Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials

https://thehackernews.com/2026/03/critical-n8n-flaws-allow-remote-code.html

Publish Date: 2026-03-11 10:51:00

Source Domain: thehackernews.com

Ravie Lakshmanan | Mar 11, 2026 | Vulnerability / Application Security

Cybersecurity researchers have disclosed details of two now-patched critical security flaws in the n8n workflow automation platform that could result in arbitrary command execution.

The vulnerabilities are listed below:

  • CVE-2026-27577 (CVSS score: 9.4) – Expression sandbox escape leading to remote code execution (RCE)
  • CVE-2026-27493 (CVSS score: 9.5) – Unauthenticated expression evaluation via n8n’s Form nodes

“CVE-2026-27577 is a sandbox escape in the expression compiler: a missing case in the AST rewriter lets process slip through untransformed, giving any authenticated expression full RCE,” Pillar Security researcher Eilon Cohen, who discovered and reported the issues, said in a report shared with The Hacker News.

The cybersecurity company described CVE-2026-27493 as a “double-evaluation bug” in n8n’s Form nodes that could be abused for expression injection by taking advantage of the fact that the form endpoints are public by design and require neither authentication nor an n8n account.

All it takes for successful exploitation is a public “Contact Us” form: supplying a crafted payload in the Name field is enough to execute arbitrary shell commands.
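To make the double-evaluation bug class concrete, here is an added toy illustration in JavaScript (constructed for this write-up, not n8n's code): a template renderer that resolves {{ ... }} expressions against incoming form data, shown in its vulnerable two-pass form next to a single-pass hardened form, plus a check a defender could use to flag form submissions that carry expression syntax. The expression language is deliberately limited to field lookups and integer multiplication, so evaluated input cannot reach the host.

```javascript
// Added toy illustration of the double-evaluation bug class (constructed
// example, not n8n's code). A workflow node fills in a parameter template
// from incoming form data; the bug is evaluating the *rendered result* again.

// Deliberately tiny expression language: a field lookup ($json.<field>) or an
// integer, optionally multiplied by another. Nothing on the host is reachable.
function evaluateExpression(expr, ctx) {
  const m = /^\s*(\$json\.\w+|\d+)(?:\s*\*\s*(\$json\.\w+|\d+))?\s*$/.exec(expr);
  if (!m) throw new Error(`unsupported expression: ${expr}`);
  const term = (t) => (t.startsWith('$json.') ? ctx.json[t.slice(6)] : Number(t));
  return m[2] === undefined ? term(m[1]) : Number(term(m[1])) * Number(term(m[2]));
}

// One rendering pass: every {{ ... }} in the template is evaluated once.
function renderOnce(template, ctx) {
  return template.replace(/\{\{(.*?)\}\}/g, (_, expr) => String(evaluateExpression(expr, ctx)));
}

// Vulnerable pattern: the rendered string, which now contains text taken from
// the request, is fed through the expression engine a second time, so an
// expression placed in a form field runs with the workflow's privileges.
function renderVulnerable(template, ctx) {
  return renderOnce(renderOnce(template, ctx), ctx);
}

// Hardened pattern: the workflow author's template is evaluated exactly once;
// values that arrived in the request are treated as opaque data, never as code.
function renderHardened(template, ctx) {
  return renderOnce(template, ctx);
}

// Defender-side check: flag form submissions whose fields carry expression
// syntax, which is never legitimate in a name or message field.
function looksLikeExpression(fieldValue) {
  return /\{\{[\s\S]*\}\}/.test(fieldValue);
}

// Constructed form submission: the Name field carries an expression instead of a name.
const submission = { json: { name: '{{ 6 * 7 }}' } };
const nodeParameter = 'Hello {{ $json.name }}';

console.log(renderVulnerable(nodeParameter, submission)); // Hello 42  (input was executed)
console.log(renderHardened(nodeParameter, submission));   // Hello {{ 6 * 7 }}  (input stayed data)
console.log(looksLikeExpression(submission.json.name));   // true
```

The same single-pass rule applies to any template engine that mixes author-written templates with request data: render once, and log or reject submissions that the check above flags.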

In an advisory released late last month, n8n said CVE-2026-27577 could be weaponized by an authenticated user with permission to create or modify workflows to trigger unintended system command execution on the host running n8n via crafted expressions in workflow parameters.

n8n also noted that CVE-2026-27493, when chained with an expression sandbox escape like CVE-2026-27577, could “escalate to remote code execution on the n8n host.” Both vulnerabilities affect the self-hosted and cloud deployments of n8n –

If immediate patching of CVE-2026-27577 is not an option, users are advised to limit workflow creation and editing permissions to fully trusted users and deploy n8n in a hardened environment with…