Platform: nodejs
Component: n8n
Fixed in: 1.123.23, 2.0.1, 2.10.1, 1.123.22
CVE-2026-27493 describes a critical second-order expression injection vulnerability discovered in n8n, a workflow automation platform. This flaw allows an unauthenticated attacker to inject and evaluate arbitrary n8n expressions, potentially escalating to remote code execution (RCE) on the n8n host. The vulnerability impacts versions of n8n prior to 1.123.22 and requires a specific workflow configuration to be exploited. A fix is available in version 1.123.22.
The impact of CVE-2026-27493 is severe due to its potential for remote code execution. An attacker can exploit this vulnerability by crafting malicious form data that includes an expression starting with an equals sign (=). This injected expression is then evaluated by n8n, allowing the attacker to execute arbitrary code on the server hosting the n8n instance. Successful exploitation could lead to complete system compromise, including data theft, modification, or destruction. The vulnerability's reliance on a specific workflow configuration (form node with user-provided input and interpolation) narrows the attack surface somewhat, but the potential for RCE remains a significant threat. The ability to chain this with an expression sandbox escape further amplifies the risk, enabling more direct code execution.
CVE-2026-27493 was publicly disclosed on 2026-02-25. As of this writing, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not currently listed on CISA KEV. The CVSS score of 9 (CRITICAL) indicates a high probability of exploitation if the vulnerability is exposed and exploitable workflows exist. The requirement for a specific workflow configuration may limit the immediate exploitability, but the potential for RCE warrants immediate attention.
Organizations heavily reliant on n8n for workflow automation, particularly those with publicly accessible forms or integrations that accept user-provided input, are at significant risk. Environments with legacy n8n configurations or those lacking robust input validation practices are especially vulnerable. Shared hosting environments where multiple users share the same n8n instance also face increased risk due to the potential for cross-tenant exploitation.
• nodejs / server: Monitor n8n logs for unusual expression execution patterns or errors related to expression parsing. Use `journalctl -u n8n` to filter for relevant log entries.
• nodejs / server: Check for unexpected processes running under the n8n user account using `ps aux | grep n8n`.
• generic web: Inspect n8n access logs for suspicious requests containing `=` characters in form parameters, particularly those targeting form submission endpoints. Use `curl -v <n8nformendpoint>` to test for injection.
• generic web: Review n8n configuration files for any insecure expression handling practices.
Disclosure
Exploit status:
EPSS: 0.23% (46th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-27493 is to upgrade to n8n version 1.123.22 or later. This version includes a fix that prevents the expression injection vulnerability. If upgrading immediately is not feasible, consider implementing temporary workarounds. Carefully review all workflow configurations, particularly those involving form nodes and user-provided input. Disable or modify workflows that utilize interpolation of user-supplied data, especially if the input is not properly validated. While a direct WAF rule is difficult to implement without deep inspection of n8n’s internal expression parsing, monitoring for unusual expression execution patterns in n8n logs can provide early warning signs of potential exploitation. There are no specific Sigma or YARA rules available at this time, but monitoring for unexpected process execution originating from the n8n process is recommended.
Upgrade n8n to version 2.10.1, 2.9.3, 1.123.22 or later. If upgrading is not immediately possible, manually review the use of form nodes for the preconditions described above, disable the Form node by adding `n8n-nodes-base.form` to the `NODES_EXCLUDE` environment variable, and/or disable the Form Trigger node by adding `n8n-nodes-base.formTrigger` to the `NODES_EXCLUDE` environment variable.
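The manual review step above can be scripted. The following is an added example (not n8n project code) that audits an exported n8n workflow JSON for the advisory's precondition: a Form or Form Trigger node whose parameters are expressions interpolating incoming data. It relies on n8n storing expression parameters as strings prefixed with `=`; the sample workflow and the `$json`/`$input` heuristic are constructed assumptions.

```javascript
// Added example: audit exported n8n workflow JSON for form nodes that interpolate
// upstream data. Not part of n8n; the sample workflow below is constructed.
const FORM_NODE_TYPES = new Set(['n8n-nodes-base.form', 'n8n-nodes-base.formTrigger']);

// Recursively collect expression-valued parameters that reference incoming data.
// n8n stores expression parameters as strings beginning with "=".
function findInterpolatedParams(value, path = []) {
  const hits = [];
  if (typeof value === 'string') {
    if (value.startsWith('=') && /\$json|\$input|\$\(/.test(value)) {
      hits.push({ path: path.join('.'), expression: value });
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findInterpolatedParams(v, [...path, String(i)])));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      hits.push(...findInterpolatedParams(v, [...path, k]));
    }
  }
  return hits;
}

// One finding per form node whose parameters interpolate upstream data;
// form nodes with only static parameters are not reported.
function auditWorkflow(workflow) {
  return (workflow.nodes || [])
    .filter((n) => FORM_NODE_TYPES.has(n.type))
    .map((n) => ({ node: n.name, type: n.type, params: findInterpolatedParams(n.parameters || {}) }))
    .filter((f) => f.params.length > 0);
}

// Constructed sample: a static Form Trigger, a Form node whose field label
// interpolates the submitted value, and a non-form node that should be ignored.
const sampleWorkflow = {
  nodes: [
    { name: 'Form Trigger', type: 'n8n-nodes-base.formTrigger', parameters: { formTitle: 'Signup' } },
    { name: 'Confirm', type: 'n8n-nodes-base.form',
      parameters: { formFields: { values: [{ fieldLabel: '=Hello {{ $json.name }}' }] } } },
    { name: 'Set', type: 'n8n-nodes-base.set', parameters: { value: '={{ $json.name }}' } },
  ],
};

const findings = auditWorkflow(sampleWorkflow);
for (const f of findings) {
  console.log(`[review] ${f.node} (${f.type}): ` +
    f.params.map((p) => `${p.path} = ${p.expression}`).join('; '));
}
```

Run it against each workflow exported from the instance; every reported node is a candidate to disable via `NODES_EXCLUDE` or to rework until the upgrade is applied.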
CVE-2026-27493 is a critical remote code execution vulnerability in n8n, allowing attackers to inject and execute arbitrary expressions through crafted form submissions.
You are affected if you are running n8n versions prior to 1.123.22 and have workflows configured with form nodes that interpolate user-provided input.
Upgrade to n8n version 1.123.22 or later. Review and secure workflows using user-provided input as a temporary workaround.
As of now, there are no confirmed reports of active exploitation, but the high CVSS score indicates a potential risk.
Refer to the official n8n security advisory on their website or GitHub repository for detailed information and updates.