Researchers at Pillar Security have identified two new critical vulnerabilities affecting self-hosted and cloud n8n deployments: a zero-click, unauthenticated flaw and a sandbox-escape issue. The zero-click flaw, tracked as CVE-2026-27493 with a CVSS v4.0 score of 9.5, allows an attacker to execute arbitrary shell commands without authentication through a public form endpoint.
The separate sandbox-escape vulnerability, CVE-2026-27577, carries a reported CVSS score of 9.4 and allows an authenticated attacker to achieve full remote code execution. Pillar Security warned that because n8n acts as a credential vault, a single sandbox escape could expose the credentials of every connected system, and on multi-tenant deployments the risk extends across tenants.
Pillar Security reported the initial flaws in December 2025, prompting n8n to issue a patch, followed by nine further fixes in early 2026. Users are advised to update to version 2.10.1, 2.9.3 or 1.123.22 and, if a vulnerable workflow is present, to rotate all stored credentials, since the N8N_ENCRYPTION_KEY could have been exposed. According to Pillar Security, the double-evaluation bug in Form nodes enables exposure of sensitive data and complete takeover of affected instances.
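The "double evaluation" bug class mentioned above, shown with a constructed template expander: a template is expanded once, and the result (which now carries untrusted form input verbatim) is expanded a second time, so expression syntax smuggled in through the form gets resolved against the workflow's context. This is added example code, not n8n's implementation and not Pillar Security's proof of concept; the `{{ ... }}` syntax, the `$json`/`$env` context names, the `expandOnce`, `renderVulnerable`, `renderSafe` and `containsExpression` functions, and the sample secret are all assumptions made for the illustration.

```javascript
// Constructed illustration of a double-evaluation template bug.
// Not n8n code: names, syntax and data below are assumptions for the example.

// Expression syntax assumed for the example: {{ path.to.value }}
const EXPR = /\{\{\s*([^{}]+?)\s*\}\}/g;
const EXPR_PROBE = /\{\{[^{}]+\}\}/; // non-global copy, safe for .test()

// Resolve a dotted path such as "$json.name" or "$env.API_KEY" against ctx.
function resolvePath(path, ctx) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), ctx);
}

// One expansion pass: replace every {{ path }} with its value from ctx.
// Values are inserted as plain text; this pass does NOT look inside them.
function expandOnce(template, ctx) {
  return template.replace(EXPR, (_, path) => {
    const value = resolvePath(path.trim(), ctx);
    return value === undefined ? '' : String(value);
  });
}

// VULNERABLE: the output of the first pass is fed through the expander again.
// Form input containing "{{ $env.API_KEY }}" is copied verbatim by pass one and
// resolved by pass two, leaking the secret into the rendered message.
function renderVulnerable(template, ctx) {
  const firstPass = expandOnce(template, ctx);
  return expandOnce(firstPass, ctx);
}

// HARDENED: expand exactly once. Substituted values are never re-scanned, so
// expression syntax arriving inside untrusted data stays inert text.
function renderSafe(template, ctx) {
  return expandOnce(template, ctx);
}

// Detection aid: flag any form field that carries expression syntax at all.
// Legitimate form submissions rarely contain template delimiters.
function containsExpression(value) {
  return EXPR_PROBE.test(String(value));
}

// Constructed context: a hostile form submission plus the environment the
// workflow runs in (the secret the submitter must never see).
const ctx = {
  $json: { name: '{{ $env.API_KEY }}' }, // attacker-controlled form field
  $env: { API_KEY: 'sk-live-EXAMPLE' },   // constructed secret, not real
};
const template = 'Hello {{ $json.name }}, your request was received.';

function demo() {
  return {
    vulnerable: renderVulnerable(template, ctx),
    safe: renderSafe(template, ctx),
    suspiciousInput: containsExpression(ctx.$json.name),
  };
}

console.log(demo());
```

The fix is structural rather than a filter: render untrusted data in one pass and never pass rendered output back through the expander. If a design genuinely needs nested templates, escape the delimiters in every substituted value before the next pass, and treat form fields that trip `containsExpression` as worth logging, since they are the signature of an attempt against this bug class.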