[Security Vulnerability Alert] n8n has 4 major security vulnerabilities.

2026/3/10 ~ 2026/9/10

Forwarded from Taiwan Computer Network Crisis Management and Coordination Center: Cybersecurity Alert TWCERTCC-200-202602-00000016

n8n is an open-source workflow automation tool that connects various applications through a visual drag-and-drop interface, automating repetitive tasks without requiring code. Recently, n8n released a major cybersecurity advisory.

【CVE-2026-27495, CVSS: 9.4】 This vulnerability allows an authenticated attacker with permissions to create or modify workflows to exploit a flaw in the JavaScript task execution sandbox and execute arbitrary code outside the sandbox boundary.

【CVE-2026-27493, CVSS: 9.5】 This is a two-phase injection vulnerability. An unauthenticated attacker can inject and execute arbitrary n8n expressions through carefully crafted form data. If used in conjunction with the expression sandbox escape mechanism, it could lead to remote code execution on the n8n host.

【CVE-2026-27577, CVSS: 9.4】 This vulnerability allows an authenticated attacker with permissions to create or modify workflows to trigger unauthorized system commands on the n8n host using specially crafted workflow parameter expressions.

【CVE-2026-27498, CVSS: 9.0】 This vulnerability allows an authenticated attacker with permissions to create or modify workflows to chain git operations with the "read/write files from disk" node, resulting in remote code execution.

[Affected Platforms]
【CVE-2026-27495, CVE-2026-27493, CVE-2026-27577】 n8n versions prior to 1.123.22 (excluding 1.123.22); n8n versions from 2.0.0 up to 2.9.3 (excluding 2.9.3); n8n versions from 2.10.0 up to 2.10.1 (excluding 2.10.1)

【CVE-2026-27498】 n8n versions prior to 1.123.8 (excluding 1.123.8); n8n versions prior to 2.2.0 (excluding 2.2.0)

[Recommended Actions]
【CVE-2026-27495, CVE-2026-27493, CVE-2026-27577】 Please update to one of the following versions: n8n 1.123.22 and later, n8n ... versions 2.9.3 and later, and n8n 2.10.1 and later.

【CVE-2026-27498】 Please update to one of the following versions: n8n 1.123.8 and later, and n8n 2.2.0 and later.
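Because the affected ranges above span three release lines with different cut-off versions, checking an inventory of n8n instances by hand is error-prone. The following script is an added example, not part of the TWCERT advisory or of n8n itself: it encodes the version ranges exactly as the advisory states them and reports which CVEs apply to each instance. The hostnames and versions in the sample inventory are constructed, and the reading of the 2.x ranges as "the 2.x branch below the fixed version" is an assumption noted in the code.

```javascript
// Added example (not from the advisory): classify n8n versions against the
// affected ranges listed in TWCERTCC-200-202602-00000016.

// Parse "1.123.22", "v2.10.0" or "2.9.2-rc" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable n8n version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-way compare of two parsed versions.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges as [min inclusive, max exclusive], taken from the advisory.
// Assumption: "versions prior to 2.9.3" etc. refers to the 2.x branch, so the
// 2.x ranges start at 2.0.0 rather than overlapping the 1.x line.
const ADVISORIES = [
  {
    cves: ['CVE-2026-27495', 'CVE-2026-27493', 'CVE-2026-27577'],
    ranges: [
      { min: [0, 0, 0], max: [1, 123, 22] },   // before 1.123.22
      { min: [2, 0, 0], max: [2, 9, 3] },      // 2.0.0 up to 2.9.3 (exclusive)
      { min: [2, 10, 0], max: [2, 10, 1] },    // 2.10.0 up to 2.10.1 (exclusive)
    ],
  },
  {
    cves: ['CVE-2026-27498'],
    ranges: [
      { min: [0, 0, 0], max: [1, 123, 8] },    // before 1.123.8
      { min: [2, 0, 0], max: [2, 2, 0] },      // 2.0.0 up to 2.2.0 (exclusive)
    ],
  },
];

// Return the list of CVEs that apply to the given n8n version string.
function affectedCves(version) {
  const v = parseVersion(version);
  const hits = [];
  for (const adv of ADVISORIES) {
    const inRange = adv.ranges.some(
      (r) => cmp(v, r.min) >= 0 && cmp(v, r.max) < 0,
    );
    if (inRange) hits.push(...adv.cves);
  }
  return hits;
}

// Constructed sample inventory; hostnames and versions are made up.
const SAMPLE_INVENTORY = [
  { host: 'n8n-prod-01.example.internal', version: '1.123.7' },
  { host: 'n8n-prod-02.example.internal', version: '1.123.22' },
  { host: 'n8n-dev.example.internal', version: '2.9.2' },
  { host: 'n8n-lab.example.internal', version: '2.10.1' },
];

// Build a per-host report: which instances still need the advisory's update.
function report(inventory) {
  return inventory.map(({ host, version }) => {
    const cves = affectedCves(version);
    return { host, version, affected: cves.length > 0, cves };
  });
}

console.log(JSON.stringify(report(SAMPLE_INVENTORY), null, 2));
```

Feed `report()` the output of whatever inventory source you already keep (a CMDB export, container image tags, or the version string from each instance's settings page); a host is listed as affected only while its version sits inside one of the ranges the advisory names, so the boundary versions 1.123.22, 2.9.3 and 2.10.1 themselves come back clean.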

[Reference]
1. https://www.twcert.org.tw/tw/cp-169-10739-e7e58-1.html
