Critical n8n Flaws Enable Remote Code Execution and Credential Theft
These articles are AI-generated summaries. Please check the original sources for full details.
Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials
Researchers at Pillar Security disclosed four critical vulnerabilities in the n8n workflow automation platform, including CVE-2026-27493 and CVE-2026-27577. Chained together, these flaws let an unauthenticated attacker execute arbitrary shell commands on the n8n host by submitting a crafted payload to the input fields of a publicly exposed Form node.
Why This Matters
Workflow automation platforms such as n8n hold sensitive secrets (AWS keys, OAuth tokens, database passwords) and evaluate user-supplied expressions in a flexible execution environment, so their security model rests on sandbox isolation. When that isolation fails, for example because the AST rewriter in the expression compiler misses a case, an attacker gains the access of the n8n process itself: reading the N8N_ENCRYPTION_KEY environment variable and decrypting every credential stored in the database.
Key Insights
- CVE-2026-27493 (CVSS 9.5): unauthenticated expression evaluation through public n8n Form nodes; on its own it evaluates expressions, and chained with a sandbox escape it yields RCE (Pillar Security, 2026).
- CVE-2026-27577 (CVSS 9.4): a missing case in the AST rewriter lets the 'process' object pass through the expression compiler untransformed, which is the sandbox escape the Form node chain relies on.
- CVE-2026-27495 (CVSS 9.4): code injection in the JavaScript Task Runner sandbox, letting an authenticated user who can edit workflows run code outside the sandbox boundary.
- CVE-2026-27497 (CVSS 9.4): the Merge node's SQL query mode can be abused to execute arbitrary code and write files on the server (n8n Advisory, 2026).
- Any of these paths ends with the attacker reading the N8N_ENCRYPTION_KEY environment variable and decrypting every credential stored in the database, including database passwords and API keys.
Practical Applications
- System hardening: Upgrade immediately to n8n 2.10.1, 2.9.3 or 1.123.22 (or a later release on the same line); these releases contain the fixes for all four vulnerabilities.
- Component isolation: Until the upgrade is done, disable the vulnerable components by adding n8n-nodes-base.form and n8n-nodes-base.merge to the NODES_EXCLUDE environment variable. This is a short-term mitigation only: workflows that use those node types will stop working while they are excluded.
- Blast radius reduction: Run the JavaScript Task Runner as a separate process (N8N_RUNNERS_MODE=external) so that code escaping the sandbox lands in the runner process rather than in the main n8n process, which holds the encryption key and the database connection.
- Permission enforcement: Restrict workflow creation and editing to trusted users, since the Task Runner and Merge node vectors require an authenticated user who can edit workflows.
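The following script is an added example, not code from n8n or Pillar Security. It turns the four hardening steps above into a triage routine for a self-hosted instance: it decides from the version string whether the fixes are present, scans exported workflow JSON for the two node types the advisory says to disable, and emits the mitigation environment. It assumes that later releases on the 1.x, 2.9.x and 2.10.x lines also carry the fix and that 2.x releases before 2.9 do not (the page lists only the three fixed versions), that exported workflows have the usual `{name, nodes: [{name, type, parameters}]}` shape, and that the Merge node selects its SQL mode with `parameters.mode === "combineBySql"`; the sample workflows are constructed for the example.

```javascript
// Added example, not n8n's or Pillar Security's code: triage a self-hosted
// n8n instance against the fixes and mitigations summarised above.
//
// Assumptions not stated on the page, made here for illustration:
//  - fixed releases are 1.123.22 (1.x), 2.9.3 (2.9.x) and 2.10.1 (2.10.x);
//    later releases on those lines count as fixed, 2.x before 2.9 as unfixed;
//  - exported workflow JSON looks like {name, nodes: [{name, type, parameters}]};
//  - the Merge node's SQL mode is parameters.mode === "combineBySql".

const FIXED_1X = [1, 123, 22];
const FIXED_29 = [2, 9, 3];
const FIXED_210 = [2, 10, 1];

// "2.10.0" or "v1.123.21-rc.1" -> [major, minor, patch]
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable n8n version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic comparison of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True when the running version already contains the fixes.
function isPatched(version) {
  const v = parseVersion(version);
  if (v[0] === 1) return compareVersions(v, FIXED_1X) >= 0;
  if (v[0] === 2) {
    if (v[1] === 9) return compareVersions(v, FIXED_29) >= 0;
    if (v[1] >= 10) return compareVersions(v, FIXED_210) >= 0;
    return false; // 2.0 to 2.8: no fixed release listed, treat as unpatched
  }
  return v[0] > 2; // assumption: later major lines were cut after the fix
}

// Nodes in one exported workflow that match the components the advisory
// says to disable: the Form node and the Merge node in SQL query mode.
function findExposedNodes(workflow) {
  const hits = [];
  for (const node of workflow.nodes ?? []) {
    if (node.type === "n8n-nodes-base.form") {
      hits.push({ workflow: workflow.name, node: node.name, type: node.type,
                  reason: "Form node reachable without authentication (CVE-2026-27493 entry point)" });
    } else if (node.type === "n8n-nodes-base.merge" &&
               node.parameters?.mode === "combineBySql") {
      hits.push({ workflow: workflow.name, node: node.name, type: node.type,
                  reason: "Merge node in SQL query mode (CVE-2026-27497)" });
    }
  }
  return hits;
}

// Environment for the short-term mitigations. n8n reads NODES_EXCLUDE as a
// JSON array string, so a plain comma-separated list would not be honoured.
function mitigationEnv(excludeTypes) {
  return {
    NODES_EXCLUDE: JSON.stringify(excludeTypes),
    N8N_RUNNERS_MODE: "external",
  };
}

// Combine the checks into the list of actions an operator should take.
function triage(version, workflows) {
  const exposed = workflows.flatMap(findExposedNodes);
  const patched = isPatched(version);
  const actions = [];
  if (!patched) {
    actions.push("upgrade to 2.10.1, 2.9.3 or 1.123.22 (or later on the same line)");
    if (exposed.length > 0) {
      const types = [...new Set(exposed.map((h) => h.type))];
      actions.push(`until upgraded, set NODES_EXCLUDE=${mitigationEnv(types).NODES_EXCLUDE}`);
    }
  }
  actions.push("run the JavaScript Task Runner externally (N8N_RUNNERS_MODE=external)");
  return { version, patched, exposed, actions };
}

// Constructed sample export: one workflow with both risky nodes, one without.
const SAMPLE_WORKFLOWS = [
  { name: "lead-intake", nodes: [
      { name: "Intake Form", type: "n8n-nodes-base.form", parameters: { operation: "page" } },
      { name: "Enrich", type: "n8n-nodes-base.set", parameters: {} },
      { name: "Combine", type: "n8n-nodes-base.merge",
        parameters: { mode: "combineBySql", query: "SELECT * FROM input1" } } ] },
  { name: "nightly-report", nodes: [
      { name: "Merge", type: "n8n-nodes-base.merge", parameters: { mode: "append" } } ] },
];

console.log(JSON.stringify(triage("2.10.0", SAMPLE_WORKFLOWS), null, 2));
```

Feed it the output of the n8n CLI's workflow export (or the REST API's workflow list) as the `workflows` array, and the instance's reported version as the first argument. Because NODES_EXCLUDE removes the node types entirely, the "exposed" list also tells you which workflows will break while the mitigation is in place, so it doubles as the list to re-test after upgrading.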