Key Takeaways
- Two new security flaws have been discovered in the n8n workflow automation platform, including a critical vulnerability that could result in remote code execution.
- The vulnerabilities, CVE-2026-1470 and CVE-2026-0863, have CVSS scores of 9.9 and 8.5, respectively, and could allow an authenticated user to bypass sandbox mechanisms and execute arbitrary code.
- Successful exploitation of the flaws could permit an attacker to hijack an entire n8n instance, including in scenarios where it’s operating under "internal" execution mode.
- Users are advised to update to specific versions of n8n to address the flaws, including 1.123.17, 2.4.5, or 2.5.1 for CVE-2026-1470, and 1.123.14, 2.3.5, or 2.4.2 for CVE-2026-0863.
Introduction to the Vulnerabilities
Cybersecurity researchers have recently disclosed two new security flaws in the n8n workflow automation platform, a tool used to automate AI workflows across organizations. The weaknesses, discovered by the JFrog Security Research team, include a critical vulnerability that could result in remote code execution. The vulnerabilities, listed as CVE-2026-1470 and CVE-2026-0863, have CVSS scores of 9.9 and 8.5, respectively, indicating a high level of severity. These vulnerabilities could allow an authenticated user to bypass the Expression sandbox mechanism and achieve full remote code execution on n8n’s main node, or bypass n8n’s python-task-executor sandbox restrictions and run arbitrary Python code on the underlying operating system.
Technical Details of the Vulnerabilities
The first vulnerability, CVE-2026-1470, is an eval injection vulnerability that could allow an authenticated user to bypass the Expression sandbox mechanism and achieve full remote code execution on n8n’s main node. The attacker supplies specially crafted JavaScript in an expression; the sandbox fails to contain it, and the code runs on the main node with the privileges of the n8n process. The second vulnerability, CVE-2026-0863, is also an eval injection vulnerability, but it allows an authenticated user to bypass n8n’s python-task-executor sandbox restrictions and run arbitrary Python code on the underlying operating system. Both vulnerabilities could be exploited by an attacker to gain control over the n8n instance, including in scenarios where it’s operating under "internal" execution mode.
Impact of the Vulnerabilities
The successful exploitation of these flaws could have significant consequences, as n8n is used to automate AI workflows across organizations and has access to sensitive data and systems. As noted by JFrog, "n8n spans an entire organization to automate AI workflows, it holds the keys to core tools, functions, and data from infrastructure, including LLM APIs, sales data, and internal IAM systems, among others." This means that an attacker who gains control over an n8n instance could potentially access and manipulate sensitive data, disrupt business operations, and move laterally within the organization. The vulnerabilities highlight the importance of proper security measures, including regular updates and patches, to prevent such attacks.
Recommendations for Users
To address the flaws, users are advised to update to specific versions of n8n, including 1.123.17, 2.4.5, or 2.5.1 for CVE-2026-1470, and 1.123.14, 2.3.5, or 2.4.2 for CVE-2026-0863. Users should also consider switching to external mode to ensure proper isolation between n8n and task runner processes, as recommended by n8n in its documentation. Additionally, users should be aware of the potential risks associated with using internal mode in production environments and take steps to mitigate these risks. By taking these steps, users can help prevent the exploitation of these vulnerabilities and protect their organizations from potential attacks.
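As an added example (not from the write-up, JFrog or the n8n project), the following Python script checks an installed n8n version string against the fixed versions listed above and reports a status per CVE. It assumes that a later patch release on the same minor branch also carries the fix; branches the advisory does not list (for instance 2.3.x for CVE-2026-1470 or 2.5.x for CVE-2026-0863) are reported as "unknown" rather than guessed.

```python
# Added example: map an installed n8n version to patch status for the two CVEs.
# Fixed versions are those named in the advisory summary; everything else here
# (branch rule, "unknown" for unlisted branches) is an assumption of this script.
import re
from typing import Dict, Tuple

FIXED_VERSIONS: Dict[str, Tuple[str, ...]] = {
    "CVE-2026-1470": ("1.123.17", "2.4.5", "2.5.1"),
    "CVE-2026-0863": ("1.123.14", "2.3.5", "2.4.2"),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; a leading 'v' or trailing tag is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def status(installed: str, cve: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one CVE."""
    major, minor, patch = parse_version(installed)
    for fixed in FIXED_VERSIONS[cve]:
        f_major, f_minor, f_patch = parse_version(fixed)
        if (major, minor) == (f_major, f_minor):
            # Same branch as a listed fix: patch level decides.
            return "fixed" if patch >= f_patch else "vulnerable"
    # Branch not named in the advisory: do not infer either way; confirm
    # against the vendor's release notes before treating it as safe.
    return "unknown"


def assess(installed: str) -> Dict[str, str]:
    """Status for every CVE the write-up covers."""
    return {cve: status(installed, cve) for cve in FIXED_VERSIONS}


if __name__ == "__main__":
    # Constructed sample versions, one per interesting case.
    for v in ("1.123.16", "1.123.17", "2.4.2", "2.4.5", "2.5.1", "2.3.5"):
        print(v, assess(v))
```

Run it against the output of `n8n --version` (or the image tag of a containerised deployment) and treat any "vulnerable" or "unknown" result as a reason to upgrade and to move task runners to external mode.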
Broader Implications
The discovery of these vulnerabilities highlights the challenges of safely sandboxing dynamic, high-level languages such as JavaScript and Python. Even with multiple validation layers, deny lists, and AST-based controls in place, subtle language features and runtime behaviors can be leveraged to bypass security assumptions. As noted by researcher Nathan Nehorai, "deprecated or rarely used constructs, combined with interpreter changes and exception handling behavior, were enough to break out of otherwise restrictive sandboxes and achieve remote code execution." This underscores the importance of ongoing security research and testing to identify and address potential vulnerabilities, as well as the need for developers to prioritize security when designing and implementing software applications.
Conclusion
In conclusion, the discovery of two new security flaws in the n8n workflow automation platform highlights the importance of proper security measures and ongoing research to identify and address potential vulnerabilities. The vulnerabilities, CVE-2026-1470 and CVE-2026-0863, could allow an authenticated user to bypass sandbox mechanisms and execute arbitrary code, potentially giving an attacker control over the entire n8n instance. Users are advised to update to specific versions of n8n and take steps to mitigate the risks associated with using internal mode in production environments. By prioritizing security and taking proactive measures to address potential vulnerabilities, organizations can help protect themselves from potential attacks and ensure the integrity of their systems and data.