Platform
nodejs
Component
n8n
Fixed in
1.123.9
2.0.1
1.123.8
CVE-2026-27498 is a remote code execution (RCE) vulnerability affecting n8n, a workflow automation platform. An authenticated user with sufficient permissions can chain the Read/Write Files from Disk node with git operations to execute arbitrary shell commands on the n8n host. This vulnerability impacts versions prior to 1.123.8 and 2.2.0, and a patch is available.
This vulnerability allows an authenticated attacker to gain complete control over the n8n server. By crafting malicious workflows that leverage the Read/Write Files from Disk node and subsequent git operations, an attacker can inject and execute arbitrary shell commands. The impact is significant, potentially leading to data breaches, system compromise, and complete takeover of the affected n8n instance. The ability to execute commands directly on the server bypasses typical security controls and represents a severe risk, especially in environments where n8n handles sensitive data or integrates with critical systems. Successful exploitation could allow an attacker to steal credentials, modify workflows, or even pivot to other systems on the network.
CVE-2026-27498 was publicly disclosed on 2026-02-25. There is no indication of active exploitation at this time, but the vulnerability's ease of exploitation and the potential impact warrant immediate attention. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the vulnerability description suggests a relatively straightforward exploitation path.
Exploit Status
EPSS
0.44% (63% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade n8n to version 1.123.8 or 2.2.0 or later. If immediate upgrading is not feasible, administrators should restrict user permissions to minimize the potential attack surface. Specifically, limit users' ability to create or modify workflows, and carefully review existing workflows for suspicious activity. Consider implementing a Web Application Firewall (WAF) with rules to detect and block malicious workflow configurations attempting to execute shell commands. Regularly audit n8n configurations and user permissions to ensure adherence to security best practices.
Update n8n to version 2.2.0 or later, or to version 1.123.8 or later. If updating is not immediately possible, limit workflow creation and editing permissions to trusted users only, or disable the Read/Write Files from Disk node by adding `n8n-nodes-base.readWriteFile` to the `NODES_EXCLUDE` environment variable. Note that these workarounds do not fully mitigate the risk and should only be used as short-term mitigation measures.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-27498 is a remote code execution vulnerability in n8n where an authenticated user can exploit file operations and git commands to execute arbitrary shell commands on the server.
You are affected if you are running n8n versions prior to 1.123.8 or 2.2.0. Verify your version and upgrade immediately if vulnerable.
Upgrade n8n to version 1.123.8 or 2.2.0 or later. As a temporary workaround, restrict user permissions to limit workflow creation and modification.
There is currently no public information indicating active exploitation, but the vulnerability's severity and potential impact warrant immediate remediation.
Refer to the official n8n security advisory for detailed information and updates: [https://n8n.io/security/advisories](https://n8n.io/security/advisories)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.