Two High-Severity n8n Vulnerabilities – Authenticated RCE

Security researchers at JFrog have disclosed two serious flaws in the n8n workflow automation platform, one rated critical and one high, both enabling authenticated remote code execution (RCE). These vulnerabilities pose a serious risk given n8n’s role in automating workflows across entire organizations.

Vulnerability Details

  • CVE-2026-1470
    • CVSS: 9.9 (Critical)
    • Type: Eval injection in the Expression sandbox.
    • Impact: Authenticated users can bypass sandbox restrictions and execute arbitrary JavaScript code on the main node.
  • CVE-2026-0863
    • CVSS: 8.5 (High)
    • Type: Eval injection in the python-task-executor sandbox.
    • Impact: Authenticated users can run arbitrary Python code on the underlying OS.

Exploitation Risks

  • Attackers could hijack an entire n8n instance, even in internal execution mode.
  • n8n documentation already warns that internal mode is unsafe for production, urging use of external mode for proper isolation.
  • Because n8n integrates with LLM APIs, IAM systems, sales data, and infrastructure tools, exploitation could act as a “skeleton key” to corporate systems.

Patch & Mitigation

  • CVE-2026-1470: Fixed in versions 1.123.17, 2.4.5, 2.5.1.
  • CVE-2026-0863: Fixed in versions 1.123.14, 2.3.5, 2.4.2.
  • Recommendation:
    • Upgrade immediately to patched versions.
    • Avoid running n8n in internal mode in production.
    • Audit workflows for suspicious activity and privilege escalation attempts.
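The fixed-version lists above span several release branches, so a quick check of an installed version against them is the first triage step. The script below is an added example and is not n8n's or JFrog's code: it takes the fixed versions exactly as the advisory lists them, treats a version on the same major.minor branch as patched only if its patch level is at or above the fix, assumes (my assumption, not something the advisory states) that any release newer than every listed fix carries the fix forward, and flags versions on branches the advisory does not mention for manual review. The hostnames and versions in the sample inventory are constructed.

```javascript
// Added example: triage installed n8n versions against the fixed versions in the advisory.
// Not n8n's own code. Fixed-version lists come from the advisory text; the rule that a
// release newer than every listed fix is patched is an assumption of this script.

const FIXED_VERSIONS = {
  'CVE-2026-1470': ['1.123.17', '2.4.5', '2.5.1'],
  'CVE-2026-0863': ['1.123.14', '2.3.5', '2.4.2'],
};

// "1.123.17" or "v1.123.17" -> [1, 123, 17]; anything else is rejected loudly.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch]; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Status of one installed version for one CVE: 'patched', 'vulnerable' or 'review'.
function statusForCve(installed, fixes) {
  const v = parseVersion(installed);
  const fixVersions = fixes.map(parseVersion);

  // Same major.minor branch as a listed fix: the patch level decides.
  const sameBranch = fixVersions.find((f) => f[0] === v[0] && f[1] === v[1]);
  if (sameBranch) return compareVersions(v, sameBranch) >= 0 ? 'patched' : 'vulnerable';

  // Newer than every listed fix: assumed patched (later releases carry the fix forward).
  const newest = fixVersions.reduce((a, b) => (compareVersions(a, b) >= 0 ? a : b));
  if (compareVersions(v, newest) > 0) return 'patched';

  // Branch not listed in the advisory and not newer than the fixes
  // (e.g. 2.3.x for CVE-2026-1470): no fix is known for it, send it for manual review.
  return 'review';
}

// Status per CVE for one installed version, e.g. { 'CVE-2026-1470': 'vulnerable', ... }.
function triage(installed) {
  const result = {};
  for (const [cve, fixes] of Object.entries(FIXED_VERSIONS)) {
    result[cve] = statusForCve(installed, fixes);
  }
  return result;
}

// Constructed sample inventory (hostnames and versions are made up for this example).
const SAMPLE_INVENTORY = [
  { host: 'n8n-prod-01', version: '2.4.2' },
  { host: 'n8n-prod-02', version: '2.5.1' },
  { host: 'n8n-lts-01', version: '1.123.14' },
  { host: 'n8n-dev-01', version: '2.3.5' },
];

// One row per host with the per-CVE status merged in.
function triageInventory(inventory) {
  return inventory.map(({ host, version }) => ({ host, version, ...triage(version) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(triageInventory(SAMPLE_INVENTORY));
}
```

Feed it the output of whatever inventory you already have (the `n8n --version` output, container image tags, or a CMDB export); a host that shows `vulnerable` for either CVE, or `review` for an unlisted branch, belongs on the upgrade list.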

Context

  • These disclosures follow CVE-2026-21858 (Ni8mare), a maximum-severity flaw allowing unauthenticated RCE, reported weeks earlier by Cyera Labs.
  • As of Jan 27, 2026, Shadowserver data shows 39,000+ n8n instances remain vulnerable.
  • Researchers emphasize the difficulty of sandboxing dynamic languages like JavaScript and Python—rare constructs, interpreter quirks, and exception handling can break isolation.

Defensive Recommendations

  • Patch quickly: Apply the latest n8n updates.
  • Segmentation: Run n8n in isolated environments with strict access controls.
  • Monitoring: Enable logging to detect abnormal workflow executions.
  • Threat hunting: Look for signs of sandbox escape attempts or unauthorized code execution.
  • Backup & recovery: Ensure secure backups in case of compromise.
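Both vulnerabilities live in the paths that evaluate user-supplied JavaScript, Python and expressions, so the monitoring and threat-hunting items above come down to knowing which workflows exercise those paths at all. The script below is an added example, not n8n's code: it walks exported workflow JSON and lists every node that runs code or evaluates expressions, so reviewers can compare that inventory against what each workflow is supposed to do. It assumes (from the n8n export format as I understand it, not from this page) that a workflow export has a `nodes` array, that Code nodes have type `n8n-nodes-base.code` with a `jsCode` or `pythonCode` parameter and an optional `language` of `javaScript` or `python`, that Execute Command nodes have type `n8n-nodes-base.executeCommand`, and that expression-valued parameters are strings beginning with `=` and containing `{{ ... }}`. The sample workflow is constructed.

```javascript
// Added example: inventory the code-executing surface of exported n8n workflows.
// Not n8n's code. Node type names, parameter names and the "={{ ... }}" expression
// convention are assumptions about the export format, stated in the lead-in.

// Node types whose parameters are executed rather than interpreted as data.
const CODE_NODE_TYPES = {
  'n8n-nodes-base.code': 'Code node (JavaScript or Python in the task sandbox)',
  'n8n-nodes-base.executeCommand': 'Execute Command node (shell on the host)',
};

// An expression-valued parameter: "=" prefix, at least one {{ ... }} template.
const EXPRESSION_RE = /^=[\s\S]*\{\{[\s\S]*\}\}/;

// Recursively collect every expression-valued string under a parameters object,
// recording the dotted path so a reviewer can find it in the editor.
function collectExpressions(value, path = []) {
  const found = [];
  if (typeof value === 'string') {
    if (EXPRESSION_RE.test(value)) found.push({ path: path.join('.'), expr: value });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => found.push(...collectExpressions(v, [...path, String(i)])));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      found.push(...collectExpressions(v, [...path, k]));
    }
  }
  return found;
}

// One finding per node that executes code or evaluates at least one expression.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    const params = node.parameters || {};
    const expressions = collectExpressions(params);
    const codeKind = CODE_NODE_TYPES[node.type];
    if (!codeKind && expressions.length === 0) continue;

    // Code nodes default to JavaScript when no language parameter is present.
    let language;
    if (node.type === 'n8n-nodes-base.code') {
      language = params.language || (params.pythonCode ? 'python' : 'javaScript');
    }

    findings.push({
      workflow: workflow.name,
      node: node.name,
      type: node.type,
      reason: codeKind || 'evaluates expressions',
      language,
      expressionCount: expressions.length,
      expressions,
      disabled: node.disabled === true,
    });
  }
  return findings;
}

// Flatten findings across many exports (e.g. everything under a workflows/ directory).
function auditWorkflows(workflows) {
  return workflows.flatMap(auditWorkflow);
}

// Constructed sample export; names, URLs and code are made up for this example.
const SAMPLE_WORKFLOW = {
  name: 'nightly-report',
  nodes: [
    { name: 'Schedule', type: 'n8n-nodes-base.scheduleTrigger',
      parameters: { rule: { interval: [{ field: 'days' }] } } },
    { name: 'Fetch', type: 'n8n-nodes-base.httpRequest',
      parameters: { url: '={{ $env.REPORT_API }}/daily', method: 'GET' } },
    { name: 'Reshape', type: 'n8n-nodes-base.code',
      parameters: { jsCode: 'return $input.all().map(i => ({ json: { total: i.json.amount } }));' } },
    { name: 'Summarise', type: 'n8n-nodes-base.code',
      parameters: { language: 'python', pythonCode: 'return _input.all()' } },
    { name: 'Archive', type: 'n8n-nodes-base.executeCommand', disabled: true,
      parameters: { command: 'tar czf /tmp/report.tgz /data/report' } },
  ],
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditWorkflows([SAMPLE_WORKFLOW])) {
    console.log(`${f.workflow} / ${f.node} [${f.type}] ${f.reason}` +
      (f.language ? ` language=${f.language}` : '') +
      (f.expressionCount ? ` expressions=${f.expressionCount}` : '') +
      (f.disabled ? ' (disabled)' : ''));
  }
}
```

Run it over a fresh export after every change window and diff the result against the previous run: a new Code or Execute Command node, a Python node appearing where only JavaScript was expected, or expressions showing up in a workflow that had none, is exactly the kind of change the audit and threat-hunting recommendations ask you to look at.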

Takeaway

These flaws highlight the fragility of sandboxing in workflow automation platforms. With n8n acting as a central automation hub, exploitation could cascade across critical systems. Organizations should patch immediately, switch to external execution mode, and monitor for compromise indicators.
