Two vulnerabilities in the n8n workflow automation platform could allow attackers to fully compromise affected instances, access sensitive data, and execute arbitrary code on the underlying host.
Identified as CVE-2026-1470 and CVE-2026-0863, the vulnerabilities were discovered and reported by researchers at DevSecOps company JFrog.
Despite requiring authentication, CVE-2026-1470 received a critical severity score of 9.9 out of 10. JFrog explained that the critical rating was due to arbitrary code execution occurring in n8n’s main node, which allows complete control over the n8n instance.
n8n is an open-source workflow automation platform that lets users link applications, APIs, and services into complex processes using a visual editor.
With more than 200,000 weekly downloads on npm, the library is used for task automation and supports integrations with AI and large language model (LLM) services.
The two vulnerabilities discovered by JFrog can be summarized as follows:
- CVE-2026-1470 – An AST sandbox escape caused by improper handling of the JavaScript with statement allows a standalone constructor identifier to bypass sanitization and resolve to Function, enabling arbitrary JavaScript execution and resulting in full RCE on the main n8n node.
- CVE-2026-0863 – A Python AST sandbox escape that combines format-string–based object introspection with Python 3.10+ AttributeError.obj behavior to regain access to restricted builtins and imports, allowing execution of OS commands and full RCE when Python runs as a subprocess on the main n8n node.
“These vulnerabilities highlight how difficult it is to safely sandbox dynamic, high‑level languages such as JavaScript and Python,” JFrog explains.
“Even with multiple validation layers, deny lists, and AST‑based controls in place, subtle language features and runtime behaviors can be leveraged to bypass security assumptions,” the researchers say.
Exploiting CVE-2026-1470 requires authentication because permissions to create or modify a workflow are necessary to escape the sandbox and execute commands on the host.
The flaw is still rated critical since non-admin users, assumed to be safely contained in most deployments, can exploit it to pivot to infrastructure-level control.
CVE-2026-1470 was fixed in versions 1.123.17, 2.4.5, and 2.5.1, while CVE-2026-0863 was addressed in n8n versions 1.123.14, 2.3.5, 2.4.2. Users are recommended to upgrade to the latest versions as soon as possible.
It should be noted that the n8n cloud platform has addressed the issues, and only self-hosted versions running a vulnerable release are affected.
Researcher Rhoda Smart, who explained CVE-2026-0863 in a technical blog post, promised to add a proof-of-concept exploit in the write-up, which could prompt attackers to hunt for and target self-hosted n8n deployments.
The n8n platform gained more attention recently, as security researchers reported critical flaws. Earlier this month, the max-severity flaw “Ni8mare” was disclosed, which allows remote, unauthenticated attackers to take control of local n8n instances.
A week later, scans showed that 60,000 instances remained at risk. As of January 27, this number has fallen to 39,900 exposed instances, indicating a very slow patching rate among the platform’s users.
As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe.
This free cheat sheet outlines 7 best practices you can start using today.