thehackernews.com 3/11/2026, 3:17:12 PM

Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials

CyberSIXT Evidence Panel
Primary Source: github.com
CISA KEV: Not in KEV
Patch: Patch Available

Cybersecurity researchers have disclosed two patched flaws in the n8n workflow automation platform that could allow remote code execution and exposure of stored credentials.

CVE-2026-27577 is a sandbox escape in the expression compiler: because of a missing case in the AST rewriter, an authenticated user could execute arbitrary commands on the host via crafted expressions in workflow parameters. CVE-2026-27493 is an unauthenticated expression evaluation vulnerability in n8n’s Form nodes that can be exploited by sending a payload through a public “Contact Us” form to run arbitrary shell commands.

The flaws could be chained to escalate to remote code execution on the host. Both CVE-2026-27577 and CVE-2026-27493 are addressed in the fixed versions 2.10.1, 2.9.3 and 1.123.22; n8n notes that the flaws affect both self-hosted and cloud deployments. Pillar Security warned that exploitation could read the N8N_ENCRYPTION_KEY and decrypt every credential stored in the database.

In addition, two further critical vulnerabilities, CVE-2026-27495 and CVE-2026-27497, could enable code execution via the JavaScript Task Runner sandbox and via the Merge node’s SQL mode. As short-term measures, running task runners in external mode and excluding the Merge node are among the recommended mitigations.
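As an added example (not code from the article or from n8n), the following Python triage helper checks a reported n8n version against the fixed releases named above and reports whether the short-term mitigations are set. The environment-variable names N8N_RUNNERS_MODE and NODES_EXCLUDE are n8n's documented settings rather than something the article cites, and the Merge node type string "n8n-nodes-base.merge" is an assumption.

```python
"""Triage helper for the n8n advisory above (added example, not n8n's code).

Fixed releases come from the advisory: 2.10.1, 2.9.3 and 1.123.22.
N8N_RUNNERS_MODE / NODES_EXCLUDE are n8n's documented settings (not from
the article); the Merge node type identifier below is assumed.
"""
import json
import os
import re

# Fixed releases from the advisory, keyed by the release branch they patch.
FIXED = {(1,): (1, 123, 22), (2, 9): (2, 9, 3), (2, 10): (2, 10, 1)}
MERGE_NODE = "n8n-nodes-base.merge"  # assumed node type identifier


def parse_version(text: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v') into an int tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str) -> bool:
    """True only when the version is at or above a listed fixed release.

    Releases the advisory does not cover (e.g. 2.0 to 2.8, or 0.x) are
    treated as unpatched; that is the conservative reading.
    """
    v = parse_version(version)
    if v[0] == 1:
        return v >= FIXED[(1,)]
    if v[0] == 2:
        if v[:2] == (2, 9):
            return v >= FIXED[(2, 9)]
        return v >= FIXED[(2, 10)]  # 2.10.x and later minors
    return v[0] > 2  # later major versions are assumed to carry the fix


def mitigation_status(env: dict) -> dict:
    """Report which short-term mitigations the environment enables."""
    try:
        excluded = json.loads(env.get("NODES_EXCLUDE", "[]"))
    except json.JSONDecodeError:
        excluded = []  # malformed setting counts as 'nothing excluded'
    return {
        "external_runner": env.get("N8N_RUNNERS_MODE", "").lower() == "external",
        "merge_node_excluded": MERGE_NODE in excluded,
    }


if __name__ == "__main__":
    ver = os.environ.get("N8N_VERSION", "1.123.21")  # constructed default
    print(ver, "patched" if is_patched(ver) else "UNPATCHED", mitigation_status(dict(os.environ)))
```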


Article by CyberSIXT