
Cybersecurity researchers have uncovered two new security flaws in the n8n workflow automation platform, including a critical vulnerability that could allow remote code execution.
The vulnerabilities discovered by the JFrog Security Research team are as follows:
CVE-2026-1470 (CVSS Score: 9.9) – An eval injection vulnerability that allows an authenticated user to bypass the Expression sandbox mechanism and achieve full remote code execution on n8n’s main node by passing specially crafted JavaScript code
CVE-2026-0863 (CVSS Score: 8.5) – An eval injection vulnerability that could potentially bypass mechanisms in the python-task-executor sandbox and execute arbitrary Python code on the underlying operating system
Successful exploitation could allow an attacker to hijack an entire n8n instance, including deployments whose task runners operate in “internal” execution mode. n8n states in its documentation that using internal mode in production environments can pose a security risk, and urges users to switch to external mode to ensure proper isolation between n8n and the task runner process.

“n8n unlocks core tools, capabilities, and data from infrastructure including LLM APIs, sales data, internal IAM systems, and more to automate AI workflows across the organization,” JFrog said in a statement shared with The Hacker News. “As a result, you are denying hackers a valid ‘skeleton key’ to your entire enterprise.”
To address these flaws, users are advised to update to the following versions:
CVE-2026-1470 – 1.123.17, 2.4.5, or 2.5.1
CVE-2026-0863 – 1.123.14, 2.3.5, or 2.4.2
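For operators who need to check a fleet against the fixed releases listed above, the following is an added example (not code from the article, from JFrog, or from the n8n project) that classifies an n8n version string against both CVEs' fix lines. The fixed versions are taken verbatim from the advisory text; the `assumed_patched` status given to release lines newer than every listed fix is an assumption of this script, not something the advisory states, and should be confirmed against the n8n changelog. The hostnames in the sample inventory are constructed.

```python
"""Version audit for the two n8n CVEs in the advisory above.

Fixed releases, as listed in the advisory:
  CVE-2026-1470: 1.123.17, 2.4.5, 2.5.1
  CVE-2026-0863: 1.123.14, 2.3.5, 2.4.2
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# One (major, minor, patch) tuple per release line that received a fix.
FIXED_VERSIONS: Dict[str, List[Version]] = {
    "CVE-2026-1470": [(1, 123, 17), (2, 4, 5), (2, 5, 1)],
    "CVE-2026-0863": [(1, 123, 14), (2, 3, 5), (2, 4, 2)],
}

# Accept "2.4.5" or "v2.4.5"; pre-release suffixes are rejected rather than
# guessed at, so a "2.4.5-rc.1" never gets classified as the 2.4.5 release.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Version:
    """Parse an n8n version string into (major, minor, patch)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def cve_status(version: Version, fixes: List[Version]) -> str:
    """Classify one installed version against one CVE's fixed releases.

    Rules:
      * same major.minor line as a listed fix -> 'patched' iff patch >= fix patch
      * a line newer than every listed fix line -> 'assumed_patched'
        (assumption: later lines were cut after the fix; verify in the changelog)
      * anything else (older lines, or lines such as 2.2.x for which the
        advisory lists no fix) -> 'vulnerable'; move to a listed fixed release
    """
    major, minor, patch = version
    for fmaj, fmin, fpatch in fixes:
        if (major, minor) == (fmaj, fmin):
            return "patched" if patch >= fpatch else "vulnerable"
    newest_fix_line = max((fmaj, fmin) for fmaj, fmin, _ in fixes)
    if (major, minor) > newest_fix_line:
        return "assumed_patched"
    return "vulnerable"


def audit(version_text: str) -> Dict[str, str]:
    """Return {CVE id: status} for an installed n8n version string."""
    v = parse_version(version_text)
    return {cve: cve_status(v, fixes) for cve, fixes in FIXED_VERSIONS.items()}


def needs_upgrade(version_text: str) -> bool:
    """True if either CVE is still open for this version."""
    return any(s == "vulnerable" for s in audit(version_text).values())


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are hypothetical.
    inventory = {
        "n8n-prod-01": "1.123.16",
        "n8n-prod-02": "2.4.3",
        "n8n-staging": "2.5.0",
        "n8n-dev": "v2.6.0",
    }
    for host, ver in inventory.items():
        flag = "UPGRADE" if needs_upgrade(ver) else "ok"
        print(f"{host:12} {ver:9} {audit(ver)} -> {flag}")
```

Note that a version such as 2.5.0 comes out as vulnerable to CVE-2026-1470 but only assumed patched for CVE-2026-0863: the advisory names no 2.5.x fix for the latter, so the script cannot prove it, which is exactly the case to confirm against the changelog rather than trust the heuristic.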
This development comes just weeks after Cyera Research Labs detailed a maximum severity security flaw in n8n (CVE-2026-21858 aka Ni8mare) that allows an unauthenticated, remote attacker to gain complete control of a vulnerable instance.
“These vulnerabilities highlight how difficult it is to securely sandbox dynamic high-level languages such as JavaScript and Python,” said researcher Nathan Nehorai. “Even when multiple validation layers, deny lists, and AST-based controls are in place, subtle language features and runtime behaviors can be leveraged to circumvent security assumptions.”
“In this case, deprecated or rarely used constructs, combined with changes to the interpreter and exception handling behavior, were sufficient to break through the restrictive sandbox and execute code remotely.”
