Mallory

Multiple n8n Vulnerabilities Enable RCE, Sandbox Escapes, and Stored XSS

Tags: internet-facing-service-vulnerability, proof-of-concept-release, widely-deployed-product-advisory, rapid-weaponization, botnet-infrastructure
Updated March 30, 2026 at 12:03 PM. 11 sources.

Security researchers and CVE disclosures describe multiple vulnerabilities in the n8n workflow automation platform that enable remote code execution (RCE), sandbox escapes, and stored cross-site scripting (XSS) under various conditions. Akamai reported exploitation interest from the Zerobot botnet in CVE-2025-68613, a critical failure of expression-evaluation sandboxing affecting versions from 0.211.0 up to the patched releases 1.120.4, 1.121.1 and 1.122.0: a logged-in user without admin rights could break out of the expression context to execute arbitrary code, read and write server files, steal environment variables (for example API keys) and establish persistence. A public PoC was noted as available.

Subsequent advisories describe additional n8n flaws patched after the expression-sandbox issue. Unless noted, each requires an authenticated user who can create or modify workflows; in practice that is any attacker holding a workflow editor's session or credentials, which is why the stored XSS below matters.

CVE-2026-27577: further expression-evaluation abuse leading to command execution on the host.

CVE-2026-27495: a JavaScript Task Runner sandbox escape that can lead to full host compromise when internal runners are used (N8N_RUNNERS_ENABLED=true in the default internal mode). Running the runner as a separate process (N8N_RUNNERS_MODE=external) reduces the blast radius.

CVE-2026-27497: potential RCE and arbitrary file write via the Merge node in SQL query mode.

CVE-2026-27578: stored XSS across multiple nodes (e.g., Webhook, Form and Chat-related nodes), enabling session hijacking or account takeover when a victim views an affected page.

CVE-2026-27493: a second-order, potentially unauthenticated expression injection via Form nodes. Under specific workflow configurations, a submitted value beginning with = is later evaluated as an n8n expression; on its own this yields expression evaluation, and it escalates to RCE only when chained with a separate sandbox escape.

Fixes are reported in n8n 2.10.1 and, depending on branch, 2.9.3 / 1.123.22. Interim mitigations include restricting workflow edit permissions and disabling specific nodes via NODES_EXCLUDE (e.g., n8n-nodes-base.webhook, n8n-nodes-base.merge, n8n-nodes-base.form, n8n-nodes-base.formTrigger). Excluding the Webhook and Form nodes breaks every workflow that ingests external input through them, so this is a stopgap for instances that cannot be patched immediately, not a substitute for upgrading.
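As an added example, not code from the page's sources or from n8n, the JavaScript below audits a self-hosted instance's environment against the interim mitigations described above and screens an incoming form submission for values n8n would treat as expressions (the CVE-2026-27493 input shape). It assumes the documented n8n environment variables N8N_RUNNERS_ENABLED, N8N_RUNNERS_MODE and NODES_EXCLUDE (the latter a JSON array of node type names), and n8n's convention that a parameter string beginning with = is an expression whose JavaScript sits inside {{ }}. The sample environment and form payload are constructed.

```javascript
// Added example (not n8n code): audit a self-hosted n8n instance's environment
// against the interim mitigations in the February 2026 advisories, and screen a
// form submission for values n8n would evaluate as expressions.
// Assumes the documented env vars N8N_RUNNERS_ENABLED, N8N_RUNNERS_MODE and
// NODES_EXCLUDE (a JSON array of node type names), and n8n's convention that a
// string starting with "=" is an expression whose JavaScript sits inside {{ }}.

const ADVISORY_NODES = [
  'n8n-nodes-base.webhook',
  'n8n-nodes-base.merge',
  'n8n-nodes-base.form',
  'n8n-nodes-base.formTrigger',
];

// NODES_EXCLUDE is a JSON array string; anything unparsable excludes nothing.
function parseNodesExclude(raw) {
  if (!raw) return [];
  try {
    const parsed = JSON.parse(raw);
    return Array.isArray(parsed) ? parsed.filter((n) => typeof n === 'string') : [];
  } catch (e) {
    return [];
  }
}

// Returns a list of findings; an empty list means the interim mitigations are in place.
function auditEnv(env) {
  const findings = [];
  const runnersOn = env.N8N_RUNNERS_ENABLED === 'true';
  const mode = env.N8N_RUNNERS_MODE || 'internal'; // internal is the default mode
  if (runnersOn && mode !== 'external') {
    findings.push({
      id: 'internal-task-runner',
      cve: 'CVE-2026-27495',
      detail: 'JS task runner executes inside the main n8n process; set N8N_RUNNERS_MODE=external until patched.',
    });
  }
  const excluded = new Set(parseNodesExclude(env.NODES_EXCLUDE));
  const missing = ADVISORY_NODES.filter((n) => !excluded.has(n));
  if (missing.length > 0) {
    findings.push({
      id: 'nodes-not-excluded',
      cve: 'CVE-2026-27497 / CVE-2026-27493 / CVE-2026-27578',
      detail: `NODES_EXCLUDE does not cover: ${missing.join(', ')}`,
    });
  }
  return findings;
}

// Walk a submitted JSON payload and flag strings that start with "=". A bare
// "=" prefix is medium (only dangerous where a downstream node re-evaluates the
// value); "={{" is high because it carries executable expression syntax.
function flagExpressionInputs(payload, path = '$') {
  const hits = [];
  if (typeof payload === 'string') {
    if (payload.startsWith('=')) {
      hits.push({ path, severity: payload.includes('{{') ? 'high' : 'medium', value: payload });
    }
  } else if (Array.isArray(payload)) {
    payload.forEach((item, i) => hits.push(...flagExpressionInputs(item, `${path}[${i}]`)));
  } else if (payload !== null && typeof payload === 'object') {
    for (const [key, value] of Object.entries(payload)) {
      hits.push(...flagExpressionInputs(value, `${path}.${key}`));
    }
  }
  return hits;
}

// Constructed sample environment and form submission, not real data.
const SAMPLE_ENV = {
  N8N_RUNNERS_ENABLED: 'true',
  NODES_EXCLUDE: '["n8n-nodes-base.merge"]',
};
const SAMPLE_FORM = {
  name: 'Alice',
  company: '=ACME',
  notes: '={{ 1 + 1 }}', // expression-shaped value; harmless placeholder, not an exploit
  tags: ['ok', '=late'],
};

console.log(JSON.stringify(auditEnv(SAMPLE_ENV), null, 2));
console.log(JSON.stringify(flagExpressionInputs(SAMPLE_FORM), null, 2));
```

The environment audit is meant to run in CI or a configuration-management check against the variables actually passed to the container; the payload screen belongs in front of the instance (reverse proxy or WAF rule) and is a detection aid, since the advisory states the injection only fires under specific workflow configurations and only escalates to RCE when chained with a sandbox escape.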

Timeline

  1. Mar 25, 2026

    n8n fixes CVE-2026-33660 Merge node AlaSQL RCE flaw

    n8n fixed CVE-2026-33660, a vulnerability in the Merge node's 'Combine by SQL' mode that let authenticated users with workflow creation or modification rights read local files and potentially achieve remote code execution. The flaw affected versions prior to 2.14.1, 2.13.3, and 1.123.26, and n8n advised immediate upgrades and temporary mitigations such as restricting workflow editing and disabling the Merge node.

  2. Mar 25, 2026

    n8n fixes CVE-2026-33696 prototype pollution RCE flaw

    n8n fixed CVE-2026-33696, a prototype pollution vulnerability in the XML and GSuiteAdmin nodes that could let authenticated users with workflow creation or modification rights achieve remote code execution. The issue affected versions prior to 2.14.1, 2.13.3, and 1.123.27, and n8n advised immediate upgrades plus temporary mitigations such as restricting workflow editing and disabling the XML node.

  3. Feb 27, 2026

    Akamai reports Zerobot targeting n8n via CVE-2025-68613

    Akamai published research stating that Zerobot malware was targeting the n8n automation platform through CVE-2025-68613. The report highlighted active attacker interest in the flaw and reiterated the severe impact of compromise on n8n instances.

  4. Feb 27, 2026

    Public PoC becomes available for CVE-2025-68613

    By late February 2026, a public proof-of-concept exploit was available for CVE-2025-68613, lowering the barrier to exploitation of the n8n expression-evaluation RCE flaw. Akamai described the issue as easy to exploit and high impact because it could expose files, environment variables, and integrated services.

  5. Feb 25, 2026

    n8n patches multiple additional vulnerabilities across workflow components

n8n released fixes for several newly disclosed vulnerabilities affecting versions prior to 2.10.1, 2.9.3, and 1.123.22, including expression sandbox escapes, Merge node RCE, a JavaScript Task Runner sandbox escape, Form node expression injection, and stored XSS in multiple nodes. The guidance was to upgrade to those releases and, where immediate patching was not possible, to apply the temporary mitigations (restricting workflow editing and excluding the affected nodes).

  6. Jan 8, 2026

    n8n publishes security advisory for versions 1.65-1.120.4

    n8n published a security advisory covering vulnerabilities affecting versions 1.65 through 1.120.4. The advisory represents a separate disclosure from the earlier CVE-2025-68613 sandbox-escape issue and the later February 2026 multi-vulnerability patch release.

  7. Dec 15, 2025

    n8n discloses critical RCE flaw CVE-2025-68613

    In mid-December 2025, n8n disclosed CVE-2025-68613, a critical remote code execution vulnerability in workflow expression evaluation caused by insufficient sandboxing. The flaw allowed a standard authenticated user to escape the expression sandbox and execute arbitrary code on the n8n server.
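The timeline above spreads fix versions across several branches (the 1.123.x line, 2.9/2.10 and 2.13/2.14), and two advisories from the same day differ by one patch level on the 1.123 line (1.123.26 versus 1.123.27). As an added example, not code from the page's sources or from n8n, the following JavaScript encodes those fix releases and reports which advisories a given running version still lacks. It assumes plain major.minor.patch version strings and that each listed fix release is the lowest patched release on its branch; the fix releases for CVE-2025-68613 (1.120.4, 1.121.1, 1.122.0) are taken from n8n's December 2025 advisory, and the sample versions are constructed.

```javascript
// Added example (not n8n code): branch-aware patch triage for the n8n advisories
// on this page. Fix releases are copied from the story and timeline; "introduced"
// is the first affected version where the page gives one.
const ADVISORIES = [
  { cve: 'CVE-2025-68613', introduced: '0.211.0', fixed: ['1.120.4', '1.121.1', '1.122.0'] },
  { cve: 'CVE-2026-27577 et al. (Feb 25, 2026 release)', fixed: ['1.123.22', '2.9.3', '2.10.1'] },
  { cve: 'CVE-2026-33660', fixed: ['1.123.26', '2.13.3', '2.14.1'] },
  { cve: 'CVE-2026-33696', fixed: ['1.123.27', '2.13.3', '2.14.1'] },
];

// Accepts "1.123.26" or "v1.123.26"; anything else is rejected rather than guessed.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised n8n version: ${s}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// A release is patched for an advisory if it is at or above the fix on its own
// major.minor branch, or on a newer branch than every fix for its major line, or
// on a later major line than any fix. Releases on an older major line than every
// fix (e.g. 0.x against 1.x fixes) predate the fix and are treated as unpatched.
function isPatched(version, fixed) {
  const v = parseVersion(version);
  const fixes = fixed.map(parseVersion).sort(cmp);
  const sameMajor = fixes.filter((f) => f[0] === v[0]);
  if (sameMajor.length === 0) {
    return v[0] > fixes[fixes.length - 1][0];
  }
  const branchFix = sameMajor.find((f) => f[1] >= v[1]); // first fix on or after v's minor
  if (!branchFix) return true;                           // newer branch than every fix
  if (branchFix[1] > v[1]) return false;                 // v's branch sits below a fixed branch
  return cmp(v, branchFix) >= 0;                         // same branch: compare patch level
}

// Returns the advisories a running version is still exposed to.
function triage(version) {
  const v = parseVersion(version);
  return ADVISORIES
    .filter((a) => !a.introduced || cmp(v, parseVersion(a.introduced)) >= 0)
    .filter((a) => !isPatched(version, a.fixed))
    .map((a) => a.cve);
}

// Constructed sample versions, not observed instances.
console.log(triage('1.123.26')); // ['CVE-2026-33696']
console.log(triage('2.10.1'));   // ['CVE-2026-33660', 'CVE-2026-33696']
console.log(triage('1.119.0'));  // all four entries
console.log(triage('2.14.1'));   // []
```

Feed it the version string the instance reports (for example from the container image tag or the n8n UI) rather than the package.json of a checkout, and re-run it whenever a new advisory adds a fix line; the branch logic is what keeps an up-to-date 1.123.x LTS install from being misreported as vulnerable merely because its major version is lower than the 2.x fixes.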


Sources

February 27, 2026; February 25, 2026; and 5 more from sources such as cvefeed (high severity) and blog.n8n.io.

Related Stories

Critical n8n Vulnerabilities Enabling RCE and Sandbox Escapes


Government cyber agencies in Belgium and Canada warned that **n8n** released security updates to address multiple **critical vulnerabilities** that could allow attackers to compromise workflow automation instances, particularly those exposed to the internet. The advisories emphasize that n8n often orchestrates actions across interconnected systems, increasing blast radius if compromised, and urge administrators to **patch immediately** to protect confidentiality, integrity, and availability. The Belgian CCB advisory highlights three critical CVEs—**CVE-2026-27495**, **CVE-2026-27577**, and **CVE-2026-27497** (each scored **CVSS 9.4**) affecting n8n versions prior to **2.10.1 / 2.9.3 / 1.123.22**, including issues mapped to **CWE-94 (code injection)** and **CWE-89 (SQL injection)**. It describes **sandbox escape leading to arbitrary code execution** in the JavaScript Task Runner (notably impacting the default internal Task Runner mode) and abuse of crafted workflow expressions by authenticated users with workflow modification permissions; Canada’s Cyber Centre advisory (AV26-176) additionally enumerates impacted components and attack classes including **RCE via Merge Node**, **expression sandbox escape to RCE**, **JavaScript Task Runner sandbox escape**, **unauthenticated expression evaluation via Form Node**, and **stored XSS across multiple nodes**, directing organizations to apply n8n’s upstream fixes.

Yesterday
Critical n8n Expression Sandbox Escape Leading to Authenticated RCE (CVE-2026-25049)


A **critical remote code execution** issue in the *n8n* open-source workflow automation platform, tracked as **CVE-2026-25049** (also published as **GHSA-6cqr-8cfr-67f8**), allows an **authenticated** user with permission to create or modify workflows to escape n8n’s expression sandbox and execute arbitrary system commands on the underlying host. The flaw stems from **insufficient input sanitization/weak sandboxing** in n8n’s expression evaluation (server-side JavaScript) and was identified during follow-up analysis after an earlier critical n8n vulnerability (**CVE-2025-68613**) was patched; researchers report the new issue effectively **bypasses prior mitigations**. Reporting indicates exploitation can lead to **full compromise** of the n8n instance, including access to the filesystem and the ability to **steal stored credentials and secrets** (e.g., API keys, OAuth tokens) and sensitive configuration, with potential for **pivoting** into connected internal services and cloud accounts in multi-tenant deployments. Public reporting also notes **public exploits** are available. n8n maintainers state the issue is patched, and affected organizations should upgrade to fixed releases (**1.123.17** and **2.5.2**), as versions **prior to 1.123.17 and 2.5.2** are impacted.

1 month ago
Authenticated Sandbox-Escape RCE Vulnerabilities in n8n Workflow Automation


JFrog researchers disclosed two vulnerabilities in the *n8n* workflow automation platform that allow an **authenticated** attacker to escape built-in sandboxes and achieve **remote code execution (RCE)** on the main n8n node, potentially leading to full instance compromise and access to sensitive connected systems (e.g., APIs, credentials, and internal tooling). The issues are tracked as **CVE-2026-1470** (CVSS **9.9**) and **CVE-2026-0863** (CVSS **8.5**); exploitation is possible even in configurations where n8n runs in “internal” execution mode, which n8n documentation already warns is risky for production due to weaker isolation between the application and task runner processes. Technical details indicate both flaws are sandbox escapes driven by language/runtime edge cases: **CVE-2026-1470** abuses JavaScript expression sandboxing (including `with`-statement handling) to resolve a constructor path to `Function` and execute arbitrary JavaScript, while **CVE-2026-0863** escapes the Python task executor sandbox via Python introspection and runtime behavior (notably Python 3.10+ `AttributeError.obj`) to regain access to restricted builtins/imports and execute OS commands. Recommended remediation is to upgrade n8n to fixed versions (for **CVE-2026-1470**: `1.123.17`, `2.4.5`, or `2.5.1`; for **CVE-2026-0863**: `1.123.14`, `2.3.5`, or `2.4.2`).

1 month ago
