Cybersecurity researchers have disclosed details of two now-patched security flaws in the n8n workflow automation platform, one of which could have allowed anyone to run arbitrary commands.

The vulnerabilities are as follows:

- CVE-2026-27577 (CVSS score: 9.4) - An expression sandbox escape that leads to remote code execution (RCE).
- CVE-2026-27493 (CVSS score: 9.5) - Unauthenticated expression evaluation in n8n's Form nodes.

The cybersecurity company described CVE-2026-27493 as a "double-evaluation bug" in n8n's Form nodes that could be exploited for code injection through forms, because form endpoints are public by design and require neither an n8n account nor authentication.

Successful exploitation requires nothing more than a public "Contact Us" form: placing a payload in the Name field is enough to run arbitrary shell commands. Last month, n8n published an advisory stating that CVE-2026-27577 could be weaponized by an authenticated user with permission to create or modify workflows, causing unintended system commands to execute on the host running n8n through specially crafted expressions in workflow parameters.

n8n also noted that CVE-2026-27493, when chained with an expression sandbox escape such as CVE-2026-27577, could "escalate to remote code execution on the n8n host." Both issues affect self-hosted and cloud n8n installations. They were fixed in versions 2.10.1, 2.9.3, and 1.123.22.

If CVE-2026-27577 cannot be patched immediately, restrict the ability to create and edit workflows to trusted users, and deploy n8n in a hardened environment with limited operating system privileges and network access. For CVE-2026-27493, n8n suggests the following steps to reduce the risk:

- Manually review the use of Form nodes for the conditions listed above.
- To disable the Form node, add n8n-nodes-base.form to the NODES_EXCLUDE environment variable.
- To disable the Form Trigger node, add n8n-nodes-base.formTrigger to the NODES_EXCLUDE environment variable.

The maintainers warned that these workarounds do not fully eliminate the risk and should be treated only as temporary measures. Pillar Security said that an attacker could use these weaknesses to read the N8N_ENCRYPTION_KEY environment variable and use it to decrypt all of the credentials stored in n8n's database.

This includes AWS keys, database passwords, OAuth tokens, and API keys.

n8n versions 2.10.1, 2.9.3, and 1.123.22 also fix two more critical security flaws that could be exploited to run arbitrary code:

- CVE-2026-27495 (CVSS score: 9.4) - A code injection flaw in the JavaScript Task Runner sandbox that an authenticated user with permission to create or modify workflows could use to run arbitrary code outside the sandbox.
- CVE-2026-27497 (CVSS score: 9.4) - A flaw in the Merge node's SQL query mode that an authenticated user with permission to create or modify workflows could use to run arbitrary code and write arbitrary files on the n8n server.

In addition to restricting workflow creation and editing to trusted users, n8n has listed the following workarounds for each flaw:

- CVE-2026-27495 - Use external runner mode (N8N_RUNNERS_MODE=external) to limit the blast radius.
- CVE-2026-27497 - To disable the Merge node, add n8n-nodes-base.merge to the NODES_EXCLUDE environment variable.

n8n does not report that any of these vulnerabilities have been exploited in the wild, but users should keep their installations up to date to stay protected.
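The following is an added example, not code from n8n or from the article, that checks one deployment against the fixed releases and the workarounds listed above (both the Form node exclusions for CVE-2026-27493 and the runner mode and Merge node exclusion for CVE-2026-27495/27497). It assumes NODES_EXCLUDE holds a JSON array of node type names, that n8n-nodes-base.form is the Form node's type name, and that 2.x releases newer than 2.10 carry the fix while 2.0 to 2.8 do not, since the article names no fixed release for them.

```python
import json
import re

# Fixed releases named in the article, one per affected release line.
FIXED = {(1,): (1, 123, 22), (2, 9): (2, 9, 3), (2, 10): (2, 10, 1)}

# Node type names to exclude, per the listed workarounds.
# Assumption: n8n-nodes-base.form is the Form node's type name.
WORKAROUND_NODES = {
    "CVE-2026-27493": {"n8n-nodes-base.form", "n8n-nodes-base.formTrigger"},
    "CVE-2026-27497": {"n8n-nodes-base.merge"},
}

def parse_version(text):
    """Turn '2.9.3' into (2, 9, 3); reject anything that is not x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(version):
    """True if the version is at or above the fixed release for its line.
    Assumption: 2.11+ carry the fix; 2.0-2.8 have no fixed release."""
    major, minor, _ = version
    if major == 1:
        return version >= FIXED[(1,)]
    if major == 2:
        return version >= (FIXED[(2, 9)] if minor == 9 else FIXED[(2, 10)])
    return major > 2

def excluded_nodes(env):
    """Assumption: NODES_EXCLUDE is a JSON array of node type names."""
    raw = env.get("NODES_EXCLUDE", "").strip()
    return set(json.loads(raw)) if raw else set()

def assess(version_text, env):
    """Return findings for a deployment given its version and environment."""
    findings = []
    if is_patched(parse_version(version_text)):
        return findings  # patched release: the workarounds are not needed
    findings.append("unpatched: upgrade to 2.10.1, 2.9.3 or 1.123.22")
    excluded = excluded_nodes(env)
    for cve, nodes in WORKAROUND_NODES.items():
        missing = sorted(nodes - excluded)
        if missing:
            findings.append(f"{cve}: NODES_EXCLUDE lacks {missing}")
    if env.get("N8N_RUNNERS_MODE") != "external":
        findings.append("CVE-2026-27495: N8N_RUNNERS_MODE is not 'external'")
    return findings
```

An empty result means the instance runs a fixed release; otherwise each finding names the CVE whose workaround is not in place.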