AST Security Validator Bypass in n8n by n8n-io
CVE-2026-56777

5.3MEDIUM

Key Information:

Vendor

N8n

Status
Vendor
CVE Published:
30 June 2026

What is CVE-2026-56777?

The recent vulnerability in n8n prior to version 2.25.7 and in the 2.26.x line before version 2.26.2 allows authenticated users with workflow modification rights to bypass the abstract syntax tree (AST) security validation in the Python Code node. This flaw is particularly concerning for self-hosted instances where the Python Task Runner feature is activated. If the environment variable N8N_BLOCK_RUNNER_ENV_ACCESS is set to allow such access, it could potentially expose sensitive environment variables within the task runner process.

Affected Version(s)

n8n 0 < 2.26.2

n8n 0 < 2.25.7

n8n 2.26.2

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mistz1
.