CVE-2026-27497: n8n: SQL Injection exposes database

HIGH
Published February 25, 2026
CISO Take

CVE-2026-27497 is a high-severity RCE in n8n, one of the most widely used AI workflow orchestration platforms. Any authenticated user with workflow editing rights can execute arbitrary code on the n8n server, gaining full control of your AI automation infrastructure and all stored credentials. Patch to 2.10.1/2.9.3/1.123.22 immediately — and treat every n8n instance as potentially compromised until you do.

Risk Assessment

HIGH. CVSS 8.8: network-accessible attack vector, low complexity, low privileges required, no user interaction. n8n deployments are typically wired to LLM APIs, vector databases, SaaS platforms, and internal systems, which makes the blast radius exceptionally wide. The dual CWE-89 (SQL injection) and CWE-94 (code injection) classifications mean multiple exploitation paths exist within the same node. The insider threat surface is material: any developer or analyst with workflow access is a potential adversary, and the attack blends into legitimate workflow execution logs.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
n8n       npm         (not given)        No patch

Package stats: 186.5K, OpenSSF score 6.0, 16 dependents, pushed 6d ago, 40% patched, ~3d to patch

Severity & Risk

CVSS 3.1:            8.8 / 10
EPSS:                0.1% chance of exploitation in 30 days (higher than 23% of all CVEs)
Exploitation Status: No known exploitation
Sophistication:      Advanced

Attack Surface

Metric                    Value
AV (Attack Vector)        Network
AC (Attack Complexity)    Low
PR (Privileges Required)  Low
UI (User Interaction)     None
S (Scope)                 Unchanged
C (Confidentiality)       High
I (Integrity)             High
A (Availability)          High

Recommended Action

6 steps
  1. PATCH IMMEDIATELY

    Upgrade to n8n 2.10.1, 2.9.3, or 1.123.22.

  2. TEMPORARY WORKAROUND (if patching is delayed)

    Add 'n8n-nodes-base.merge' to the NODES_EXCLUDE environment variable to disable the vulnerable node.

  3. RESTRICT PERMISSIONS

    Treat workflow creation/editing as an administrative privilege — lock it down to fully trusted users only.

  4. AUDIT EXISTING WORKFLOWS

    Review all workflows for Merge nodes with suspicious SQL payloads before and after patching.

  5. ROTATE CREDENTIALS

    After patching, rotate all API keys and service credentials stored in n8n — LLM provider keys, database credentials, cloud tokens.

  6. DETECTION

    Monitor for unexpected process spawns, file writes outside the n8n data directory, and anomalous outbound connections from the n8n process. Alert on Merge node executions containing SQL-like payloads.
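Steps 2 and 4 can be scripted against n8n workflow exports so that the workaround is verified and every Merge node is surfaced for review rather than found by hand. The block below is an added example written for this page, not n8n project code. It assumes three things the page does not state: that a workflow export is JSON with a top-level "nodes" list whose entries carry "name", "type" and "parameters"; that the Merge node's SQL query mode is the parameter value "combineBySql" with the statement held in "query"; and that n8n reads NODES_EXCLUDE as a JSON-encoded array of node type names. The sample workflow inside the block is constructed.

```python
"""Defender-side checks for the CVE-2026-27497 mitigations listed above.

Added example, not n8n project code. Assumptions (not stated on the page):
  * workflow exports are JSON with a top-level "nodes" list, each node
    carrying "name", "type" and "parameters";
  * the Merge node's SQL query mode is parameters.mode == "combineBySql"
    and the statement lives in parameters.query;
  * n8n reads NODES_EXCLUDE as a JSON-encoded array of node type names.
"""
import json
import re
from typing import Dict, List, Optional

MERGE_NODE_TYPE = "n8n-nodes-base.merge"   # node type named in the advisory
SQL_MODE = "combineBySql"                  # assumed value for "SQL Query" mode

# A Merge node query is expected to be a single read-only SELECT over the
# node's inputs; anything else is worth a human look during the audit.
NON_SELECT = re.compile(r"^\s*(?!select\b)\w+", re.IGNORECASE)
MULTI_STATEMENT = re.compile(r";\s*\S")


def audit_workflow(workflow: Dict) -> List[Dict]:
    """Return one finding per Merge node; 'reasons' is empty when nothing stands out."""
    findings = []
    for node in workflow.get("nodes", []):
        if node.get("type") != MERGE_NODE_TYPE:
            continue
        params = node.get("parameters", {}) or {}
        finding = {
            "workflow": workflow.get("name", "<unnamed>"),
            "node": node.get("name", "<unnamed>"),
            "sql_mode": params.get("mode") == SQL_MODE,
            "reasons": [],
        }
        if finding["sql_mode"]:
            query = params.get("query", "") or ""
            # Every SQL-mode Merge node is review-worthy until the patch is in.
            finding["reasons"].append("merge node uses SQL query mode")
            if NON_SELECT.match(query):
                finding["reasons"].append("query does not start with SELECT")
            if MULTI_STATEMENT.search(query):
                finding["reasons"].append("query contains multiple statements")
            if "{{" in query:
                # n8n expressions make the statement depend on upstream data.
                finding["reasons"].append("query built from expressions")
        findings.append(finding)
    return findings


def merge_node_excluded(nodes_exclude_env: Optional[str]) -> bool:
    """True if the NODES_EXCLUDE value (a JSON array string) already disables the Merge node."""
    if not nodes_exclude_env:
        return False
    try:
        excluded = json.loads(nodes_exclude_env)
    except json.JSONDecodeError:
        return False
    return isinstance(excluded, list) and MERGE_NODE_TYPE in excluded


def nodes_exclude_with_merge(nodes_exclude_env: Optional[str]) -> str:
    """Return a NODES_EXCLUDE value that keeps existing exclusions and adds the Merge node."""
    existing: List[str] = []
    if nodes_exclude_env:
        try:
            parsed = json.loads(nodes_exclude_env)
            if isinstance(parsed, list):
                existing = [str(x) for x in parsed]
        except json.JSONDecodeError:
            pass  # unparseable value: rebuild it from scratch
    if MERGE_NODE_TYPE not in existing:
        existing.append(MERGE_NODE_TYPE)
    return json.dumps(existing)


# Constructed sample export: one Merge node in append mode, two in SQL mode.
SAMPLE_WORKFLOW = {
    "name": "sync-crm-to-vector-db",
    "nodes": [
        {"name": "Merge", "type": MERGE_NODE_TYPE,
         "parameters": {"mode": "append"}},
        {"name": "Merge1", "type": MERGE_NODE_TYPE,
         "parameters": {"mode": SQL_MODE,
                        "query": "SELECT * FROM input1 LEFT JOIN input2 ON input1.id = input2.id"}},
        {"name": "Merge2", "type": MERGE_NODE_TYPE,
         "parameters": {"mode": SQL_MODE,
                        "query": "SELECT * FROM input1; {{ $json.query }}"}},
        {"name": "HTTP Request", "type": "n8n-nodes-base.httpRequest",
         "parameters": {}},
    ],
}

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        flag = "REVIEW" if f["reasons"] else "ok"
        print(f"[{flag}] {f['workflow']} / {f['node']}: {'; '.join(f['reasons'])}")
    print("NODES_EXCLUDE should be:",
          nodes_exclude_with_merge('["n8n-nodes-base.executeCommand"]'))
```

Run `audit_workflow` over every exported workflow (the n8n CLI's `export:workflow` command writes the JSON this expects) both before and after patching, as step 4 asks, and use `merge_node_excluded` against the running container's environment to confirm the step 2 workaround actually took effect rather than trusting that it was set. The heuristics deliberately err toward flagging: with the node disabled as the interim measure, any SQL-mode Merge node is a candidate for rework, not just the ones that look odd.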

CISA SSVC Assessment

Decision:         Track
Exploitation:     none
Automatable:      No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  - Art.15 - Accuracy, robustness and cybersecurity
  - Article 15 - Accuracy, robustness and cybersecurity
  - Article 9 - Risk management system
ISO 42001
  - A.6.2.5 - AI system security and safety risks
  - A.8.4 - AI system security
  - A.9.3 - Control of AI system inputs
  - A.9.4 - Access control for AI systems
NIST AI RMF
  - GOVERN 1.2 - Accountability for AI risk management
  - GOVERN-1.4 - Organizational policies for AI risk
  - MANAGE 2.2 - Mechanisms to respond to identified risks
  - MANAGE-2.2 - Mechanisms to sustain the value of deployed AI
OWASP LLM Top 10
  - LLM07:2023 - Insecure Plugin Design
  - LLM07:2025 - System Prompt Leakage
  - LLM08:2023 - Excessive Agency
  - LLM08:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-27497?

CVE-2026-27497 is a high-severity RCE in n8n, one of the most widely used AI workflow orchestration platforms. Any authenticated user with workflow editing rights can execute arbitrary code on the n8n server, gaining full control of your AI automation infrastructure and all stored credentials. Patch to 2.10.1/2.9.3/1.123.22 immediately — and treat every n8n instance as potentially compromised until you do.

Is CVE-2026-27497 actively exploited?

No confirmed active exploitation of CVE-2026-27497 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-27497?

  1. PATCH IMMEDIATELY: Upgrade to n8n 2.10.1, 2.9.3, or 1.123.22.
  2. TEMPORARY WORKAROUND (if patching is delayed): Add 'n8n-nodes-base.merge' to the NODES_EXCLUDE environment variable to disable the vulnerable node.
  3. RESTRICT PERMISSIONS: Treat workflow creation/editing as an administrative privilege, locked down to fully trusted users only.
  4. AUDIT EXISTING WORKFLOWS: Review all workflows for Merge nodes with suspicious SQL payloads before and after patching.
  5. ROTATE CREDENTIALS: After patching, rotate all API keys and service credentials stored in n8n: LLM provider keys, database credentials, cloud tokens.
  6. DETECTION: Monitor for unexpected process spawns, file writes outside the n8n data directory, and anomalous outbound connections from the n8n process. Alert on Merge node executions containing SQL-like payloads.

What systems are affected by CVE-2026-27497?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow orchestration platforms, RAG pipelines, LLM integration layers, multi-agent systems, AI automation pipelines.

What is the CVSS score for CVE-2026-27497?

CVE-2026-27497 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.08%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could leverage the Merge node's SQL query mode to execute arbitrary code and write arbitrary files on the n8n server. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An insider or compromised developer account with workflow editing rights in n8n creates a new workflow containing a Merge node in SQL query mode. The attacker crafts a payload exploiting CWE-89/CWE-94 to achieve server-side code execution, writing a web shell or spawning a reverse shell. Once on the server, they harvest all n8n-stored credentials: LLM API keys (OpenAI, Anthropic), vector database connections, cloud provider tokens, internal database credentials. These are used to pivot: querying LLMs with exfiltrated proprietary data, poisoning RAG databases, or deploying rogue AI agent workflows that persist under legitimate service accounts. The attack is inherently stealthy because the workflow execution log records it as normal n8n activity.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
February 25, 2026
Last Modified
March 4, 2026
First Seen
February 25, 2026

Related Vulnerabilities