
"Tracked as CVE-2026-27493 (CVSS score of 9.5), the first bug is described as a second-order expression injection issue impacting the open source workflow automation platform's Form nodes. Successful exploitation could have allowed an unauthenticated attacker to inject arbitrary commands into a Name field and receive the output of the executed command."
"The vulnerability, Pillar explains, could be chained with the second critical flaw, tracked as CVE-2026-27577 (CVSS score of 9.4), to escape the n8n sandbox and execute commands on the host. According to the security team, the flaw allowed for a malicious payload to bypass sandbox protections and be executed because the vulnerable node operates at the compilation stage, before the runtime sanitizers."
"n8n is a credential vault by function. It stores keys to every system it connects to. A single sandbox escape exposes the n8n instance and every connected system. According to Pillar, the two vulnerabilities impacted both self-hosted and cloud deployments and could be exploited to extract all credentials from the n8n database, including AWS keys, passwords, OAuth tokens, and API keys."
Two critical-severity vulnerabilities were discovered in n8n, an open source workflow automation platform. CVE-2026-27493 (CVSS 9.5) involved a second-order expression injection in Form nodes that allowed unauthenticated attackers to inject arbitrary commands through the Name field. CVE-2026-27577 (CVSS 9.4) enabled sandbox escape by bypassing protections at the compilation stage before runtime sanitizers. These flaws could be chained together to execute commands on the host system. Both vulnerabilities affected self-hosted and cloud deployments and could expose all credentials stored in the n8n database, including AWS keys, passwords, OAuth tokens, and API keys. Patches were released in late February in versions 2.10.1, 2.9.3, and 1.123.22, removing the second expression evaluation pass, blocking certain parameters, and hardening sandbox protections.
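The mechanism behind a "second-order" expression injection, and why removing a second evaluation pass fixes it, is easier to see in a toy template renderer than in prose. The following is an added illustration, not n8n's code and not the advisory's reproduction steps; the `{{ key }}` placeholder syntax, the context dictionary and the sample values are all constructed for this example. The only thing the evaluator can do is look up a key, which is enough to show that data inserted by the first pass is treated as an expression by the second, and that a single pass (or a check that flags expression delimiters in stored user input) closes the hole.

```python
import re

# Constructed toy syntax: {{ key }} resolves to str(context[key]).
# A real workflow engine's expression language is far richer; this one
# deliberately cannot call functions or run code.
EXPR = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def render_once(template: str, context: dict) -> str:
    """Single evaluation pass: replace each placeholder with its context value."""
    return EXPR.sub(lambda m: str(context.get(m.group(1), "")), template)


def render_vulnerable(template: str, context: dict) -> str:
    """Two passes: output of pass 1 is fed back into the evaluator.

    Any value that pass 1 inserted (e.g. a user-supplied field) and that
    itself contains {{ ... }} is evaluated as an expression in pass 2.
    That is the second-order injection pattern.
    """
    first = render_once(template, context)
    return render_once(first, context)


def render_fixed(template: str, context: dict) -> str:
    """Single pass only: inserted data is never re-evaluated."""
    return render_once(template, context)


def contains_expression(value: str) -> bool:
    """Defensive check: does a stored user-supplied value carry expression delimiters?

    Useful as a validation or detection rule on fields that will later be
    interpolated into templates.
    """
    return EXPR.search(value) is not None


def demo() -> dict:
    # Constructed sample data: the attacker-controlled "name" field contains
    # an expression; "secret" stands in for a value the engine can see but
    # the form submitter should not.
    context = {
        "name": "{{ secret }}",
        "secret": "constructed-secret-value",
    }
    template = "Hello {{ name }}"
    return {
        "vulnerable": render_vulnerable(template, context),
        "fixed": render_fixed(template, context),
        "flagged": contains_expression(context["name"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the vulnerable path the submitter's field value becomes an expression and resolves to the secret; in the fixed path the same input is rendered literally, and `contains_expression` gives an independent place to reject or alert on such input before it reaches any evaluator.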
Read at SecurityWeek