Critical N8n Vulnerabilities Allowed Server Takeover
securityweek
Two critical-severity vulnerabilities in n8n could have been exploited for unauthenticated remote code execution (RCE) and sandbox escape, exposing all credentials stored in the n8n database, Pillar Security reports.
Tracked as CVE-2026-27493 (CVSS score of 9.5), the first bug is described as a second-order expression injection issue impacting the open source workflow automation platform’s Form nodes.
Successful exploitation could have allowed an unauthenticated attacker to inject arbitrary commands into a Name field and receive the output of the executed command.
The security defect existed because n8n ran the user’s submission through two expression evaluation passes: the first pass interpolated the submitted value into the output, and the second pass then treated that interpolated value as template text, so an attacker’s payload placed in the field was evaluated as a new expression.
The vulnerability, Pillar explains, could be chained with the second critical flaw, tracked as CVE-2026-27577 (CVSS score of 9.4), to escape the n8n sandbox and execute commands on the host.
According to the security team ...
Copyright of this story solely belongs to securityweek.