Arbitrary Code Execution Vulnerability in n8n Workflow Automation Platform
CVE-2026-27495
What is CVE-2026-27495?
The n8n workflow automation platform is susceptible to a vulnerability that permits an authenticated user with workflow creation or modification permissions to execute arbitrary code outside of the JavaScript Task Runner sandbox. This security flaw can potentially lead to a full compromise of the n8n host when using internal Task Runners. For setups that employ external Task Runners, the attacker could disrupt or access other tasks being executed. n8n has addressed this vulnerability in versions 2.10.1, 2.9.3, and 1.123.22. It is recommended that users upgrade to these versions or later to mitigate the risk. As a temporary measure, administrators should restrict workflow permissions to trusted users and consider utilizing external runner mode to reduce exposure.
Affected Version(s)
n8n < 1.123.22
n8n >= 2.0.0, < 2.9.3
n8n >= 2.10.0, < 2.10.1
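
To triage an inventory against the ranges above, the following check can be used. It is an added example, not code from n8n or from this advisory, and the host names and sample versions in it are constructed.

```javascript
// Added example. Ranges copied from the advisory's "Affected Version(s)" list.
// Each entry: [inclusive lower bound or null, exclusive upper bound = fixed release].
const AFFECTED_RANGES = [
  [null, "1.123.22"],
  ["2.0.0", "2.9.3"],
  ["2.10.0", "2.10.1"],
];

// Parse "2.9.1" or "v2.9.1" into [major, minor, patch].
// Anything else (including pre-release or build suffixes) returns null.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(text).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison per component, so 2.9.10 sorts after 2.9.3.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { affected, fixedIn }. Throws on unparseable input so that a
// malformed inventory entry is never silently reported as safe.
function checkN8nVersion(text) {
  const v = parseVersion(text);
  if (!v) throw new Error(`unrecognised version string: ${text}`);
  for (const [low, fixed] of AFFECTED_RANGES) {
    const aboveLow = low === null || compareVersions(v, parseVersion(low)) >= 0;
    if (aboveLow && compareVersions(v, parseVersion(fixed)) < 0) {
      return { affected: true, fixedIn: fixed };
    }
  }
  return { affected: false, fixedIn: null };
}

// Constructed sample inventory (host names and versions are made up).
const inventory = { "n8n-prod": "1.123.21", "n8n-stage": "2.9.3", "n8n-dev": "v2.10.0" };
for (const [host, version] of Object.entries(inventory)) {
  const r = checkN8nVersion(version);
  const verdict = r.affected ? `affected, upgrade to ${r.fixedIn} or later` : "not in an affected range";
  console.log(`${host} ${version}: ${verdict}`);
}
```

Version strings with a pre-release or build suffix are rejected rather than guessed at, so they surface for manual review.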
