Critical Sandbox Escape Flaws Expose n8n Workflows to Full System Compromise

Two critical vulnerabilities discovered in the popular n8n workflow automation platform could allow attackers to fully compromise affected instances, access sensitive data, and execute arbitrary code on the underlying host system.

Identified as CVE-2026-1470 and CVE-2026-0863, these flaws were discovered and reported by researchers at DevSecOps company JFrog. Despite requiring authentication, CVE-2026-1470 received a critical severity score of 9.9 out of 10, with JFrog explaining that the high rating stems from arbitrary code execution occurring in n8n's main node, which allows complete control over the n8n instance.

Understanding the Vulnerabilities

CVE-2026-1470 is an AST sandbox escape caused by improper handling of the JavaScript with statement. The vulnerability allows a standalone constructor identifier to bypass sanitization and resolve to Function, enabling arbitrary JavaScript execution and resulting in full remote code execution (RCE) on the main n8n node.

CVE-2026-0863 is a Python AST sandbox escape that combines format-string-based object introspection with Python 3.10+ AttributeError.obj behavior to regain access to restricted builtins and imports. This allows execution of OS commands and full RCE when Python runs as a subprocess on the main n8n node.

"These vulnerabilities highlight how difficult it is to safely sandbox dynamic, high-level languages such as JavaScript and Python," JFrog explains. "Even with multiple validation layers, deny lists, and AST-based controls in place, subtle language features and runtime behaviors can be leveraged to bypass security assumptions."

Impact and Exploitation Requirements

The exploitation of CVE-2026-1470 requires authentication because permissions to create or modify a workflow are necessary to escape the sandbox and execute commands on the host. However, the flaw remains rated critical since non-admin users, assumed to be safely contained in most deployments, can exploit it to pivot to infrastructure-level control.

This represents a significant security concern for organizations using n8n for workflow automation, as it demonstrates that even authenticated users with limited permissions can potentially escalate their privileges to full system control.

Affected Versions and Patches

Users are strongly recommended to upgrade to the latest versions as soon as possible:

• CVE-2026-1470 was fixed in versions 1.123.17, 2.4.5, and 2.5.1
• CVE-2026-0863 was addressed in n8n versions 1.123.14, 2.3.5, and 2.4.2

It should be noted that the n8n cloud platform has addressed these issues, and only self-hosted versions running a vulnerable release are affected. Organizations using n8n in cloud environments can breathe easier, but those running self-hosted instances need to act quickly.

Proof-of-Concept Concerns

Researcher Rhoda Smart, who explained CVE-2026-0863 in a technical blog post, promised to add a proof-of-concept exploit in the write-up. This development could prompt attackers to hunt for and target self-hosted n8n deployments, making timely patching even more critical.

Context: Recent n8n Security Issues

The n8n platform has faced increased scrutiny from security researchers recently. Earlier this month, the max-severity flaw "Ni8mare" was disclosed, which allows remote, unauthenticated attackers to take control of local n8n instances. A week after that disclosure, scans showed that 60,000 instances remained at risk.

As of January 27, this number has fallen to 39,900 exposed instances, indicating a very slow patching rate among the platform's users. This sluggish response to critical security issues is concerning, as it leaves a large attack surface exposed to potential exploitation.

Platform Popularity and Risk

With more than 200,000 weekly downloads on npm, n8n has become a widely adopted tool for task automation and supports integrations with AI and large language model (LLM) services. The platform's popularity makes these vulnerabilities particularly significant, as they affect a substantial number of organizations across various industries.

n8n is an open-source workflow automation platform that lets users link applications, APIs, and services into complex processes using a visual editor. Its flexibility and ease of use have made it a go-to solution for many organizations looking to automate their workflows and integrate various services.

Security Recommendations

Organizations using self-hosted n8n instances should:

1. Upgrade immediately to the patched versions (1.123.17, 2.4.5, or 2.5.1 for CVE-2026-1470; 1.123.14, 2.3.5, or 2.4.2 for CVE-2026-0863)
2. Monitor for suspicious activity in workflow creation and modification
3. Review access controls to ensure only necessary users have workflow modification permissions
4. Consider cloud deployment if self-hosting poses too great a security risk
5. Stay informed about emerging security research and proof-of-concept exploits

Broader Implications

These vulnerabilities underscore the ongoing challenges in sandboxing dynamic languages like JavaScript and Python. The fact that both vulnerabilities exploit subtle language features and runtime behaviors demonstrates that even sophisticated security measures can be bypassed by determined attackers.

For the broader DevOps and automation community, this serves as a reminder that workflow automation platforms, while incredibly useful, can introduce significant security risks if not properly maintained and secured. The combination of powerful automation capabilities with the need for secure execution environments creates a complex security challenge that requires constant vigilance.

The slow patching rate observed with the Ni8mare vulnerability suggests that many organizations may struggle with operationalizing security updates, particularly for critical infrastructure components. This highlights the need for better security practices and tooling around vulnerability management and patch deployment.