allow attackers to compromise workflow automation instances, particularly those exposed to the internet. The advisories emphasize that n8n often orchestrates actions across interconnected systems, increasing blast radius if compromised, and urge administrators to **patch immediately** to protect confidentiality, integrity, and availability. The Belgian CCB advisory highlights three critical CVEs—**CVE-2026-27495**, **CVE-2026-27577**, and **CVE-2026-27497** (each scored **CVSS 9.4**) affecting n8n versions prior to **2.10.1 / 2.9.3 / 1.123.22**, including issues mapped to **CWE-94 (code injection)** and **CWE-89 (SQL injection)**. It describes **sandbox escape leading to arbitrary code execution** in the JavaScript Task Runner (notably impacting the default internal Task Runner mode) and abuse of crafted workflow expressions by authenticated users with workflow modification permissions; Canada’s Cyber Centre advisory (AV26-176) additionally enumerates impacted components and attack classes including **RCE via Merge Node**, **expression sandbox escape to RCE**, **JavaScript Task Runner sandbox escape**, **unauthenticated expression evaluation via Form Node**, and **stored XSS across multiple nodes**, directing organizations to apply n8n’s upstream fixes.
May 18, 2026