Platform
nodejs
Component
n8n
Fixed in
1.123.23
2.0.1
2.10.1
1.123.22
CVE-2026-27577 describes a Remote Code Execution (RCE) vulnerability discovered in n8n, a workflow automation platform. This vulnerability allows an authenticated user with permission to create or modify workflows to execute arbitrary system commands on the host running n8n. The vulnerability impacts versions prior to 2.10.1, 2.9.3, and 1.123.22, and a patch is available.
An attacker exploiting this vulnerability could gain complete control over the n8n server. This includes the ability to install malware, steal sensitive data, and potentially pivot to other systems on the network. The attack vector involves crafting malicious expressions within workflow parameters, which, when evaluated by n8n, trigger the execution of arbitrary system commands. This is similar in concept to previous expression evaluation vulnerabilities in n8n (CVE-2025-68613), highlighting a recurring risk in this area of the application. The blast radius extends to any data processed by the affected n8n instance, as well as any systems accessible from the compromised server.
This vulnerability was publicly disclosed on 2026-02-25. The severity is CRITICAL (CVSS 9.9). There is no indication of this being added to the CISA KEV catalog at this time. Public proof-of-concept exploits are not yet widely available, but the nature of the vulnerability suggests that they are likely to emerge. Given the ease of exploitation once a PoC is available, organizations should prioritize patching.
Exploit Status
EPSS
0.13% (33% percentile)
CISA SSVC
The primary mitigation for CVE-2026-27577 is to upgrade n8n to version 2.10.1, 2.9.3, or 1.123.22 or later. If immediate upgrading is not possible, consider restricting user permissions to prevent users from creating or modifying workflows. This limits the attack surface. Additionally, carefully review existing workflows for any suspicious expressions. While a WAF or proxy cannot directly prevent this vulnerability, it can help detect and block malicious requests. After upgrading, confirm the fix by attempting to create a workflow with a deliberately malicious expression (e.g., a command to list files) and verifying that it is rejected.
Actualice n8n a la versión 2.10.1, 2.9.3 o 1.123.22, o posterior. Si la actualización no es posible de inmediato, limite los permisos de creación y edición de flujos de trabajo a usuarios de confianza y/o implemente n8n en un entorno reforzado con privilegios restringidos del sistema operativo y acceso a la red.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-27577 is a critical Remote Code Execution vulnerability in n8n, allowing authenticated users to execute system commands through crafted workflow expressions.
You are affected if you are running n8n versions prior to 2.10.1, 2.9.3, or 1.123.22. Assess your n8n deployment immediately.
Upgrade n8n to version 2.10.1, 2.9.3, or 1.123.22 or later. As a temporary workaround, restrict user permissions to prevent workflow modification.
While no active exploitation has been publicly confirmed, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted.
Refer to the n8n security advisories on their GitHub repository: https://github.com/n8n-io/n8n/security/advisories
CVSS Vector
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.