{"id":6762,"date":"2026-01-29T12:38:54","date_gmt":"2026-01-29T12:38:54","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6762"},"modified":"2026-01-29T12:38:54","modified_gmt":"2026-01-29T12:38:54","slug":"critical-rce-bugs-expose-the-n8n-automation-platform-to-host%e2%80%91level-compromise","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6762","title":{"rendered":"Critical RCE bugs expose the n8n automation platform to host\u2011level compromise"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Two critical sandbox escape flaws in the popular n8n workflow automation platform are allowing authenticated users to achieve remote code execution on affected instances.<\/p>\n<p>According to new JFrog findings, sandboxing safeguards meant to contain untrusted workflow logic can be bypassed, exposing enterprise automation environments to <a href=\"https:\/\/www.csoonline.com\/article\/4113980\/critical-rce-flaw-allows-full-takeover-of-n8n-ai-workflow-platform.html\" target=\"_blank\" rel=\"noopener\">full host<\/a> compromise. Enterprises that rely on n8n to orchestrate integrations, automate internal processes, and streamline cloud services and on-prem systems are at risk. JFrog\u2019s researchers said n8n\u2019s sandboxing mechanism can fail in specific configurations when users evaluate expressions or run custom scripts.<\/p>\n<p>Sandbox escapes can expose sensitive credentials, APIs, and infrastructure from affected workflow engines.<\/p>\n<h2 class=\"wp-block-heading\">Expression engine sandbox escape enables JavaScript RCE<\/h2>\n<p>One of the issues identified by JFrog affects n8n\u2019s JavaScript expression engine, which is designed to safely evaluate user-supplied expressions during workflow execution. 
According to the researchers, flaws in how expressions are sanitized allow an attacker with permission to create or edit workflows to escape the sandbox and execute arbitrary JavaScript on the underlying host.<\/p>\n<p>JFrog explained in a blog <a href=\"https:\/\/research.jfrog.com\/post\/achieving-remote-code-execution-on-n8n-via-sandbox-escape\/\" target=\"_blank\" rel=\"noopener\">post<\/a> that the expressions engine\u2019s protections can be bypassed by carefully crafted payloads that exploit assumptions in the sandboxing logic. Once escaped, the attacker is no longer limited to expression evaluation and can run arbitrary commands in the context of the n8n service.<\/p>\n<p>\u201cWhen the expression engine encounters a {{}} block, it processes the enclosed content by passing it to a JavaScript Function constructor, which then executes the supplied code,\u201d the researchers said. <a href=\"https:\/\/www.csoonline.com\/article\/4115417\/malicious-npm-packages-target-n8n-automation-platform-in-a-supply-chain-attack.html\">n8n<\/a> uses an AST-based sandbox to neutralize dangerous JavaScript constructs before execution. A missed edge case in the outdated \u201cwith statement\u201d allows attackers to bypass these checks and achieve arbitrary code execution.<\/p>\n<p>The vulnerability has been assigned <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-1470\" target=\"_blank\" rel=\"noopener\">CVE-2026-1470<\/a> and carries a critical severity rating of CVSS 9.9 out of 10, owing to the ease with which sandbox restrictions can be broken and the level of access gained post-exploitation.<\/p>\n<h2 class=\"wp-block-heading\">Python code node escape breaks isolation<\/h2>\n<p>JFrog also identified a separate sandbox escape affecting n8n\u2019s Python Code node when the platform is configured to use its \u201cInternal\u201d execution mode. 
In this case, restrictions intended to contain Python code execution can be bypassed, again allowing authenticated users to run arbitrary code outside the sandbox.<\/p>\n<p>The second issue, tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-0863\">CVE-2026-0863<\/a>, received a high severity rating of CVSS 8.5 out of 10. While exploitation depends on specific configuration choices, JFrog noted that internal execution mode is commonly used in self-hosted enterprise deployments for performance and operational simplicity.<\/p>\n<p>The researchers demonstrated how Python sandbox constraints can be evaded, granting access to system resources that should be off-limits.<\/p>\n<h2 class=\"wp-block-heading\">Urgent need to update<\/h2>\n<p>Both issues have been patched, and enterprises running n8n should ensure they are on updated versions. Until patches are applied, organizations are advised to carefully review who has permission to create or edit workflows, particularly in environments where n8n has access to internal networks, secrets, or privileged APIs.<\/p>\n<p>CVE-2026-1470 has been <a href=\"https:\/\/github.com\/n8n-io\/n8n\/releases\" target=\"_blank\" rel=\"noopener\">fixed<\/a> in versions 1.123.17, 2.4.5, and 2.5.1, while CVE-2026-0863 is resolved in versions 1.123.14, 2.3.5, and 2.4.2. Upgrading to any of these versions mitigates the risk of exploitation, the researchers noted.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Two critical sandbox escape flaws in the popular n8n workflow automation platform are allowing authenticated users to achieve remote code execution on affected instances. According to new JFrog findings, sandboxing safeguards meant to contain untrusted workflow logic can be bypassed, exposing enterprise automation environments to full host compromise. 
Enterprises that rely on n8n to orchestrate [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6763,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6762","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6762"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6762"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6762\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6763"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6762"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6762"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6762"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}