Platform: nodejs
Component: n8n
Fixed in: 1.123.23, 2.0.1, 2.10.1, 1.123.22
CVE-2026-27495 is a Remote Code Execution (RCE) vulnerability affecting n8n, a workflow automation platform. An authenticated user with workflow creation/modification privileges can exploit a flaw in the JavaScript Task Runner sandbox to execute arbitrary code. This vulnerability poses a significant threat, potentially leading to full compromise of the n8n host, particularly when using the default internal Task Runner mode. Affected versions include those prior to 1.123.22; upgrade to a patched version to resolve the issue.
The impact of CVE-2026-27495 is severe. An attacker who can create or modify workflows within an n8n instance can leverage this vulnerability to execute arbitrary code outside the intended sandbox boundary. In instances utilizing the default internal Task Runner mode, this could result in complete compromise of the n8n server, granting the attacker full control over the system. Even with external Task Runners, the attacker could potentially gain access to or impact other tasks executed on the Task Runner. The vulnerability requires the Task Runners to be enabled using the environment variable `N8N_RUNNERS_ENABLED=true`, which is the default configuration.
CVE-2026-27495 was publicly disclosed on 2026-02-25. The vulnerability's severity is rated as CRITICAL (CVSS 9.5). Currently, there are no publicly available exploits, but the ease of exploitation given authenticated access makes it a high-priority concern. It is not listed on the CISA KEV catalog as of this writing.
Exploit Status
EPSS: 0.08% (23rd percentile)
The primary mitigation for CVE-2026-27495 is to upgrade n8n to version 1.123.22 or later. If an immediate upgrade is not feasible, consider temporarily disabling Task Runners by setting the environment variable `N8N_RUNNERS_ENABLED=false`. This will prevent new workflow creation and modification, limiting the attack surface. Review existing workflows for suspicious code. Monitor n8n logs for unusual activity related to task execution. After upgrading, confirm the fix by attempting to create a workflow with a JavaScript Task Runner and verifying that the code executes within the intended sandbox.
Upgrade n8n to version 2.10.1, 2.9.3, or 1.123.22, or later. If upgrading is not immediately possible, limit workflow creation and editing permissions to trusted users, and/or use external runner mode (`N8N_RUNNERS_MODE=external`) to limit the blast radius. Note that these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
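The upgrade and workaround guidance above can be turned into a quick triage check per instance. This is an added example, not code from n8n or its advisory; the function names and status strings are hypothetical. It assumes the releases named in the guidance (1.123.22, 2.9.3, 2.10.1) are per-release-line thresholds, that unset variables take the defaults this page describes (runners enabled, internal mode), and it ignores pre-release suffixes.

```javascript
// Added example (not n8n project code): triage one instance for CVE-2026-27495.
// Assumption: the fixed releases named in the upgrade guidance are per-line
// thresholds (1.x -> 1.123.22, 2.9.x -> 2.9.3, everything else -> 2.10.1).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable n8n version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isPatched(version) {
  const v = parseVersion(version);
  if (v[0] === 1) return cmp(v, [1, 123, 22]) >= 0;
  if (v[0] === 2 && v[1] === 9) return cmp(v, [2, 9, 3]) >= 0;
  return cmp(v, [2, 10, 1]) >= 0;
}

// env is a plain object of environment variables. Unset values fall back to
// the defaults the advisory describes: runners enabled, internal mode.
function assess(version, env = {}) {
  if (isPatched(version)) return "patched";
  const enabled = (env.N8N_RUNNERS_ENABLED ?? "true").toLowerCase() !== "false";
  if (!enabled) return "unpatched-runners-disabled";
  const mode = (env.N8N_RUNNERS_MODE ?? "internal").toLowerCase();
  return mode === "external" ? "exposed-runner-only" : "exposed-host";
}

// Constructed inventory for illustration; not real hosts.
const inventory = [
  { host: "n8n-a", version: "1.123.21", env: {} },
  { host: "n8n-b", version: "2.9.2", env: { N8N_RUNNERS_MODE: "external" } },
  { host: "n8n-c", version: "2.10.1", env: {} },
];
for (const { host, version, env } of inventory) {
  console.log(`${host}\t${version}\t${assess(version, env)}`);
}
```

Any result other than "patched" still calls for an upgrade, since the workarounds are short-term measures only.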
CVE-2026-27495 is a critical Remote Code Execution vulnerability in n8n, allowing authenticated users to execute arbitrary code through the JavaScript Task Runner sandbox.
You are affected if you are running n8n versions prior to 1.123.22 and have Task Runners enabled (default).
Upgrade n8n to version 1.123.22 or later. As a temporary workaround, disable Task Runners by setting `N8N_RUNNERS_ENABLED=false`.
While no public exploits are currently known, the vulnerability's ease of exploitation makes it a high-priority concern.
Refer to the official n8n security advisory on their website or GitHub repository for the latest information.