AST Security Validator Bypass in n8n by n8n-io
CVE-2026-56777
5.3MEDIUM
What is CVE-2026-56777?
The recent vulnerability in n8n prior to version 2.25.7 and in the 2.26.x line before version 2.26.2 allows authenticated users with workflow modification rights to bypass the abstract syntax tree (AST) security validation in the Python Code node. This flaw is particularly concerning for self-hosted instances where the Python Task Runner feature is activated. If the environment variable N8N_BLOCK_RUNNER_ENV_ACCESS is set to allow such access, it could potentially expose sensitive environment variables within the task runner process.
Affected Version(s)
n8n 0 < 2.26.2
n8n 0 < 2.25.7
n8n 2.26.2
