BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

n8n Flaws Let Authenticated Users Achieve Remote RCE Exposed

High-severity sandbox-escape vulnerabilities in n8n (CVE-2026-1470, CVE-2026-0863) allow authenticated RCE via JavaScript and Python; upgrade to patched releases and avoid internal task execution.

  • n8n contains two Sandbox-escape flaws that can lead to remote code execution for authenticated users.
  • One issue, CVE-2026-1470, scores 9.9 and targets the JavaScript Expression sandbox.
  • CVE-2026-0863 scores 8.5 and bypasses the python-task-executor sandbox to run Python code.
  • Users should upgrade to patched releases listed by the vendor and avoid running in internal task-execution mode; guidance is in the Hosting/configuration/task-runners/”>task runners documentation.

JFrog Security researchers disclosed two new vulnerabilities in the n8n workflow automation platform on Jan. 28, 2026, that allow authenticated users to escape sandboxing and execute code on host systems, including in some internal execution setups. The issues were reported with high severity and detailed in a technical write-up by JFrog Security Research.

- Advertisement -

The first flaw, CVE-2026-1470, is an eval injection in the JavaScript Expression sandbox with a CVSS score of 9.9. An authenticated attacker can submit crafted JavaScript that bypasses the Expression sandbox mechanism and achieve remote code execution on the main n8n node.

The second flaw, CVE-2026-0863, is an eval injection against the python-task-executor sandbox with a CVSS score of 8.5. This vulnerability can let an authenticated user run arbitrary Python on the underlying operating system.

“As n8n spans an entire organization to automate AI workflows, it holds the keys to core tools, functions, and data from infrastructure, including LLM APIs, sales data, and internal IAM systems, among others,” JFrog wrote in its disclosure. The vendor warned that sandbox escapes can effectively give an attacker broad access.

Patches are available; affected users are advised to upgrade to the fixed releases. For CVE-2026-1470 install 1.123.17, 2.4.5, or 2.5.1. For CVE-2026-0863 install 1.123.14, 2.3.5, or 2.4.2.

- Advertisement -

“These vulnerabilities highlight how difficult it is to safely sandbox dynamic, high‑level languages such as JavaScript and Python,” said researcher Nathan Nehorai. “In this case, deprecated or rarely used constructs, combined with interpreter changes and exception handling behavior, were enough to break out of otherwise restrictive sandboxes and achieve remote code execution.”

The disclosure follows another maximum-severity n8n flaw (CVE-2026-21858, “Ni8mare”) reported weeks earlier. Users should review task-runner configuration and apply updates promptly; n8n documentation recommends using external execution mode for production.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

WordPress core hit by zero-click RCE bug, patch now live

WordPress patched a pre-authentication remote code execution flaw in versions 6.9.5 and 7.0.2 on...

ECB: Stablecoin growth puts European bank deposits at risk

ECB board member Piero Cipollone warned Friday that stablecoin growth could strip European banks...

Tesla Launches Megacharger Network with Bloomington Station

Tesla opened a new public Megacharger station in Bloomington, California, calling it the start...

Apple Overtakes Nvidia as World’s Most Valuable Public Company

Apple briefly surpassed NVIDIA as the world’s most valuable publicly traded company, hitting an...

Galaxy Digital buys naming rights to Texas Tech stadium in 15-year deal

Galaxy Digital signed a 15-year naming rights deal with Texas Tech, renaming the football...

Must Read

9 DePIN Programs For Passive Income

Here’s something most people don’t realize: your smartphone and PC can generate passive income with almost no effort.I’m not talking about clicking ads for...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading