Critical n8n Vulnerabilities Enable Remote Code Execution and Credential Theft
Take action: Update your n8n instances as soon as possible to stop attackers from using public forms to read the instance's encryption key, decrypt every stored credential and take over the server. If you can't patch, disable the Form and Merge nodes and restrict workflow editing to your most trusted users, since the authenticated sandbox escape is reachable by anyone who can write an expression.
n8n, a popular workflow automation platform, has addressed four critical security vulnerabilities that allow attackers to take over self-hosted and cloud instances.
Vulnerability summary:
- CVE-2026-27577 (CVSS score 9.4) - A sandbox escape in the expression engine caused by a missing case in the Abstract Syntax Tree (AST) rewriter. A reference to the 'process' object passes through the rewriter untransformed, so an authenticated user who can edit a workflow expression can run arbitrary shell commands with the privileges of the n8n service account.
- CVE-2026-27493 (CVSS score 9.5) - A double-evaluation flaw in Form nodes that allows unauthenticated expression injection. Form input is passed through the expression resolver a second time, so a submission whose value starts with an '=' character (n8n's marker for an expression template) is evaluated as an expression rather than stored as data. Submitted to a public form endpoint and chained with the sandbox escape, this yields unauthenticated remote code execution.
An n8n instance holds the credentials (API keys, OAuth tokens, database passwords) that its workflows use to reach other systems, encrypted at rest under a single key. An attacker who can evaluate expressions can read the N8N_ENCRYPTION_KEY environment variable that protects them and decrypt the entire credential store.
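To make the double-evaluation pattern concrete, here is an added example that models an expression resolver with the flaw beside a corrected one. It is not n8n's code and not the vendor's patch: the toy engine, the two lookups it supports (`$json.<key>` and `$env.<NAME>`), the form submission and the environment value are all constructed for illustration, and the corrected function shows the generic fix (evaluate the author's template once, treat its output as data), not necessarily how n8n implemented it.

```javascript
// Added illustration of a double-evaluation bug; this is a toy model, not n8n code.
// In n8n a parameter string beginning with "=" is an expression template whose
// {{ ... }} segments are evaluated. The toy engine below supports exactly two
// lookups, $json.<key> (fields of the current item) and $env.<NAME> (process
// environment), which is enough to show how untrusted data that is evaluated a
// second time turns into code.

function evaluateExpression(expr, ctx) {
  const m = /^\$(json|env)\.([A-Za-z_][A-Za-z0-9_]*)$/.exec(expr.trim());
  if (!m) throw new Error(`unsupported expression: ${expr}`);
  const [, scope, key] = m;
  const bag = scope === 'json' ? ctx.json : ctx.env;
  return Object.prototype.hasOwnProperty.call(bag, key) ? String(bag[key]) : '';
}

// Resolve one parameter value. "=..." is a template; anything else is a literal.
function resolveParameter(value, ctx) {
  if (typeof value !== 'string' || !value.startsWith('=')) return value;
  return value.slice(1).replace(/\{\{(.*?)\}\}/g, (_, expr) => evaluateExpression(expr, ctx));
}

// VULNERABLE shape: the workflow author's template is resolved (pass 1), and the
// result, which now carries the form submitter's input verbatim, is pushed through
// the resolver again (pass 2). A submission beginning with "=" is therefore treated
// as a template on the second pass, i.e. unauthenticated expression injection.
function buildFieldVulnerable(template, submission, env) {
  const ctx = { json: submission, env };
  const firstPass = resolveParameter(template, ctx);
  return resolveParameter(firstPass, ctx); // BUG: re-evaluates attacker-controlled data
}

// FIXED shape: resolve the author's template exactly once. Whatever it yields is
// data and is never handed back to the expression engine, so a leading "=" in user
// input is just a character.
function buildFieldFixed(template, submission, env) {
  const ctx = { json: submission, env };
  return resolveParameter(template, ctx);
}

// Constructed inputs: a Form node parameter that copies the "name" field, a
// submission whose "name" is itself an expression, a benign submission, and a
// fake environment. The key value is made up for the demo.
const FIELD_TEMPLATE = '={{ $json.name }}';
const HOSTILE_SUBMISSION = { name: '={{ $env.N8N_ENCRYPTION_KEY }}' };
const BENIGN_SUBMISSION = { name: 'Alice' };
const FAKE_ENV = { N8N_ENCRYPTION_KEY: 'demo-key-not-real' };

function demo() {
  return {
    // vulnerable resolver hands the submitted string back to the engine: the key leaks
    vulnerableHostile: buildFieldVulnerable(FIELD_TEMPLATE, HOSTILE_SUBMISSION, FAKE_ENV),
    // fixed resolver keeps the submitted "=..." string as inert data
    fixedHostile: buildFieldFixed(FIELD_TEMPLATE, HOSTILE_SUBMISSION, FAKE_ENV),
    // ordinary input behaves identically under both, which is why the bug hides well
    vulnerableBenign: buildFieldVulnerable(FIELD_TEMPLATE, BENIGN_SUBMISSION, FAKE_ENV),
    fixedBenign: buildFieldFixed(FIELD_TEMPLATE, BENIGN_SUBMISSION, FAKE_ENV),
  };
}

console.log(demo());
```

The point to take from the model is that the trust boundary sits between the workflow author's template and the values it produces: the template is code, its output is data, and any code path that feeds output back into the resolver erases that boundary for everyone who can reach the form.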
These vulnerabilities affect multiple release branches of n8n: versions earlier than 1.123.22, versions from 2.0.0 up to but not including 2.9.3, and version 2.10.0 (the 2.10 branch is fixed in 2.10.1). The vendor has confirmed that both self-hosted and cloud-managed deployments were exposed before the patches were deployed.
Organizations should upgrade to the fixed release on their branch (1.123.22, 2.9.3 or 2.10.1, or later) as soon as possible. If patching is not immediately possible, administrators can set the NODES_EXCLUDE environment variable to stop the Form and Merge nodes from loading; this breaks every workflow that uses them, so inventory those workflows first. Note that excluding nodes removes the unauthenticated entry point but not the expression sandbox escape itself, which remains reachable by any authenticated user who can edit a workflow. Additionally, setting N8N_RUNNERS_MODE to 'external' runs the JavaScript Task Runner as a separate process, so a sandbox escape lands in the runner rather than in the main n8n process; deploy that runner without the main instance's secrets and database access so that the isolation actually limits the damage.
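Putting the version ranges and the interim mitigations into a small check, as an added example that is not n8n's own tooling: the script below classifies a version string against the affected ranges above and, when it is affected, prints the upgrade target and the mitigation environment. N8N_RUNNERS_MODE=external is the setting named above; the node type names passed to NODES_EXCLUDE and the N8N_RUNNERS_ENABLED flag are assumptions that should be verified against the installed version before use.

```javascript
// Added example (not n8n's own tooling): classify an installed n8n version against
// the affected ranges in the advisory and, when it is affected, print the upgrade
// target and the interim environment settings. The node type names in NODES_EXCLUDE
// are assumed from n8n's "n8n-nodes-base.<type>" naming and should be checked
// against the instance's own node list before use.

function parseVersion(v) {
  // Accepts "1.123.22", "v2.9.3", "2.10.1-rc1"; anything after the patch number is ignored.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised n8n version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}
const lt = (a, b) => compareVersions(a, b) < 0;

// Affected ranges from the advisory, with the fixed release of each branch.
// Any version at or above the fix on its branch is treated as patched.
function fixedVersionFor(version) {
  if (lt(version, '2.0.0')) return lt(version, '1.123.22') ? '1.123.22' : null;
  if (lt(version, '2.9.3')) return '2.9.3';
  if (!lt(version, '2.10.0') && lt(version, '2.10.1')) return '2.10.1';
  return null; // 2.9.3+ on the 2.9 branch, 2.10.1+, or any later branch
}
const isAffected = (version) => fixedVersionFor(version) !== null;

// Interim mitigation when upgrading is not immediately possible.
// NODES_EXCLUDE takes a JSON array of node type names; the names below are assumed.
// N8N_RUNNERS_MODE=external moves expression execution into a separate runner process,
// which should be deployed without the main instance's secrets and database access.
function mitigationEnv() {
  return {
    NODES_EXCLUDE: JSON.stringify([
      'n8n-nodes-base.form',        // assumed type name of the Form node
      'n8n-nodes-base.formTrigger', // assumed type name of the Form Trigger node
      'n8n-nodes-base.merge',       // assumed type name of the Merge node
    ]),
    N8N_RUNNERS_ENABLED: 'true',   // assumed companion flag for running the task runner
    N8N_RUNNERS_MODE: 'external',
  };
}

function report(version) {
  const fix = fixedVersionFor(version);
  if (fix === null) return `n8n ${version}: not in an affected range`;
  const env = Object.entries(mitigationEnv()).map(([k, v]) => `${k}='${v}'`).join('\n');
  return `n8n ${version}: AFFECTED, upgrade to ${fix} or later.\nInterim mitigation:\n${env}`;
}

// Usage: node n8n-check.js <version>   (the version string reported by the instance)
if (process.argv[2]) console.log(report(process.argv[2]));
```

Run it once per instance as part of the patch inventory; the interesting cases are the 2.9.x and 2.10.x branches, where being one patch release behind is the difference between exposed and fixed.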