Cybersecurity researchers have uncovered two new security flaws in the n8n workflow automation platform, including a critical vulnerability that could allow remote code execution.
The vulnerabilities discovered by the JFrog Security Research team are as follows:
- CVE-2026-1470 (CVSS Score: 9.9) – An eval injection vulnerability could allow an authenticated user to bypass the Expression sandbox mechanism and achieve full remote code execution on the n8n main node by passing specially crafted JavaScript code.
- CVE-2026-0863 (CVSS Score: 8.5) – An eval injection vulnerability could allow an authenticated user to bypass n8n’s python-task-executor sandbox restrictions and execute arbitrary Python code on the underlying operating system.
Shachar Menashe, vice president of security research at JFrog, told The Hacker News that one of the reasons CVE-2026-1470 has a high CVSS score despite the authentication requirement is that “any user of n8n could exploit this issue and completely take over an entire n8n instance, making it a little more dangerous.”
Successful exploitation of this flaw could allow an attacker to hijack an entire n8n instance, including scenarios running in “internal” execution mode. n8n states in its documentation that using internal mode in production environments can pose a security risk, and urges users to switch to external mode to ensure proper isolation between n8n and the task runner process.
“n8n unlocks core tools, capabilities, and data from infrastructure including LLM APIs, sales data, internal IAM systems, and more to automate AI workflows across the organization,” JFrog said in a statement shared with The Hacker News. “As a result, you are evading giving hackers a valid ‘skeleton key’ to your entire company.”
To address this flaw, users are advised to update to the following versions:
- CVE-2026-1470 – 1.123.17, 2.4.5, or 2.5.1
- CVE-2026-0863 – 1.123.14, 2.3.5, or 2.4.2
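Because the fixes landed on several release lines at once, a simple "newer than X" check is not enough. The following Python helper is an added example, not code from the report, JFrog or n8n: it takes an installed n8n version and reports, for each CVE, whether it is at or above the fixed release of its own MAJOR.MINOR line; it assumes that release lines newer than the ones listed above also carry the fix, and it reports older lines (for example 2.3.x for CVE-2026-1470) as not patched so that the operator upgrades.

```python
"""Branch-aware check of an installed n8n version against the fixed
versions in the advisory (added example; not JFrog or n8n code)."""
from typing import Tuple

Version = Tuple[int, int, int]

# Fixed versions exactly as stated in the advisory, keyed by CVE.
FIXED_VERSIONS = {
    "CVE-2026-1470": ("1.123.17", "2.4.5", "2.5.1"),
    "CVE-2026-0863": ("1.123.14", "2.3.5", "2.4.2"),
}


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v') into an int tuple."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected n8n version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_patched(installed: str, cve: str) -> bool:
    """True if `installed` carries the fix for `cve`.

    Patched when the version is at or above the fixed release of its own
    MAJOR.MINOR line, or when its MAJOR.MINOR line is newer than every
    fixed line of that major (assumption: later lines ship the fix).
    Lines older than all fixed lines of the major, or a major with no
    listed fix, are reported as not patched."""
    have = parse_version(installed)
    fixes = [parse_version(f) for f in FIXED_VERSIONS[cve]]
    same_line = [f for f in fixes if f[:2] == have[:2]]
    if same_line:
        return have >= same_line[0]
    same_major = [f for f in fixes if f[0] == have[0]]
    if same_major and have[:2] > max(f[:2] for f in same_major):
        return True
    return False


def audit(installed: str) -> dict:
    """Patch status of `installed` for every CVE in the advisory."""
    return {cve: is_patched(installed, cve) for cve in FIXED_VERSIONS}


if __name__ == "__main__":
    for v in ("1.123.16", "2.4.5", "2.3.7", "2.6.0"):
        print(v, audit(v))
```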
This development comes just weeks after Cyera Research Labs detailed a maximum severity security flaw in n8n (CVE-2026-21858 aka Ni8mare) that allows an unauthenticated, remote attacker to gain complete control of a vulnerable instance. According to data from the Shadowserver Foundation, as of January 27, 2026, over 39,000 n8n instances remain affected by this flaw.
“These vulnerabilities highlight how difficult it is to securely sandbox dynamic high-level languages such as JavaScript and Python,” said researcher Nathan Nehorai. “Even when multiple validation layers, deny lists, and AST-based controls are in place, subtle language features and runtime behaviors can be leveraged to circumvent security assumptions.”
“In this case, deprecated or rarely used constructs, combined with changes to the interpreter and exception handling behavior, were sufficient to break through the restrictive sandbox and execute code remotely.”