Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials

Researchers disclosed two now-patched critical vulnerabilities in the n8n workflow automation platform: a sandbox escape in the expression compiler and an unauthenticated expression evaluation in Form nodes, which together could allow arbitrary command execution. n8n released fixes in versions 2.10.1, 2.9.3, and 1.123.22 and recommends restricting workflow permissions, disabling the affected nodes, or using hardened deployments as temporary mitigations. #CVE-2026-27577 #CVE-2026-27493

Keypoints

  • Two critical bugs—CVE-2026-27577 (sandbox escape leading to RCE) and CVE-2026-27493 (unauthenticated expression evaluation via Form nodes)—were disclosed and patched.
  • CVE-2026-27493 can be exploited without authentication by submitting crafted input to public Form endpoints, such as a “Contact Us” Name field.
  • Chaining the form injection with the sandbox escape can escalate to full remote code execution and exposure of the N8N_ENCRYPTION_KEY to decrypt stored credentials.
  • n8n fixed these issues in releases 2.10.1, 2.9.3, and 1.123.22 and also addressed related critical flaws CVE-2026-27495 and CVE-2026-27497.
  • Until patching, recommended mitigations include limiting workflow creation/editing to trusted users, disabling Form/FormTrigger/Merge nodes via NODES_EXCLUDE, or using external runner mode and hardened deployments.

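A small triage helper for the fixed releases and the NODES_EXCLUDE mitigation listed above, written as an added example rather than taken from n8n or the advisory. It assumes that releases newer than the three listed ones carry the fix, that NODES_EXCLUDE holds a JSON array string, and that the Form, Form Trigger and Merge node types are named in n8n's `n8n-nodes-base.<name>` style (confirm those identifiers against your own install).

```python
import json
import re

# Fixed releases listed in the advisory, keyed by release branch.
FIXED = {(2, 10): (2, 10, 1), (2, 9): (2, 9, 3), (1,): (1, 123, 22)}

# Node types to disable as a temporary mitigation. Assumption: n8n names them
# "n8n-nodes-base.<name>"; confirm the identifiers against your own install.
MITIGATION_NODES = ["n8n-nodes-base.form", "n8n-nodes-base.formTrigger", "n8n-nodes-base.merge"]


def parse_version(text):
    """Turn '2.10.1' or 'v2.10.1-rc1' into a (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_patched(text):
    """True if the version is at or above the fixed release of its branch.
    Assumption: releases newer than those listed (2.11+, 3.x) inherit the fix."""
    major, minor, patch = parse_version(text)
    if major >= 3 or (major == 2 and minor >= 11):
        return True
    if major == 2:
        fixed = FIXED.get((2, minor))  # 2.0 - 2.8 have no fix; upgrading is required
        return fixed is not None and (major, minor, patch) >= fixed
    return major == 1 and (major, minor, patch) >= FIXED[(1,)]


def missing_excludes(nodes_exclude):
    """Given a NODES_EXCLUDE value (a JSON array string), return the mitigation
    nodes it does not yet exclude; an unset or malformed value counts as empty."""
    try:
        excluded = set(json.loads(nodes_exclude or "[]"))
    except (json.JSONDecodeError, TypeError):
        excluded = set()
    return [n for n in MITIGATION_NODES if n not in excluded]


def nodes_exclude_value():
    """The NODES_EXCLUDE value that disables all three nodes, as a JSON array string."""
    return json.dumps(MITIGATION_NODES)
```

Run `is_patched` against the version reported by your instance and `missing_excludes` against its current NODES_EXCLUDE to see which of the two interim measures still applies.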
Read More: https://thehackernews.com/2026/03/critical-n8n-flaws-allow-remote-code.html