Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials


If you run n8n, take a minute. Researchers disclosed multiple now-patched vulnerabilities, two of them critical, that can lead to arbitrary command execution and exposure of stored credentials. Don't worry: patches are available. Below are the facts and practical mitigations, In sha Allah.

Vulnerabilities at a glance

  • CVE-2026-27577 (CVSS 9.4): Expression sandbox escape leading to remote code execution (RCE).
  • CVE-2026-27493 (CVSS 9.5): Unauthenticated expression evaluation via n8n’s Form nodes.

“CVE-2026-27577 is a sandbox escape in the expression compiler: a missing case in the AST rewriter lets process slip through untransformed, giving any authenticated expression full RCE,” said Pillar Security researcher Eilon Cohen, who discovered and reported the issues.

CVE-2026-27493 is described as a “double‑evaluation bug” in Form nodes. Because n8n form endpoints are public by design and require no authentication or n8n account, an attacker could inject expressions through a public form (for example, a “Contact Us” form) by placing a payload in a field such as Name, and thereby execute arbitrary shell commands.


n8n notes that CVE-2026-27493, when chained with an expression sandbox escape like CVE-2026-27577, can escalate to RCE on the n8n host.

Affected versions and fixes

Both vulnerabilities impact self-hosted and cloud deployments:

  • Versions < 1.123.22; ≥ 2.0.0 and < 2.9.3; ≥ 2.10.0 and < 2.10.1

Fixed in versions 2.10.1, 2.9.3, and 1.123.22.

Mitigations

CVE-2026-27577 (Expression sandbox escape)

  • Limit workflow creation and editing permissions to fully trusted users.
  • Deploy n8n in a hardened environment with restricted OS privileges and network access.

CVE-2026-27493 (Unauthenticated expression evaluation via Form nodes)

  • Review usage of Form nodes for the risky preconditions described above.
  • Disable the Form node by adding n8n-nodes-base.form to the NODES_EXCLUDE environment variable.
  • Disable the Form Trigger node by adding n8n-nodes-base.formTrigger to the NODES_EXCLUDE environment variable.

Note: These workarounds do not fully remediate risk and should be used only as short-term measures.

Potential impact

Pillar Security warns an attacker could read the N8N_ENCRYPTION_KEY environment variable and decrypt every credential stored in n8n’s database, including AWS keys, database passwords, OAuth tokens, and API keys.

Additional critical fixes in this release train

  • CVE-2026-27495 (CVSS 9.4): Code injection in the JavaScript Task Runner sandbox lets an authenticated user (with create/modify workflow permission) execute arbitrary code outside the sandbox boundary.
  • CVE-2026-27497 (CVSS 9.4): Using the Merge node’s SQL query mode, an authenticated user (with create/modify workflow permission) could execute arbitrary code and write arbitrary files on the n8n server.

Workarounds for the above

  • CVE-2026-27495: Use external runner mode (N8N_RUNNERS_MODE=external) to limit the blast radius.
  • CVE-2026-27497: Disable the Merge node by adding n8n-nodes-base.merge to the NODES_EXCLUDE environment variable.

What to do now

  • Upgrade to 2.10.1, 2.9.3, or 1.123.22 (as applicable) as soon as possible.
  • Restrict workflow creation/editing to trusted users only.
  • Harden your deployment with least-privilege OS permissions and tight network access.
  • If you expose forms publicly, review them or temporarily disable the Form and Form Trigger nodes until fully patched.
  • Consider external runner mode for JavaScript tasks and disable the Merge node if not essential.
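To make the version check and the interim workarounds above concrete, here is a small added helper (not n8n's own code, not from the advisory) that tests a running version against the affected ranges published for CVE-2026-27577 and CVE-2026-27493 and builds the stop-gap environment variables. It assumes NODES_EXCLUDE takes a JSON-array string, as n8n's documentation describes, and that the running version is read from `n8n --version` or the instance's settings page.

```python
import json
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as published for CVE-2026-27577 / CVE-2026-27493:
# (lower bound inclusive, or None for "no lower bound"; upper bound exclusive)
AFFECTED_RANGES = [
    (None, (1, 123, 22)),       # < 1.123.22
    ((2, 0, 0), (2, 9, 3)),     # >= 2.0.0 and < 2.9.3
    ((2, 10, 0), (2, 10, 1)),   # >= 2.10.0 and < 2.10.1
]

# Nodes the advisory suggests excluding as a short-term measure
WORKAROUND_EXCLUDES = [
    "n8n-nodes-base.form",         # CVE-2026-27493
    "n8n-nodes-base.formTrigger",  # CVE-2026-27493
    "n8n-nodes-base.merge",        # CVE-2026-27497
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch', ignoring a leading 'v' and any pre-release suffix."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: str) -> bool:
    """True if the given n8n version falls inside a published affected range."""
    v = parse_version(version)
    return any((lo is None or v >= lo) and v < hi for lo, hi in AFFECTED_RANGES)


def excluded_nodes(existing_nodes_exclude: Optional[str] = None) -> List[str]:
    """Merge the workaround node list with an existing NODES_EXCLUDE JSON array."""
    current = set(json.loads(existing_nodes_exclude)) if existing_nodes_exclude else set()
    return sorted(current.union(WORKAROUND_EXCLUDES))


def interim_env(existing_nodes_exclude: Optional[str] = None) -> dict:
    """Environment variables for the short-term workarounds until you can upgrade."""
    return {
        "NODES_EXCLUDE": json.dumps(excluded_nodes(existing_nodes_exclude)),
        "N8N_RUNNERS_MODE": "external",  # CVE-2026-27495 blast-radius limit
    }


if __name__ == "__main__":
    for ver in ("1.123.21", "1.123.22", "2.9.2", "2.10.0", "2.10.1"):
        print(ver, "AFFECTED" if is_affected(ver) else "fixed")
    print(interim_env('["n8n-nodes-base.executeCommand"]'))
```

Exporting these variables is a stop-gap only; the upgrade to 2.10.1, 2.9.3, or 1.123.22 remains the actual fix.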

There’s no mention of exploitation in the wild at this time. Still, staying current is your best defense. Small, steady upgrades protect your keys and your users; In sha Allah, you’ll stay a step ahead.


All Right Reserved by Jutsu Inc. | 2024