Security researchers recently uncovered two critical vulnerabilities in the n8n automation platform that could allow authenticated users to execute malicious code remotely. By bypassing existing sandbox protections, these flaws give attackers the ability to seize control of an entire organization's workflow infrastructure and sensitive data.
The JFrog Security Research team identified these vulnerabilities as CVE-2026-1470 and CVE-2026-0863, which carry severity scores of 9.9 and 8.5 respectively. Both issues involve eval injection, a type of flaw where a system improperly handles code inputs. In the case of the more severe vulnerability, an attacker can use specifically designed JavaScript to break out of the expression sandbox and gain full control over the main n8n node. The second flaw allows for a similar escape within the Python task executor, enabling the running of unauthorized code on the host operating system.
Experts noted that these vulnerabilities are particularly dangerous because any user with platform access can exploit them to take over the entire instance. This poses a massive risk for companies using n8n to manage internal identity systems, sales information, and AI infrastructure. If an attacker successfully escapes the sandbox, they essentially gain a master key to the core tools and data the platform is designed to automate across the company.
The risk is even higher for organizations running n8n in internal execution mode, which lacks the necessary isolation between the platform and its task processes. While the software documentation recommends external mode for production environments to mitigate such risks, many instances remain vulnerable. This discovery follows closely behind another maximum-severity flaw reported earlier this month, suggesting a recurring challenge in securing automation platforms that execute dynamic languages.
Researchers highlighted that these flaws demonstrate the extreme difficulty of creating perfect sandboxes for languages like Python and JavaScript. Even when developers implement multiple layers of validation and restricted lists, obscure language features or changes in how a language interpreter behaves can be leveraged to break security barriers. In these specific cases, rarely used coding constructs and unique ways the system handles errors were enough to bypass the intended restrictions.
To protect their systems, users must immediately update their n8n installations to the latest patched versions. Specifically, CVE-2026-1470 is addressed in versions 1.123.17, 2.4.5, and 2.5.1, while CVE-2026-0863 is resolved in versions 1.123.14, 2.3.5, and 2.4.2. With tens of thousands of instances still exposed to previously disclosed flaws, timely patching is the only effective way to prevent a total compromise of corporate automation workflows.
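As an added example (not code from n8n, JFrog or the article), this Python check compares an installed n8n version against the fixed releases listed above and reports which of the two CVEs a host is still exposed to. The branch rule it applies is an assumption: a build counts as patched only if it is at or above the fix on its own major.minor branch, or newer than every listed fix; the hostnames in the sample inventory are constructed.

```python
"""Check installed n8n versions against the fixed releases named in the
advisory summary. Added example; fix versions are taken from the article."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed versions as stated in the advisory summary (one fix per release branch).
FIXED_VERSIONS: Dict[str, List[str]] = {
    "CVE-2026-1470": ["1.123.17", "2.4.5", "2.5.1"],
    "CVE-2026-0863": ["1.123.14", "2.3.5", "2.4.2"],
}

def parse_version(text: str) -> Version:
    """Parse a 'major.minor.patch' string, tolerating a leading 'v'."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])

def is_patched(installed: str, fixes: List[str]) -> bool:
    """Assumed rule (not stated by the advisory): patched if the build is at
    or above the fix on its own major.minor branch, or newer than every
    listed fix (a later release line). A branch with no listed fix is
    treated as unpatched, which is the conservative reading."""
    v = parse_version(installed)
    parsed = [parse_version(f) for f in fixes]
    for f in parsed:
        if v[:2] == f[:2]:
            return v[2] >= f[2]
    return v > max(parsed)

def assess(installed: str) -> Dict[str, bool]:
    """Map each CVE to True when the installed version is still exposed."""
    return {cve: not is_patched(installed, fixes)
            for cve, fixes in FIXED_VERSIONS.items()}

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("wf-prod-01", "1.123.16"), ("wf-prod-02", "2.4.5"),
                 ("wf-dev-01", "2.3.5"), ("wf-lab-01", "2.6.0")]
    for host, ver in inventory:
        exposed = [cve for cve, bad in assess(ver).items() if bad]
        status = ", ".join(exposed) if exposed else "patched for both"
        print(f"{host:12} n8n {ver:10} {status}")
```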
Source: Two High Severity n8n Vulnerabilities Allow Authenticated Remote Code Execution