High-Severity n8n Vulnerability Allows Authenticated Users to Escape Python Sandbox and Execute Arbitrary Code

CVE-2026-0863 is a high-severity sandbox escape vulnerability affecting the Python execution environment in n8n, an open-source workflow automation platform. The issue allows an authenticated but low-privileged user to escape the intended Python sandbox and execute arbitrary system-level commands.

The vulnerability fundamentally breaks the trust boundary between workflow logic and the host execution environment, turning a legitimate automation feature into a potential remote code execution vector.


Affected Component

  • n8n Python Code execution feature
  • Specifically, the Python sandbox used by Code nodes
  • Affects deployments where Python execution is enabled (internal or external execution mode)

Root Cause Analysis

The vulnerability is caused by insufficient sandbox hardening in the Python execution environment.

Key technical issues include:

  1. Improper restriction of Python built-ins
    • Certain dangerous built-ins and object attributes remain indirectly accessible
    • Examples include introspection paths through exception handling and string formatting
  2. Abuse of Python object model
    • Python allows traversal of internal object attributes such as:
      • __class__
      • __mro__
      • __subclasses__
    • These can be chained to locate powerful classes like file handlers or process execution primitives
  3. Sandbox trust in user-controlled code
    • The sandbox assumes users will not intentionally attempt object graph traversal
    • No effective runtime enforcement prevents escaping into unrestricted Python runtime
  4. Lack of syscall-level isolation in internal mode
    • When running in internal execution mode, escaped code executes directly on the host OS

In short:
The sandbox is logical, not enforceable, and Python’s reflective nature allows it to be bypassed.


Attack Prerequisites

  • Valid authentication to the n8n instance
  • Ability to create or modify workflows
  • Access to a Python Code node
  • No administrator privileges required

This makes the vulnerability especially dangerous in multi-user environments.


Attack Flow (High Level)

  1. Attacker logs into n8n with a normal user account
  2. Creates or edits a workflow containing a Python Code node
  3. Crafts Python code that abuses object introspection
  4. Escapes the sandbox into unrestricted Python execution
  5. Executes system commands or reads sensitive files
  6. Gains persistence or pivots further into the environment

Impact

Internal Execution Mode

  • Full host compromise
  • Arbitrary OS command execution
  • Access to environment variables, credentials, and filesystem
  • Potential lateral movement within the network

External / Containerized Execution

  • Arbitrary code execution inside the execution container
  • Container escape possible depending on Docker configuration
  • Data exfiltration and workflow manipulation still possible

Proof-of-Concept (Educational Explanation Only)

This section is conceptual and non-weaponized.
No exploit code is provided.

The exploitation relies on chaining Python objects to regain access to restricted functionality:

  • Start from a harmless object (e.g., string or exception)
  • Traverse its class hierarchy
  • Enumerate subclasses to locate sensitive classes
  • Invoke file I/O or process execution indirectly

This technique is well-known in Python sandbox bypass research and demonstrates why Python is extremely difficult to sandbox safely.


Indicators of Compromise (IoCs)

Application-Level Indicators

  • Python Code nodes containing:
    • Excessive use of __ (dunder) attributes and methods
    • Exception manipulation
    • Unexpected string formatting logic
  • Workflows modified by non-admin users that suddenly perform system-level actions

System-Level Indicators

  • Unexpected child processes spawned by n8n
  • Shell utilities executed by the n8n runtime user
  • New files written outside normal workflow directories
  • Outbound network connections initiated by n8n

Detection Strategies

1. Log-Based Detection

Monitor n8n logs for:

  • Python execution errors followed by successful workflow runs
  • Abnormal execution times in Code nodes
  • Repeated workflow edits by the same user

2. Behavioral Detection (Host)

Create alerts for:

  • n8n spawning shells or system utilities
  • n8n accessing sensitive paths such as:
    • /etc/
    • /proc/
    • SSH keys
    • Cloud credential files

3. Workflow Integrity Monitoring

  • Track changes to workflows containing Python Code nodes
  • Alert when non-admin users modify Python logic
  • Version-diff workflows automatically

Example Detection Rules (Technical)

Process Execution Detection (Generic)

IF parent_process == n8n
AND child_process IN (sh, bash, python, curl, wget)
THEN alert

File Access Monitoring

IF process == n8n
AND file_path MATCHES (/etc/* OR ~/.ssh/* OR /root/*)
THEN alert

Workflow Content Heuristic

Flag workflows containing:

  • Multiple __ attribute references
  • Dynamic attribute access patterns
  • Unusual exception handling blocks
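
The content heuristic above can be applied to exported workflow JSON by parsing each Python Code node with Python's ast module rather than matching raw text. This is an added example, not code from n8n or from the original advisory; the export layout (a "nodes" list whose Code nodes keep their source in parameters["pythonCode"]), the threshold of 2 and the sample workflow are assumptions made for illustration.

```python
import ast
import json
import re

DUNDER = re.compile(r"__[A-Za-z]\w*__")
DYNAMIC_CALLS = {"getattr", "setattr", "vars"}  # dynamic attribute access helpers
THRESHOLD = 2  # "multiple" references; tune against your own workflows

def scan_python_source(source):
    """Return sorted (line, kind, detail) findings for one Code node's source."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [(exc.lineno or 0, "unparseable", exc.msg)]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and DUNDER.fullmatch(node.attr):
            findings.append((node.lineno, "dunder-attr", node.attr))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id in DYNAMIC_CALLS):
            findings.append((node.lineno, "dynamic-access", node.func.id))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Dunder names inside strings: format fields or getattr arguments.
            for name in DUNDER.findall(node.value):
                findings.append((node.lineno, "dunder-in-string", name))
    return sorted(findings)

def scan_workflow(workflow):
    """Map node name -> findings for Python nodes at or above THRESHOLD."""
    flagged = {}
    for node in workflow.get("nodes", []):
        # Assumption: Python source is stored in parameters["pythonCode"].
        code = node.get("parameters", {}).get("pythonCode")
        if isinstance(code, str):
            findings = scan_python_source(code)
            if len(findings) >= THRESHOLD:
                flagged[node.get("name", "<unnamed>")] = findings
    return flagged

# Constructed sample export: one ordinary node, one that trips the heuristic.
SAMPLE = json.loads(r'''{"nodes": [
  {"name": "Normalize", "parameters": {"pythonCode": "out = [i.upper() for i in names]\nreturn out"}},
  {"name": "Odd", "parameters": {"pythonCode": "k = value.__class__\nm = k.__mro__\nv = getattr(value, label)\nt = '{0.__class__}'"}}
]}''')

if __name__ == "__main__":
    for name, hits in scan_workflow(SAMPLE).items():
        print(name, hits)
```

Hits are triage input for workflow review, since legitimate code can also reference dunder attributes; pair them with the workflow change tracking described under Workflow Integrity Monitoring.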

Mitigation and Hardening

Immediate Actions

  • Disable Python Code nodes if not strictly required
  • Restrict workflow creation permissions
  • Separate trusted and untrusted users

Long-Term Security Controls

  • Run n8n only in hardened container environments
  • Use strict AppArmor / SELinux profiles
  • Apply network egress restrictions
  • Treat workflow logic as untrusted code

Patch / Upgrade

Upgrade to the fixed version of n8n, in which the Python sandbox restrictions have been strengthened.

Official upgrade and release notes:
https://docs.n8n.io/release-notes/


Final Assessment

CVE-2026-0863 highlights a critical truth:

Python cannot be safely sandboxed using logic alone.

Any platform allowing user-supplied Python code must assume host compromise unless strong OS-level isolation is enforced.