Multiple n8n Vulnerabilities Enable RCE, Sandbox Escapes, and Stored XSS
Security researchers and CVE disclosures reported multiple vulnerabilities in the n8n workflow automation platform that can enable remote code execution (RCE), sandbox escapes, and stored XSS under various conditions. Akamai highlighted exploitation interest from Zerobot targeting n8n via CVE-2025-68613, a critical expression-evaluation sandboxing failure affecting versions 0.211.0 through 1.20.4 (and 1.21.1/1.22.0), where a logged-in (non-admin) user could break out of the expression context to execute arbitrary code, read/write server files, steal environment variables (e.g., API keys), and establish persistence; a public PoC was noted as available.
Subsequent advisories describe additional n8n flaws patched after the earlier expression-sandbox issue; unless noted otherwise, each requires an authenticated user who can create or modify workflows. CVE-2026-27577 covers further expression-evaluation abuse leading to host command execution. CVE-2026-27495 describes a JavaScript Task Runner sandbox escape that can lead to full host compromise when internal runners are used (enabled via N8N_RUNNERS_ENABLED=true); external runner mode (N8N_RUNNERS_MODE=external) reduces the blast radius. CVE-2026-27497 describes potential RCE and arbitrary file write via the Merge node in SQL query mode. CVE-2026-27578 describes stored XSS across multiple nodes (e.g., Webhook-, Form- and Chat-related nodes) enabling session hijacking or account takeover when victims view affected pages. CVE-2026-27493 adds a second-order, potentially unauthenticated expression injection path via Form nodes (triggered by crafted input beginning with = under specific workflow configurations) that escalates to RCE only when chained with a separate sandbox escape. Fixes are reported in n8n 2.10.1 (and, depending on branch, 2.9.3 / 1.123.22), with interim mitigations including restricting workflow edit permissions and disabling specific nodes via NODES_EXCLUDE (e.g., n8n-nodes-base.webhook, n8n-nodes-base.merge, n8n-nodes-base.form, n8n-nodes-base.formTrigger).
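As an added illustration (not code from any of the cited sources or from the n8n project), the following Python check compares a deployment's reported version and process environment against the fixed releases and interim mitigations listed on this page. It assumes NODES_EXCLUDE holds a JSON array of node type names and treats a build on a newer minor branch than every fixed branch of its major line as patched.

```python
import json
import re
# First fixed release per branch, as listed in the advisories summarised above.
FIXES = {
    "Feb 2026 batch (CVE-2026-27577/27495/27497/27578/27493)":
        [(2, 10, 1), (2, 9, 3), (1, 123, 22)],
    "CVE-2026-33660 (Merge node AlaSQL)": [(2, 14, 1), (2, 13, 3), (1, 123, 26)],
    "CVE-2026-33696 (XML/GSuiteAdmin prototype pollution)":
        [(2, 14, 1), (2, 13, 3), (1, 123, 27)],
}
# Nodes named in the interim NODES_EXCLUDE guidance for the February batch.
MITIGATING_NODES = {"n8n-nodes-base.webhook", "n8n-nodes-base.merge",
                    "n8n-nodes-base.form", "n8n-nodes-base.formTrigger"}

def parse_version(text):
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(version, fixed_list):
    """Patched if at/above the fix on its own minor branch, or on a newer minor branch (assumption)."""
    same_major = [f for f in fixed_list if f[0] == version[0]]
    for f in same_major:
        if version[:2] == f[:2]:
            return version >= f
    return bool(same_major) and version[:2] > max(f[:2] for f in same_major)

def excluded_nodes(env):
    """NODES_EXCLUDE is assumed to be a JSON array of node type names."""
    raw = env.get("NODES_EXCLUDE", "").strip()
    try:
        return set(json.loads(raw)) if raw else set()
    except json.JSONDecodeError:  # tolerate a bare comma-separated list
        return {n.strip() for n in raw.strip("[]").split(",") if n.strip()}

def assess(version_text, env):
    """Return findings for an n8n build version plus its process environment."""
    v = parse_version(version_text)
    unpatched = [name for name, fixed in FIXES.items() if not is_patched(v, fixed)]
    findings = [f"unpatched: {name}" for name in unpatched]
    # Internal runners give CVE-2026-27495 full-host reach; external mode limits it.
    if env.get("N8N_RUNNERS_ENABLED") == "true" and env.get("N8N_RUNNERS_MODE") != "external":
        findings.append("task runners enabled in internal mode (CVE-2026-27495 blast radius)")
    missing = MITIGATING_NODES - excluded_nodes(env)
    if unpatched and missing:  # interim mitigation only matters while unpatched
        findings.append("NODES_EXCLUDE does not cover: " + ", ".join(sorted(missing)))
    return findings
```

Feed it the version string from the n8n UI or image tag and the container's environment (e.g. `dict(os.environ)` on the host) to get a short list of what still needs attention.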

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
n8n fixes CVE-2026-33660 Merge node AlaSQL RCE flaw
n8n fixed CVE-2026-33660, a vulnerability in the Merge node's 'Combine by SQL' mode that let authenticated users with workflow creation or modification rights read local files and potentially achieve remote code execution. The flaw affected versions prior to 2.14.1, 2.13.3, and 1.123.26, and n8n advised immediate upgrades and temporary mitigations such as restricting workflow editing and disabling the Merge node.
n8n fixes CVE-2026-33696 prototype pollution RCE flaw
n8n fixed CVE-2026-33696, a prototype pollution vulnerability in the XML and GSuiteAdmin nodes that could let authenticated users with workflow creation or modification rights achieve remote code execution. The issue affected versions prior to 2.14.1, 2.13.3, and 1.123.27, and n8n advised immediate upgrades plus temporary mitigations such as restricting workflow editing and disabling the XML node.
Akamai reports Zerobot targeting n8n via CVE-2025-68613
Akamai published research stating that Zerobot malware was targeting the n8n automation platform through CVE-2025-68613. The report highlighted active attacker interest in the flaw and reiterated the severe impact of compromise on n8n instances.
Public PoC becomes available for CVE-2025-68613
By late February 2026, a public proof-of-concept exploit was available for CVE-2025-68613, lowering the barrier to exploitation of the n8n expression-evaluation RCE flaw. Akamai described the issue as easy to exploit and high impact because it could expose files, environment variables, and integrated services.
n8n patches multiple additional vulnerabilities across workflow components
n8n released fixes for several newly disclosed vulnerabilities affecting versions prior to 2.10.1, 2.9.3, and 1.123.22, including expression sandbox escapes, Merge node RCE, JavaScript Task Runner sandbox escape, Form node expression injection, and stored XSS in multiple nodes. The fixes were made available in versions 2.10.1, 2.9.3, and 1.123.22, with guidance to upgrade and apply temporary mitigations if immediate patching was not possible.
n8n publishes security advisory for versions 1.65-1.120.4
n8n published a security advisory covering vulnerabilities affecting versions 1.65 through 1.120.4. The advisory represents a separate disclosure from the earlier CVE-2025-68613 sandbox-escape issue and the later February 2026 multi-vulnerability patch release.
n8n discloses critical RCE flaw CVE-2025-68613
In mid-December 2025, n8n disclosed CVE-2025-68613, a critical remote code execution vulnerability in workflow expression evaluation caused by insufficient sandboxing. The flaw allowed a standard authenticated user to escape the expression sandbox and execute arbitrary code on the n8n server.
Sources
11 references tracked.
Critical n8n Vulnerability Let Attackers Achieve Remote Code Execution (cybersecuritynews.com)
CVE-2026-33660 - n8n Has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode (cvefeed.io)
CVE-2026-33696 - n8n Vulnerable to Prototype Pollution in XML & GSuiteAdmin node parameters lead to RCE (cvefeed.io)
Zerobot Malware Targets n8n Automation Platform (akamai.com)
CVE-2026-27495 - n8n has a Sandbox Escape in its JavaScript Task Runner (cvefeed.io)
CVE-2026-27577 - n8n: Expression Sandbox Escape Leads to RCE (cvefeed.io)
Security Advisory: Security Vulnerability in n8n Versions 1.65-1.120.4 - n8n Blog (blog.n8n.io)
Geordie AI | n8n Vulnerabilities Explained: Risk Exposure & Remediation | Security Advisory (geordie.ai)