n8n is a popular workflow automation platform that gives technical teams the flexibility of code with the speed of no-code. With 400+ integrations, native AI capabilities, and a fair-code license, n8n lets you build powerful automations while maintaining full control over your data and deployments.
However, security teams managing n8n deployments need to be on high alert this week: three critical vulnerabilities, each carrying a CVSSv4 score of 9.4, have been disclosed that could allow an attacker to fully compromise affected servers.
All three flaws require the attacker to be an authenticated user with permission to create or modify workflows. If those conditions are met, the impacts are devastating:
- CVE-2026-27497 (CVSSv4 9.4) – Remote Code Execution via Merge Node: An attacker could leverage the Merge node’s SQL query mode to execute arbitrary code and write arbitrary files directly on the n8n server.
- CVE-2026-27577 (CVSSv4 9.4) – Expression Sandbox Escape Leading to RCE: Following the patch for an earlier flaw (CVE-2025-68613), additional bypasses of n8n's expression evaluation sandbox have been identified. An attacker could use crafted expressions in workflow parameters to trigger system command execution on the host running n8n.
- CVE-2026-27495 (CVSSv4 9.4) – Sandbox Escape in JavaScript Task Runner: This vulnerability exists in the JavaScript Task Runner sandbox and allows an attacker to execute arbitrary code outside the sandbox boundary. On instances using internal Task Runners (which is the default runner mode), this could result in full compromise of the n8n host. On instances using external Task Runners, the attacker might gain access to or impact other tasks executed on the Task Runner. Note that this is only exploitable if Task Runners are enabled using N8N_RUNNERS_ENABLED=true.
The n8n team has addressed these issues. Upgrade to one of the following versions, or any later release in the same line, to remediate all three vulnerabilities:
- 2.10.1
- 2.9.3
- 1.123.22
If upgrading is not immediately possible, administrators can apply the following temporary mitigations. None of them fully remediates the risk; they are short-term measures to buy time until the upgrade is done:
- Limit workflow creation and editing permissions to fully trusted users only.
- For CVE-2026-27497: Disable the Merge node by adding n8n-nodes-base.merge to the NODES_EXCLUDE environment variable. Note that NODES_EXCLUDE expects a JSON array as its value (a string such as ["n8n-nodes-base.merge"], alongside any nodes already excluded), and that workflows which use the Merge node will no longer run while it is excluded.
- For CVE-2026-27577: Deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation.
- For CVE-2026-27495: Use external runner mode (N8N_RUNNERS_MODE=external) to limit the blast radius. This confines exploitation to the separate runner process rather than the n8n host itself, but, as noted above, other tasks executed on that runner can still be affected.
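To check an instance against the advisory before and after applying the workarounds, the following audit script is an added example (it is not n8n's code and not part of the advisory). It reads only the settings the advisory names: the running n8n version, NODES_EXCLUDE, N8N_RUNNERS_ENABLED and N8N_RUNNERS_MODE. Two assumptions are made: "these versions or later" is read per release line (1.x needs 1.123.22 or later, 2.9.x needs 2.9.3 or later, 2.10.x and later lines need 2.10.1 or later, and 2.0 to 2.8 have no fixed release), and the built-in default of N8N_RUNNERS_ENABLED is not guessed because it differs between versions. The environment dictionaries in the usage section are constructed for illustration.

```python
"""Audit an n8n instance's version and environment against the three CVEs.

Added example, not n8n's own tooling. Feed it the version string reported
by the instance and its environment variables (e.g. os.environ, a parsed
.env file, or the Env section of `docker inspect`).
"""
import json
import re
from typing import Dict, List, Optional, Tuple

MERGE_NODE = "n8n-nodes-base.merge"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; a leading 'v' and any suffix are ignored."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised n8n version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_patched(version: str) -> bool:
    """True if the version is at or past a fixed release from the advisory.

    Assumption: fixed versions apply per release line, so 1.x needs
    >= 1.123.22, 2.9.x needs >= 2.9.3, 2.10.x and later 2.x lines need
    >= 2.10.1, and 2.0-2.8 have no fixed release at all.
    """
    v = parse_version(version)
    major, minor, _ = v
    if major >= 3:
        return True
    if major == 2:
        if minor >= 10:
            return v >= (2, 10, 1)
        if minor == 9:
            return v >= (2, 9, 3)
        return False
    if major == 1:
        return v >= (1, 123, 22)
    return False


def excluded_nodes(env: Dict[str, str]) -> List[str]:
    """Node types disabled via NODES_EXCLUDE (n8n expects a JSON array string).

    Anything that is not a JSON array of strings is treated as excluding
    nothing, so a misformatted value (e.g. a bare node name) is reported
    as a gap rather than silently accepted.
    """
    raw = env.get("NODES_EXCLUDE", "").strip()
    if not raw:
        return []
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return []
    if not isinstance(parsed, list):
        return []
    return [item for item in parsed if isinstance(item, str)]


def runners_enabled(env: Dict[str, str]) -> Optional[bool]:
    """N8N_RUNNERS_ENABLED as a bool, or None when not set explicitly."""
    raw = env.get("N8N_RUNNERS_ENABLED")
    if raw is None:
        return None
    return raw.strip().lower() == "true"


def audit(version: str, env: Dict[str, str]) -> List[str]:
    """Return one finding per CVE (plus a version line) for an instance."""
    findings: List[str] = []
    if is_patched(version):
        findings.append(f"OK: n8n {version} is at or past a fixed release; no workaround needed")
        return findings
    findings.append(f"UNPATCHED: n8n {version} is affected; upgrade to 2.10.1, 2.9.3 or 1.123.22 or later")

    # CVE-2026-27497: Merge node RCE. The only workaround is to unload the node.
    if MERGE_NODE in excluded_nodes(env):
        findings.append("CVE-2026-27497: Merge node is excluded via NODES_EXCLUDE (workaround in place)")
    else:
        findings.append(f"CVE-2026-27497: Merge node is loaded; set NODES_EXCLUDE to a JSON array containing {MERGE_NODE!r}")

    # CVE-2026-27577: expression sandbox escape. No configuration switch removes it;
    # only OS-level privilege and network restrictions limit the impact.
    findings.append("CVE-2026-27577: no configuration workaround; restrict OS privileges and network egress of the n8n process until patched")

    # CVE-2026-27495: task runner sandbox escape. Only reachable with runners enabled;
    # internal mode exposes the host, external mode only the runner process.
    enabled = runners_enabled(env)
    mode = env.get("N8N_RUNNERS_MODE", "internal").strip().lower()
    if enabled is False:
        findings.append("CVE-2026-27495: task runners disabled (N8N_RUNNERS_ENABLED=false); not exploitable")
    elif mode == "external":
        findings.append("CVE-2026-27495: external runner mode limits impact to the runner process, but other tasks on that runner remain exposed")
    else:
        state = "enabled" if enabled else "not explicitly set (check the default for this version)"
        findings.append(f"CVE-2026-27495: task runners {state} in internal mode; set N8N_RUNNERS_MODE=external or upgrade")
    return findings


if __name__ == "__main__":
    # Constructed environments for illustration: a bare unpatched instance and one
    # with both workarounds applied.
    for ver, env in [
        ("2.10.0", {"N8N_RUNNERS_ENABLED": "true"}),
        ("2.9.2", {"NODES_EXCLUDE": '["n8n-nodes-base.merge"]',
                   "N8N_RUNNERS_ENABLED": "true", "N8N_RUNNERS_MODE": "external"}),
    ]:
        print("\n".join(audit(ver, env)), end="\n\n")
```

Run it against the real environment with `audit(version, dict(os.environ))`; a line starting with OK means no workaround is needed, while every other line names the CVE it concerns so the output can be pasted straight into a ticket.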