A critical sandbox escape vulnerability in the n8n AI workflow automation platform could allow attackers to execute arbitrary commands on the server, according to Pillar Security. Tracked as CVE-2026-25049 and rated CVSS 9.4, the issue lies in how the n8n sandbox sanitises JavaScript expressions. Pillar found that the sandbox could be bypassed using template literals, arrow functions and certain stack frame objects to obtain references to real global objects, enabling command execution and ultimately server compromise.
The attack could grant access to environment variables, stored credentials, API and cloud keys, OAuth tokens and configuration files, allowing attackers to hijack AI pipelines and reach internal services on n8n cloud instances. n8n released a fix in version 2.4.0, and users were advised to update as soon as possible; Pillar noted that the initial patches could be bypassed, which prompted this further update.