CVE-2026-27495: n8n: Code Injection enables RCE

CRITICAL
Published February 25, 2026
CISO Take

If your organization runs n8n for AI automation or agent workflows, patch immediately to versions 2.10.1, 2.9.3, or 1.123.22. Any authenticated user with workflow edit permissions can escape the JavaScript Task Runner sandbox and achieve full RCE on the n8n host in default internal runner mode. Given that n8n deployments typically hold API keys for AI services, database credentials, and internal system access, the blast radius extends well beyond the n8n process itself.

What is the risk?

Critical. CVSS 9.9 with network-accessible, low-complexity exploitation requiring only low-privileged authentication — no user interaction needed. The default configuration (internal Task Runner) yields full host compromise. n8n is widely deployed as the orchestration layer for AI agent pipelines, meaning a compromised n8n instance typically exposes the entire AI stack: LLM API keys (OpenAI, Anthropic), vector DB credentials, internal APIs, and downstream automation targets. Exposure is high across organizations using n8n for AI workflows, which is a significant and growing population.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
n8n       npm                            No patch
193.4K · OpenSSF 6.6 · Pushed 2d ago · 55% patched · ~7d to patch

How severe is it?

CVSS 3.1
9.9 / 10
EPSS
0.6%
chance of exploitation in 30 days
Higher than 44% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Changed
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

7 steps
  1. PATCH NOW: Upgrade to n8n 2.10.1, 2.9.3, or 1.123.22 immediately. No other fix fully remediates the risk.

  2. Short-term if patching is blocked: restrict workflow creation/editing permissions to fully trusted users only via n8n's RBAC — remove this capability from service accounts and non-admin users.

  3. Switch to external runner mode (N8N_RUNNERS_MODE=external) to contain blast radius to the runner process rather than the full host.

  4. Audit n8n workflow change logs for suspicious JavaScript Code node modifications, especially those created by non-admin accounts.

  5. Rotate all credentials stored in n8n (AI API keys, DB passwords, webhook secrets, OAuth tokens) if you suspect any window of exploitation — treat stored credentials as compromised until confirmed otherwise.

  6. Network-segment n8n hosts: they should not have unrestricted outbound internet access or flat internal network access.

  7. Detection: monitor for unexpected outbound connections or process spawning from the n8n host process.
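A small triage script for the steps above (an added example, not n8n project code): it decides from the running version whether the fix is present and, if not, reads N8N_RUNNERS_ENABLED and N8N_RUNNERS_MODE to say whether the exposure is host RCE or runner-process compromise. The per-branch version rule and the treatment of an absent N8N_RUNNERS_ENABLED as "enabled" are this script's assumptions, not statements from the advisory.

```python
"""Exposure triage for CVE-2026-27495 (n8n Task Runner sandbox escape).
Added example, not n8n code. Fixed versions and env names come from the
advisory; the per-branch rule is this script's reading of "or later".
"""
import re

FIXED_1X = (1, 123, 22)
FIXED_29 = (2, 9, 3)
FIXED_210 = (2, 10, 1)

def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.9.3' (optionally 'v'-prefixed or with a suffix) into an int tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(version: str) -> bool:
    v = parse_version(version)
    if v[0] == 1:
        return v >= FIXED_1X
    if v[0] == 2:
        if v[1] < 9:            # 2.0 - 2.8: no fixed release on those lines
            return False
        if v[1] == 9:
            return v >= FIXED_29
        return v >= FIXED_210   # 2.10.0 vulnerable; 2.10.1 and later 2.x fixed
    return v[0] > 2             # assumption: later major releases carry the fix

def assess(version: str, env: dict[str, str]) -> dict[str, str]:
    """Classify an instance from its version and runner-related env vars."""
    if is_patched(version):
        return {"status": "patched", "action": "none"}
    # Advisory: runners must be enabled via N8N_RUNNERS_ENABLED=true. An
    # absent variable is treated as enabled here (conservative assumption).
    if env.get("N8N_RUNNERS_ENABLED", "true").strip().lower() == "false":
        return {"status": "vulnerable-runners-disabled",
                "action": "upgrade; escape path inactive while runners stay disabled"}
    mode = env.get("N8N_RUNNERS_MODE", "internal")  # internal is the default
    if mode.strip().lower() == "external":
        return {"status": "vulnerable-external-runner",
                "action": "upgrade; impact limited to runner process; restrict workflow edit rights"}
    return {"status": "vulnerable-host-rce",
            "action": "upgrade now; interim: N8N_RUNNERS_MODE=external, restrict workflow edit rights"}
```

Feed it the version from the n8n UI or `n8n --version` and the container's environment; any status other than `patched` means step 1 still applies.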

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
  • A.6.1.4 - AI system risk assessment
  • A.6.2.6 - AI system security
  • A.9.3 - AI system access control
NIST AI RMF
  • GOVERN 1.2 - Policies, processes, procedures, and practices across the organization
  • GOVERN 6.2 - Contingency processes are in place
  • MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
  • MANAGE 2.4 - Mechanisms to sustain effectiveness of risk controls
OWASP LLM Top 10
  • LLM07 - Insecure Plugin Design
  • LLM08 - Excessive Agency
  • LLM08:2025 - Excessive Agency
  • LLM09:2025 - Misinformation

Frequently Asked Questions

What is CVE-2026-27495?

If your organization runs n8n for AI automation or agent workflows, patch immediately to versions 2.10.1, 2.9.3, or 1.123.22. Any authenticated user with workflow edit permissions can escape the JavaScript Task Runner sandbox and achieve full RCE on the n8n host in default internal runner mode. Given that n8n deployments typically hold API keys for AI services, database credentials, and internal system access, the blast radius extends well beyond the n8n process itself.

Is CVE-2026-27495 actively exploited?

No confirmed active exploitation of CVE-2026-27495 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-27495?

  1. PATCH NOW: Upgrade to n8n 2.10.1, 2.9.3, or 1.123.22 immediately. No other fix fully remediates the risk.
  2. Short-term if patching is blocked: restrict workflow creation/editing permissions to fully trusted users only via n8n's RBAC — remove this capability from service accounts and non-admin users.
  3. Switch to external runner mode (N8N_RUNNERS_MODE=external) to contain blast radius to the runner process rather than the full host.
  4. Audit n8n workflow change logs for suspicious JavaScript Code node modifications, especially those created by non-admin accounts.
  5. Rotate all credentials stored in n8n (AI API keys, DB passwords, webhook secrets, OAuth tokens) if you suspect any window of exploitation — treat stored credentials as compromised until confirmed otherwise.
  6. Network-segment n8n hosts: they should not have unrestricted outbound internet access or flat internal network access.
  7. Detection: monitor for unexpected outbound connections or process spawning from the n8n host process.

What systems are affected by CVE-2026-27495?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation platforms, AI orchestration layers, multi-agent systems, LLM integration pipelines, RAG pipelines.

What is the CVSS score for CVE-2026-27495?

CVE-2026-27495 has a CVSS v3.1 base score of 9.9 (CRITICAL). The EPSS exploitation probability is 0.60%.

What is the AI security impact?

Affected AI Architectures

  • agent frameworks
  • workflow automation platforms
  • AI orchestration layers
  • multi-agent systems
  • LLM integration pipelines
  • RAG pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.1.4, A.6.2.6, A.9.3
NIST AI RMF: GOVERN 1.2, GOVERN 6.2, MANAGE 2.2, MANAGE 2.4
OWASP LLM Top 10: LLM07, LLM08, LLM08:2025, LLM09:2025

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could exploit a vulnerability in the JavaScript Task Runner sandbox to execute arbitrary code outside the sandbox boundary. On instances using internal Task Runners (default runner mode), this could result in full compromise of the n8n host. On instances using external Task Runners, the attacker might gain access to or impact other tasks executed on the Task Runner. Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`. The issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: limit workflow creation and editing permissions to fully trusted users only, and/or use external runner mode (`N8N_RUNNERS_MODE=external`) to limit the blast radius. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An attacker with a low-privileged n8n account — obtained via credential stuffing, phishing a developer, or compromising a service account used by CI/CD — navigates to the workflow editor. They create or modify a workflow containing a JavaScript Code node and craft a payload exploiting CWE-94 in the Task Runner sandbox to execute arbitrary OS commands. With internal runner mode (default), this immediately yields RCE on the n8n host. The attacker then dumps the n8n environment variables and database, extracting API keys for OpenAI/Anthropic, database connection strings, OAuth tokens, and webhook secrets stored as workflow credentials. They establish persistence via a reverse shell, then pivot laterally through the internal network using n8n's pre-authorized connections to internal APIs, cloud storage, and databases — effectively inheriting all trust relationships the automation platform held. The attack is particularly dangerous in AI-heavy environments where n8n orchestrates LLM calls, RAG pipelines, and multi-agent workflows, as full compromise of the orchestration layer means full visibility and control over the entire AI automation stack.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
February 25, 2026
Last Modified
March 4, 2026
First Seen
February 25, 2026
