Platform: nodejs
Component: n8n
Fixed in: 1.123.23, 2.0.1, 2.10.1, 1.123.22
CVE-2026-27495 is a Remote Code Execution (RCE) vulnerability affecting n8n, a workflow automation platform. An authenticated user with workflow creation/modification privileges can exploit a flaw in the JavaScript Task Runner sandbox to execute arbitrary code. This vulnerability poses a significant threat, potentially leading to full compromise of the n8n host, particularly when using the default internal Task Runner mode. Affected versions include those prior to 1.123.22; upgrade to a patched version to resolve the issue.
The core of the vulnerability lies within the JavaScript Task Runner sandbox. An attacker, already authenticated and possessing the ability to create or modify workflows, can craft malicious workflows that bypass the intended sandbox restrictions. This allows them to execute arbitrary code outside of the sandbox’s boundaries. The severity of the impact is directly tied to the Task Runner mode. When using the default internal Task Runner mode, the attacker gains complete control over the n8n host, enabling them to execute commands, access sensitive data, and potentially pivot to other systems on the network. Even with external Task Runners, the attacker can impact or gain access to other tasks executed on the Task Runner, representing a significant security risk. This vulnerability is particularly concerning given n8n's use in automating sensitive business processes.
CVE-2026-27495 was publicly disclosed on February 25, 2026. There is currently no indication of active exploitation in the wild, but the CRITICAL severity and ease of exploitation (requiring only authenticated access) warrant immediate attention. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet available, but the vulnerability's nature suggests that they are likely to emerge. Organizations should prioritize patching to prevent potential exploitation.
Organizations heavily reliant on n8n for workflow automation, particularly those using the default internal Task Runner configuration, are at significant risk. Environments where user access controls are not strictly enforced, allowing unauthorized users to create or modify workflows, are especially vulnerable.
• nodejs / server: `ps aux | grep '[n]8n'` Check for unusual processes running within the n8n environment.
• nodejs / server: `journalctl -u n8n -f | grep -i error` Monitor n8n logs for error messages or suspicious activity related to task execution.
• generic web: `curl -I http://<n8n_host>/ | grep -i 'n8n/1.123.22'` Verify the n8n version is patched (1.123.22 or later). Note that this grep only matches the exact string 1.123.22, so a later patched release will not match; compare the running version against the fixed versions listed above instead.
disclosure
Exploit status
EPSS: 0.08% (23rd percentile)
CISA SSVC
The primary mitigation for CVE-2026-27495 is to upgrade to a patched version of n8n. Versions 1.123.22, 2.9.3, and 2.10.1 contain the necessary fixes. If immediate upgrading is not feasible, consider disabling Task Runners entirely by setting N8N_RUNNERS_ENABLED=false. This will prevent the execution of JavaScript tasks but will also impact functionality that relies on them. As a temporary workaround, restrict user permissions to prevent users from creating or modifying workflows, limiting the attack surface. Monitor n8n logs for suspicious activity related to workflow execution and Task Runner processes. Implement a Web Application Firewall (WAF) with rules to detect and block malicious workflow payloads.
Update n8n to version 2.10.1, 2.9.3 or 1.123.22 or later. If an update is not possible right away, restrict the permissions to create and edit workflows to trusted users and/or use the external runner mode (`N8N_RUNNERS_MODE=external`) to limit the blast radius. Note that these workarounds do not fully mitigate the risk and should only be used as short-term damage-limitation measures.
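As an added example (not code from this advisory or from the n8n project), the following POSIX shell functions classify a deployment's exposure from its version and the two runner settings named above, for use in an inventory script. The fixed versions per release line are taken from the mitigation text (1.123.22 for 1.x, 2.9.3 for 2.9.x, 2.10.1 for 2.10.x); treating every other 2.x line as fixed only from 2.10.1 onward is an assumption, so confirm your exact line against the vendor advisory.

```shell
#!/bin/sh
# Added example, not part of the advisory or of n8n. Classifies exposure to
# CVE-2026-27495 from the running version plus N8N_RUNNERS_ENABLED and
# N8N_RUNNERS_MODE. Fixed versions per line come from the advisory text;
# treating other 2.x lines as fixed only from 2.10.1 is an assumption.

# ver_ge A B: true when plain numeric dotted version A is >= B.
# The smaller version sorts first, so if B comes first (or equal) then A >= B.
ver_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$2" ]
}

# n8n_patched VERSION: true when VERSION is at or past the fix for its line.
n8n_patched() {
  case "$1" in
    1.*)    ver_ge "$1" 1.123.22 ;;
    2.9.*)  ver_ge "$1" 2.9.3 ;;
    2.10.*) ver_ge "$1" 2.10.1 ;;
    2.*)    ver_ge "$1" 2.10.1 ;;   # assumption: no other 2.x fix is listed
    *)      return 1 ;;             # unknown line: treat as unpatched
  esac
}

# runner_exposure ENABLED MODE: what a sandbox escape would reach, using the
# advisory's defaults (runners enabled, internal mode) for empty values.
runner_exposure() {
  enabled=${1:-true}
  mode=${2:-internal}
  if [ "$enabled" = "false" ]; then
    echo "none (task runners disabled; JavaScript tasks will not run)"
  elif [ "$mode" = "external" ]; then
    echo "runner only (external mode; other tasks on the runner at risk)"
  else
    echo "n8n host (internal mode; full host compromise)"
  fi
}

# assess VERSION ENABLED MODE: one-line verdict per instance.
assess() {
  if n8n_patched "$1"; then
    echo "$1: patched"
  else
    echo "$1: VULNERABLE, reach = $(runner_exposure "$2" "$3")"
  fi
}

# Sample run with constructed values; feed it the real version and the
# service's N8N_RUNNERS_ENABLED / N8N_RUNNERS_MODE values instead.
assess 1.123.20 "" ""
assess 2.10.1 true external
```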
CVE-2026-27495 is a critical Remote Code Execution vulnerability in n8n, allowing authenticated users to execute arbitrary code through the JavaScript Task Runner sandbox.
You are affected if you are running n8n versions prior to 1.123.22 and have Task Runners enabled (default).
Upgrade n8n to version 1.123.22 or later. As a temporary workaround, disable Task Runners by setting N8N_RUNNERS_ENABLED=false.
While no public exploits are currently known, the vulnerability's ease of exploitation makes it a high-priority concern.
Refer to the official n8n security advisory on their website or GitHub repository for the latest information.