CVE-2026-27495: n8n: Code Injection enables RCE

CRITICAL
Published February 25, 2026
CISO Take

If your organization runs n8n for AI automation or agent workflows, patch immediately to versions 2.10.1, 2.9.3, or 1.123.22. Any authenticated user with workflow edit permissions can escape the JavaScript Task Runner sandbox and achieve full RCE on the n8n host in default internal runner mode. Given that n8n deployments typically hold API keys for AI services, database credentials, and internal system access, the blast radius extends well beyond the n8n process itself.

Risk Assessment

Critical. CVSS 9.9 with network-accessible, low-complexity exploitation requiring only low-privileged authentication — no user interaction needed. The default configuration (internal Task Runner) yields full host compromise. n8n is widely deployed as the orchestration layer for AI agent pipelines, meaning a compromised n8n instance typically exposes the entire AI stack: LLM API keys (OpenAI, Anthropic), vector DB credentials, internal APIs, and downstream automation targets. Exposure is high across organizations using n8n for AI workflows, which is a significant and growing population.

Affected Systems

Package Ecosystem Vulnerable Range Patched
n8n npm No patch

Severity & Risk

CVSS 3.1
9.9 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 28% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Changed
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

7 steps

1. PATCH NOW: Upgrade to n8n 2.10.1, 2.9.3, or 1.123.22 immediately. No other fix fully remediates the risk.

2. Short-term if patching is blocked: restrict workflow creation/editing permissions to fully trusted users only via n8n's RBAC — remove this capability from service accounts and non-admin users.

3. Switch to external runner mode (N8N_RUNNERS_MODE=external) to contain blast radius to the runner process rather than the full host.

4. Audit n8n workflow change logs for suspicious JavaScript Code node modifications, especially those created by non-admin accounts.

5. Rotate all credentials stored in n8n (AI API keys, DB passwords, webhook secrets, OAuth tokens) if you suspect any window of exploitation — treat stored credentials as compromised until confirmed otherwise.

6. Network-segment n8n hosts: they should not have unrestricted outbound internet access or flat internal network access.

7. Detection: monitor for unexpected outbound connections or process spawning from the n8n host process.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.4 - AI system risk assessment
A.6.2.6 - AI system security
A.9.3 - AI system access control
NIST AI RMF
GOVERN 1.2 - Policies, processes, procedures, and practices across the organization
GOVERN 6.2 - Contingency processes are in place
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
MANAGE 2.4 - Mechanisms to sustain effectiveness of risk controls
OWASP LLM Top 10
LLM07 - Insecure Plugin Design
LLM08 - Excessive Agency
LLM08:2025 - Excessive Agency
LLM09:2025 - Misinformation

Frequently Asked Questions

What is CVE-2026-27495?

If your organization runs n8n for AI automation or agent workflows, patch immediately to versions 2.10.1, 2.9.3, or 1.123.22. Any authenticated user with workflow edit permissions can escape the JavaScript Task Runner sandbox and achieve full RCE on the n8n host in default internal runner mode. Given that n8n deployments typically hold API keys for AI services, database credentials, and internal system access, the blast radius extends well beyond the n8n process itself.

Is CVE-2026-27495 actively exploited?

No confirmed active exploitation of CVE-2026-27495 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-27495?

1. PATCH NOW: Upgrade to n8n 2.10.1, 2.9.3, or 1.123.22 immediately. No other fix fully remediates the risk.
2. Short-term if patching is blocked: restrict workflow creation/editing permissions to fully trusted users only via n8n's RBAC — remove this capability from service accounts and non-admin users.
3. Switch to external runner mode (N8N_RUNNERS_MODE=external) to contain blast radius to the runner process rather than the full host.
4. Audit n8n workflow change logs for suspicious JavaScript Code node modifications, especially those created by non-admin accounts.
5. Rotate all credentials stored in n8n (AI API keys, DB passwords, webhook secrets, OAuth tokens) if you suspect any window of exploitation — treat stored credentials as compromised until confirmed otherwise.
6. Network-segment n8n hosts: they should not have unrestricted outbound internet access or flat internal network access.
7. Detection: monitor for unexpected outbound connections or process spawning from the n8n host process.
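Steps 1, 3 and 4 of this list (and of the identical list under Recommended Action) reduce to three checks a responder can script: is the running version older than the fix for its release branch, are Task Runners enabled in internal mode, and which workflows contain JavaScript Code nodes that need review. The script below is an added example, not n8n's own tooling and not part of this advisory. It assumes the version is available as a semver string (for instance from the container image tag), that the runner settings are read from the n8n process environment, and that an n8n workflow export is a list of JSON objects carrying `name`, `updatedAt` and a `nodes` list in which Code nodes have the type `n8n-nodes-base.code` (an assumed identifier; confirm it against your own export). The sample workflows are constructed.

```python
"""Added example: triage helpers for CVE-2026-27495 (not n8n's own tooling).

Assumptions (not from the advisory): workflow exports are JSON objects with
"name", "updatedAt" and "nodes"; JavaScript Code nodes use the type
"n8n-nodes-base.code"; the version is a semver string such as "2.10.0".
"""
import re
from typing import Dict, List

# Patched versions named in the advisory, keyed by release branch.
PATCHED_BY_BRANCH = {
    (1,): (1, 123, 22),
    (2, 9): (2, 9, 3),
    (2, 10): (2, 10, 1),
}

CODE_NODE_TYPE = "n8n-nodes-base.code"  # assumed type id of the JavaScript Code node


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch); a leading 'v' and pre-release suffixes are ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix for its branch.

    1.x is fixed at 1.123.22, 2.9.x at 2.9.3 and 2.10.x at 2.10.1. A 2.x
    release below the 2.9 branch has no fixed release on that branch, and
    branches newer than 2.10 are treated as carrying the fix.
    """
    major, minor, patch = parse_version(version)
    if major >= 3:
        return False
    if major < 1:
        return True
    if major == 1:
        return (major, minor, patch) < PATCHED_BY_BRANCH[(1,)]
    if minor < 9:
        return True
    if minor == 9:
        return (major, minor, patch) < PATCHED_BY_BRANCH[(2, 9)]
    return (major, minor, patch) < PATCHED_BY_BRANCH[(2, 10)]


def runner_exposure(env: Dict[str, str]) -> str:
    """Classify the Task Runner configuration from the n8n process environment.

    The advisory says runners are enabled with N8N_RUNNERS_ENABLED=true and that
    internal mode is the default. An unset variable is reported as unknown rather
    than assumed safe, because the effective default can differ by version.
    """
    enabled = env.get("N8N_RUNNERS_ENABLED")
    if enabled is None:
        return "unknown: N8N_RUNNERS_ENABLED not set, verify this version's default"
    if enabled.strip().lower() != "true":
        return "runners not enabled"
    mode = env.get("N8N_RUNNERS_MODE", "internal").strip().lower()
    if mode == "external":
        return "external: blast radius limited to the runner process"
    return "internal: sandbox escape reaches the n8n host"


def find_code_nodes(workflows: List[dict]) -> List[dict]:
    """List every JavaScript Code node so a reviewer can check who changed it and when."""
    findings = []
    for wf in workflows:
        for node in wf.get("nodes", []):
            if node.get("type") == CODE_NODE_TYPE:
                findings.append({
                    "workflow": wf.get("name"),
                    "node": node.get("name"),
                    "updatedAt": wf.get("updatedAt"),
                })
    return findings


# Constructed sample export: two workflows, one of which contains a Code node.
SAMPLE_WORKFLOWS = [
    {
        "name": "Nightly report",
        "updatedAt": "2026-02-26T03:14:00.000Z",
        "nodes": [
            {"name": "Schedule", "type": "n8n-nodes-base.scheduleTrigger"},
            {"name": "Transform", "type": "n8n-nodes-base.code"},
        ],
    },
    {
        "name": "Slack notifier",
        "updatedAt": "2026-01-10T09:00:00.000Z",
        "nodes": [{"name": "Webhook", "type": "n8n-nodes-base.webhook"}],
    },
]


def triage(version: str, env: Dict[str, str], workflows: List[dict]) -> dict:
    """Combine the three checks into one report for the host under review."""
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "runner": runner_exposure(env),
        "code_nodes": find_code_nodes(workflows),
    }


if __name__ == "__main__":
    report = triage("2.10.0", {"N8N_RUNNERS_ENABLED": "true"}, SAMPLE_WORKFLOWS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real export by replacing `SAMPLE_WORKFLOWS` with the parsed JSON from your instance and feeding `os.environ` of the n8n process to `runner_exposure`. The Code node listing is deliberately a review queue rather than a content filter: the advisory does not describe the escape payload, so the reliable signal is which workflows gained or changed Code nodes, correlated with the `updatedAt` timestamp and the editing account in your change logs.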

What systems are affected by CVE-2026-27495?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation platforms, AI orchestration layers, multi-agent systems, LLM integration pipelines, RAG pipelines.

What is the CVSS score for CVE-2026-27495?

CVE-2026-27495 has a CVSS v3.1 base score of 9.9 (CRITICAL). The EPSS exploitation probability is 0.10%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could exploit a vulnerability in the JavaScript Task Runner sandbox to execute arbitrary code outside the sandbox boundary. On instances using internal Task Runners (default runner mode), this could result in full compromise of the n8n host. On instances using external Task Runners, the attacker might gain access to or impact other tasks executed on the Task Runner. Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`. The issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or use external runner mode (`N8N_RUNNERS_MODE=external`) to limit the blast radius. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An attacker with a low-privileged n8n account — obtained via credential stuffing, phishing a developer, or compromising a service account used by CI/CD — navigates to the workflow editor. They create or modify a workflow containing a JavaScript Code node and craft a payload exploiting CWE-94 in the Task Runner sandbox to execute arbitrary OS commands. With internal runner mode (default), this immediately yields RCE on the n8n host. The attacker then dumps the n8n environment variables and database, extracting API keys for OpenAI/Anthropic, database connection strings, OAuth tokens, and webhook secrets stored as workflow credentials. They establish persistence via a reverse shell, then pivot laterally through the internal network using n8n's pre-authorized connections to internal APIs, cloud storage, and databases — effectively inheriting all trust relationships the automation platform held. The attack is particularly dangerous in AI-heavy environments where n8n orchestrates LLM calls, RAG pipelines, and multi-agent workflows, as full compromise of the orchestration layer means full visibility and control over the entire AI automation stack.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
February 25, 2026
Last Modified
March 4, 2026
First Seen
February 25, 2026

Related Vulnerabilities