Description
n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613. An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Published: 2026-02-25
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

n8n is an open-source workflow automation platform that evaluates user-supplied expressions to produce dynamic workflow values. Prior to v2.10.1, v2.9.3 and v1.123.22, crafted expressions could escape the expression sandbox, so the evaluator did not properly isolate what those expressions could reach. As a result, an authenticated user with the ability to create or modify workflows can place a malicious expression in a workflow parameter that causes the n8n process to execute arbitrary system commands on the host. The flaw is classified as code injection (CWE-94) and lets an attacker run commands with the privileges of the n8n process.

Affected Systems

The affected product is n8n, developed by n8n-io. All releases older than 2.10.1, 2.9.3 and 1.123.22 are vulnerable. n8n runs on multiple operating systems, so any unpatched deployment is susceptible regardless of platform.

Risk and Exploitability

The CVSS v4.0 base score of 9.4 indicates high severity once an attacker is authenticated. The EPSS score is below 1% and the issue is not currently listed in CISA KEV, suggesting a low immediate exploitation probability. An attacker must first obtain a user account with workflow creation or editing rights, typically via the web interface or API, in order to supply a malicious expression. Once that expression is evaluated, the injected command runs with the same privileges as the n8n service. While the current exploitation likelihood is low, the potential impact is significant.

Generated by OpenCVE AI on April 18, 2026 at 10:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade n8n to version 2.10.1, 2.9.3, or 1.123.22 or later to obtain the vendor patch.
  • Limit workflow creation and editing permissions to fully trusted users only, ensuring that only privileged accounts can modify expressions.
  • Deploy n8n in a hardened environment with restricted operating-system privileges and network isolation to reduce the potential impact of any future exploitation.
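The first recommended action hinges on which release line an instance is on: a 1.x install is patched at 1.123.22, a 2.9.x install at 2.9.3, and 2.10.x or later at 2.10.1, while 2.0 through 2.8 have no patched point release of their own. The following triage helper is an added example, not code from OpenCVE or the n8n project; it encodes exactly those thresholds from the advisory, treats pre-release builds (e.g. "2.10.1-rc.1") as preceding the final release, and assumes (labelled in the code) that a 3.x or later release postdates the fix. The inventory at the bottom is constructed sample data.

```python
"""
Added example (not part of the OpenCVE record or the n8n project): a small
triage helper that decides whether an installed n8n version is still exposed
to CVE-2026-27577, using only the patched releases named in the advisory
(2.10.1, 2.9.3 and 1.123.22). The inventory at the bottom is constructed
sample data.
"""
import re

# Patched releases from the advisory, keyed by the release line each one fixes.
FIXED_BY_LINE = {
    "1.x": (1, 123, 22),
    "2.9.x": (2, 9, 3),
    "2.10.x+": (2, 10, 1),
}

# Accepts "2.10.1", "v2.10.1", "2.10.1-rc.1" and "2.10.1+build.7".
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?P<pre>-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$"
)


def parse_version(text):
    """Parse a version string into a comparable tuple.

    The fourth element ranks pre-releases (0) below final releases (1), so
    "2.10.1-rc.1" sorts before "2.10.1" and is still treated as unpatched.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    is_final = 0 if m.group("pre") else 1
    return (major, minor, patch, is_final)


def required_fix(version):
    """Return the patched release that an install on this line must reach.

    Returns None when the version is on a line newer than any fixed release
    (assumption: a 3.x or later release postdates the fix).
    """
    major, minor = version[0], version[1]
    if major <= 1:
        return FIXED_BY_LINE["1.x"]          # 0.x and 1.x: patched at 1.123.22
    if major == 2:
        if minor >= 10:
            return FIXED_BY_LINE["2.10.x+"]  # 2.10.1 and every later 2.x minor
        # 2.0 through 2.9: the first patched release within reach is 2.9.3
        return FIXED_BY_LINE["2.9.x"]
    return None


def is_vulnerable(version_text):
    """True if the given n8n version predates the patched release for its line."""
    version = parse_version(version_text)
    fix = required_fix(version)
    if fix is None:
        return False
    return version < fix + (1,)  # the fixed releases are final builds


def triage(inventory):
    """Map host -> version to the sorted list of hosts that still need the patch."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed sample inventory for illustration only.
    sample = {
        "n8n-prod-1": "2.10.0",
        "n8n-prod-2": "v2.10.1",
        "n8n-staging": "2.9.3",
        "n8n-legacy": "1.123.21",
        "n8n-canary": "2.11.0-rc.2",
    }
    for host in triage(sample):
        target = ".".join(map(str, required_fix(parse_version(sample[host]))))
        print(f"{host}: {sample[host]} is affected; upgrade to {target} or later")
```

Feed `triage()` the version strings reported by each instance (for example from the n8n settings page or the container image tag) and it returns only the hosts that still sit below the patched release for their line; the second recommended action (restricting workflow editing rights) remains the interim control for those hosts until they are upgraded.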

Advisories

Source: GitHub GHSA
ID: GHSA-vpcf-gvg4-6qwr
Title: n8n: Expression Sandbox Escape Leads to RCE

History

Wed, 04 Mar 2026 14:15:00 +0000
  Type: Metrics
  Values Removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Values Added: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Wed, 04 Mar 2026 03:45:00 +0000
  Type: CPEs
  Values Added: cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
  Type: Metrics
  Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 27 Feb 2026 00:15:00 +0000
  Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000
  Type: First Time appeared
  Values Added: N8n, N8n n8n
  Type: Vendors & Products
  Values Added: N8n, N8n n8n

Wed, 25 Feb 2026 22:45:00 +0000
  Type: Description
  Values Added: n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613. An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
  Type: Title
  Values Added: n8n: Expression Sandbox Escape Leads to RCE
  Type: Weaknesses
  Values Added: CWE-94
  Type: References
  Values Added: (none)
  Type: Metrics
  Values Added: cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T20:14:30.327Z

Reserved: 2026-02-20T17:40:28.449Z

Link: CVE-2026-27577

Vulnrichment

Updated: 2026-02-26T20:14:23.788Z

NVD

Status: Analyzed

Published: 2026-02-25T23:16:21.387

Modified: 2026-03-04T14:00:14.260

Link: CVE-2026-27577

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses