Critical n8n Flaws Enable Remote Code Execution and Credential Theft

Security researchers have disclosed multiple now-patched vulnerabilities in the n8n workflow automation platform, including critical flaws that allow remote code execution and credential exposure. Two high-severity issues, CVE-2026-27577 and CVE-2026-27493, received CVSS scores of 9.4 and 9.5 respectively. The first is a sandbox escape in the expression compiler that lets authenticated users with workflow permissions execute arbitrary system commands. The second is a double-evaluation bug in Form nodes that lets unauthenticated attackers inject malicious expressions through public forms.

These vulnerabilities affect both self-hosted and cloud deployments across multiple version branches, with fixes shipped in versions 2.10.1, 2.9.3, and 1.123.22. Chained together, the flaws could let an attacker read the N8N_ENCRYPTION_KEY environment variable and decrypt every credential stored in n8n's database, including AWS keys, database passwords, OAuth tokens, and API keys. Two additional critical vulnerabilities were also patched: CVE-2026-27495, a JavaScript Task Runner sandbox escape, and CVE-2026-27497, arbitrary code execution through the Merge node's SQL query mode.

For organizations unable to patch immediately, n8n recommends restricting workflow creation permissions to trusted users, deploying in hardened environments, and disabling vulnerable nodes through environment variables. The maintainers caution that these workarounds serve only as short-term mitigations and do not fully remediate the risks. While no active exploitation has been reported, users are strongly advised to update their installations promptly. The vulnerabilities underscore the importance of securing workflow automation platforms that handle sensitive credentials and system-level operations.
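The first thing an administrator wants to know is whether a given deployment is on or above the fixed release for its branch. The following is an added example, not code from the article or from the n8n project: it encodes the three patched versions named above (2.10.1, 2.9.3, 1.123.22) and classifies a version string against them. It assumes, as labelled in the comments, that a 2.x branch the advisory does not list (for example 2.8.x) should be reported as "unknown" rather than guessed at, and that `n8n --version` prints the installed version (an optional helper; the audit itself takes any version string).

```python
"""Audit an n8n version against the fixed releases named in the advisory.

Added example for this article; not part of n8n. Fixed versions are the
three the article reports. Anything on a branch outside those is returned
as "unknown" (assumption: we do not guess about branches the advisory
does not mention).
"""
import re
import subprocess  # only used by the optional local_version() helper

# Patched releases from the article, keyed by (major, minor) branch.
# The 1.x line uses minor=None: every 1.x release at or above 1.123.22 is fixed.
FIXED = {
    (2, 10): (2, 10, 1),
    (2, 9): (2, 9, 3),
    (1, None): (1, 123, 22),
}


def parse_version(text):
    """Extract a (major, minor, patch) tuple from '2.9.2' or 'n8n 1.120.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a version string or tuple.

    'unknown' means the branch is not covered by the advisory's fix list
    (assumption: do not infer fix status for unlisted branches).
    """
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    major, minor, _ = v
    fixed = FIXED.get((major, minor)) or FIXED.get((major, None))
    if fixed is None:
        return "unknown"
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return "patched" if v >= fixed else "vulnerable"


def local_version():
    """Best effort: read the installed version via the n8n CLI.

    Assumption: `n8n --version` prints the version. Returns None if the
    binary is missing, times out, or prints nothing parseable.
    """
    try:
        out = subprocess.run(["n8n", "--version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    try:
        return parse_version(out.stdout)
    except ValueError:
        return None


if __name__ == "__main__":
    import sys
    # Usage: python n8n_audit.py 2.9.2   (falls back to the local CLI if no arg)
    target = sys.argv[1] if len(sys.argv) > 1 else local_version()
    if target is None:
        print("could not determine n8n version; pass it as an argument")
        sys.exit(2)
    status = assess(target)
    print(f"n8n {target}: {status}")
    sys.exit(0 if status == "patched" else 1)
```

The script exits non-zero for anything other than "patched", so it can sit in a fleet-wide inventory job; an "unknown" result is a prompt to check the release notes for that branch, not a clean bill of health.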
