
"CVE-2026-27577 is a sandbox escape in the expression compiler: a missing case in the AST rewriter lets process slip through untransformed, giving any authenticated expression full RCE. The cybersecurity company described CVE-2026-27493 as a double-evaluation bug in n8n's Form nodes that could be abused for expression injection by taking advantage of the fact that the form endpoints are public by design and require neither authentication nor an n8n account."
"All it takes for successful exploitation is to leverage a public Contact Us form to execute arbitrary shell commands by simply providing a payload as input into the Name field. N8n also noted that CVE-2026-27493, when chained with an expression sandbox escape like CVE-2026-27577, could escalate to remote code execution on the n8n host."
"CVE-2026-27577 could be weaponized by an authenticated user with permission to create or modify workflows to trigger unintended system command execution on the host running n8n via crafted expressions in workflow parameters. Both vulnerabilities affect the self-hosted and cloud deployments of n8n across versions < 1.123.22, >= 2.0.0 < 2.9.3, and >= 2.10.0 < 2.10.1."
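To make the "double evaluation" pattern described above concrete, here is an added illustration (not n8n's code, and not taken from the advisory) using a toy template resolver. The resolver only does dotted property lookups on a context object, so nothing is executed; the point is the control flow: a first pass substitutes the submitted form field into a trusted parameter template, and a second pass over the resulting string re-interprets whatever the visitor typed. The hardened variant resolves the trusted template exactly once and treats submitted values as opaque data. `renderVulnerable`, `renderHardened`, `flagSuspiciousSubmission`, the `{{ path }}` syntax and the sample context are all assumptions for this example.

```javascript
// Toy expression syntax: {{ dotted.path }} resolved against a context object.
// Assumption for this example; it is not the real n8n expression engine.
const EXPR = /\{\{\s*([A-Za-z_$][\w$]*(?:\.[\w$]+)*)\s*\}\}/g;
const EXPR_PRESENT = /\{\{.*?\}\}/; // non-global, used only as a detector

// Dotted lookup with no eval; unknown paths resolve to undefined.
function lookup(ctx, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), ctx);
}

// Replaces every {{ path }} in template with its context value. Values
// returned from the replace callback are NOT rescanned by String.replace,
// so a single pass never interprets text it has just substituted.
function resolve(template, ctx) {
  return String(template).replace(EXPR, (_, path) => String(lookup(ctx, path)));
}

// Vulnerable pattern: the parameter template is resolved to pull in the
// submitted form field, then the resulting string is resolved AGAIN.
// The second pass interprets expression syntax supplied by the visitor.
function renderVulnerable(parameterTemplate, formInput, ctx) {
  const scope = { ...ctx, form: formInput };
  const firstPass = resolve(parameterTemplate, scope);
  return resolve(firstPass, scope); // double evaluation
}

// Hardened pattern: resolve the trusted template exactly once. Submitted
// values are inserted as data and are never fed back into the resolver.
function renderHardened(parameterTemplate, formInput, ctx) {
  return resolve(parameterTemplate, { ...ctx, form: formInput });
}

// Detection aid for logging/alerting: names the submitted fields that carry
// expression syntax. Public forms should never receive such input from users.
function flagSuspiciousSubmission(formInput) {
  return Object.keys(formInput).filter((k) => EXPR_PRESENT.test(String(formInput[k])));
}

// Constructed sample data for the demonstration.
const SAMPLE_CTX = { run: { id: 'run-4711' } };
const SAMPLE_TEMPLATE = 'Thanks, {{ form.name }}! We will reply to {{ form.email }}.';
const BENIGN_INPUT = { name: 'Ada', email: 'ada@example.com' };
const HOSTILE_INPUT = { name: '{{ run.id }}', email: 'x@example.com' };

// Stand-alone run: the vulnerable path turns the visitor's text into a
// resolved context value; the hardened path keeps it as literal text.
console.log('vulnerable:', renderVulnerable(SAMPLE_TEMPLATE, HOSTILE_INPUT, SAMPLE_CTX));
console.log('hardened:  ', renderHardened(SAMPLE_TEMPLATE, HOSTILE_INPUT, SAMPLE_CTX));
console.log('flagged:   ', flagSuspiciousSubmission(HOSTILE_INPUT));
```

The fix is structural rather than a filter: the resolver is applied to trusted templates only, and data coming from an unauthenticated endpoint is substituted, never re-parsed. `flagSuspiciousSubmission` is a monitoring convenience for spotting probing of public forms, not a substitute for the single-evaluation design.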
Cybersecurity researchers disclosed two critical security flaws in the n8n workflow automation platform. CVE-2026-27577 (CVSS 9.4) is a sandbox escape in the expression compiler that lets authenticated users execute remote code through crafted expressions. CVE-2026-27493 (CVSS 9.5) is a double-evaluation bug in Form nodes that enables expression injection through public forms, which by design require no authentication or n8n account. Both vulnerabilities affect self-hosted and cloud deployments across multiple versions. When chained together, they escalate to remote code execution on the n8n host. Patches are available in versions 2.10.1, 2.9.3, and 1.123.22. Users unable to patch immediately should restrict workflow creation and editing permissions.
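For triage, the affected version ranges quoted above (< 1.123.22, >= 2.0.0 < 2.9.3, >= 2.10.0 < 2.10.1) can be encoded as a small version check. This is an added example, not tooling from n8n or the reporting researchers; `isAffected`, `parseVersion` and `compareVersions` are names chosen here, and the ranges are copied exactly as the article states them.

```javascript
// Affected ranges exactly as published for CVE-2026-27577 / CVE-2026-27493.
// min === null means "no lower bound"; max is exclusive (the first fixed version).
const AFFECTED_RANGES = [
  { min: null, max: '1.123.22' },
  { min: '2.0.0', max: '2.9.3' },
  { min: '2.10.0', max: '2.10.1' },
];

// Parses "v2.9.3" / "2.9.3-rc.1" style strings into [major, minor, patch].
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Numeric component-wise comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the given n8n version falls inside any published affected range.
function isAffected(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some((r) => {
    const aboveMin = r.min === null || compareVersions(v, parseVersion(r.min)) >= 0;
    const belowMax = compareVersions(v, parseVersion(r.max)) < 0;
    return aboveMin && belowMax;
  });
}

// Stand-alone run over a constructed inventory of instances.
const SAMPLE_INVENTORY = ['1.123.21', '1.123.22', '2.9.2', '2.9.3', '2.10.0', '2.10.1'];
for (const ver of SAMPLE_INVENTORY) {
  console.log(`${ver}: ${isAffected(ver) ? 'AFFECTED - patch' : 'fixed'}`);
}
```

Run it against the version reported by each instance (for example the value shown in the n8n settings UI) to produce a patch list; anything flagged should be upgraded to the fixed release of its branch, or have workflow create/edit rights restricted until it can be.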
#n8n-vulnerabilities #remote-code-execution #sandbox-escape #workflow-automation-security #critical-patches
Read at The Hacker News