CVE-2026-27498: n8n: Code Injection enables RCE

HIGH
Published February 25, 2026
CISO Take

Any n8n deployment used as an AI workflow orchestrator is at risk of full host compromise via a low-privileged authenticated user. Patch immediately to 2.2.0 / 1.123.8 — if you can't patch, restrict workflow editing to a minimal set of fully trusted operators and blacklist the Read/Write Files node today. n8n commonly runs with broad network and filesystem access in AI pipeline environments, making RCE here a lateral-movement launchpad across your AI stack.

Risk Assessment

HIGH. CVSS 8.8 with network vector, low complexity, and only low privileges required collapses the bar for exploitation to any authenticated user with workflow permissions — a role routinely granted to developers, data engineers, and ops teams. No user interaction is required, meaning exploitation is fully automatable. AI/ML environments are particularly exposed because n8n is frequently deployed with elevated OS permissions to orchestrate model inference, data pipelines, and external API calls, giving a successful attacker privileged access to the host running sensitive AI workloads.

Affected Systems

Package Ecosystem Vulnerable Range Patched
n8n npm No patch

Severity & Risk

CVSS 3.1
8.8 / 10
EPSS
0.6%
chance of exploitation in 30 days
Higher than 69% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Advanced

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Recommended Action

6 steps
  1. PATCH

    Upgrade n8n to version 2.2.0 (latest branch) or 1.123.8 (LTS branch) immediately.

  2. WORKAROUND

    If patching is delayed, add n8n-nodes-base.readWriteFile to the NODES_EXCLUDE environment variable to disable the vulnerable node type.

  3. ACCESS CONTROL

    Audit and restrict workflow creation/editing permissions — treat this role as privileged. Remove it from generic developer/ops accounts.

  4. ISOLATION

    Run n8n in a container with read-only filesystem mounts where possible; limit network egress from the n8n host.

  5. SECRETS HYGIENE

    Rotate all API keys, model credentials, and database passwords stored in n8n workflow configurations post-incident if any unpatched instance was externally accessible.

  6. DETECTION

    Monitor for unexpected git process spawns from the n8n process tree (a git child of n8n or node), file writes to .git/config or git hook directories, and outbound shell connections from the n8n host.
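The detection logic of step 6 run over constructed telemetry, as an added example that is not part of the advisory or of n8n itself: it rebuilds the process tree from exec events and flags git launched under n8n, a shell launched by that git (hook execution), and writes to .git/config or .git/hooks/ from the n8n tree. The event shape (pid/ppid/exe/cmd/path) is an assumption standing in for an EDR or auditd execve/openat feed.

```python
import re

# Constructed sample events (not real logs), in the pid/ppid/exe/cmd/path shape
# assumed here; map your EDR or auditd execve/openat fields onto it.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 100, "ppid": 1, "exe": "/usr/bin/node", "cmd": "node /usr/local/bin/n8n start"},
    {"type": "write", "pid": 100, "path": "/data/repo/.git/hooks/post-checkout"},
    {"type": "write", "pid": 100, "path": "/data/repo/.git/config"},
    {"type": "write", "pid": 100, "path": "/data/files/report.csv"},
    {"type": "exec", "pid": 200, "ppid": 100, "exe": "/usr/bin/git", "cmd": "git pull"},
    {"type": "exec", "pid": 201, "ppid": 200, "exe": "/bin/sh", "cmd": "sh .git/hooks/post-checkout"},
    {"type": "exec", "pid": 300, "ppid": 1, "exe": "/usr/bin/bash", "cmd": "bash"},
    {"type": "exec", "pid": 301, "ppid": 300, "exe": "/usr/bin/git", "cmd": "git status"},
]

N8N_CMD = re.compile(r"\bn8n\b")                  # the orchestrator's own process
GIT_METADATA = re.compile(r"/\.git/(config$|hooks/)")
SHELLS = {"sh", "bash", "dash", "zsh"}

def build_procs(events):
    """pid -> exec event, so ancestry can be walked via ppid."""
    return {e["pid"]: e for e in events if e["type"] == "exec"}

def under_n8n(pid, procs):
    """True if pid itself or any ancestor is the n8n process."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        if N8N_CMD.search(procs[pid]["cmd"]):
            return True
        pid = procs[pid]["ppid"]
    return False

def basename(path):
    return path.rsplit("/", 1)[-1]

def detect(events):
    """Return (rule, pid, detail) alerts; only the n8n process tree is in scope."""
    procs = build_procs(events)
    alerts = []
    for e in events:
        if e["type"] == "exec" and under_n8n(e["ppid"], procs):
            parent = procs.get(e["ppid"], {})
            if basename(e["exe"]) == "git":
                alerts.append(("git-under-n8n", e["pid"], e["cmd"]))
            elif basename(e["exe"]) in SHELLS and basename(parent.get("exe", "")) == "git":
                alerts.append(("shell-spawned-by-git-under-n8n", e["pid"], e["cmd"]))
        elif e["type"] == "write" and GIT_METADATA.search(e["path"]) and under_n8n(e["pid"], procs):
            alerts.append(("git-metadata-write-by-n8n", e["pid"], e["path"]))
    return alerts
```

The unrelated git run under an operator's bash (pid 301) produces no alert, which is the point of scoping every rule to the n8n process tree rather than to git alone.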

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Art. 15 - Accuracy, Robustness and Cybersecurity
  Art. 9 - Risk Management System
ISO 42001
  A.10.1 - AI System Lifecycle — Security in AI system development
  A.6.1 - Organizational roles and responsibilities
  A.6.2 - AI System Design and Development — Access Control
  A.9.3 - AI System Security and Resilience
NIST AI RMF
  GOVERN 1.1 - Policies and procedures for AI risk management
  GOVERN 6.2 - Policies and Procedures for AI Risk Management
  MANAGE 2.2 - Mechanisms for managing AI risks are in place
  MANAGE 2.4 - Residual Risks Addressed — Mechanisms to Sustain AI System Integrity
OWASP LLM Top 10
  LLM03 - Supply Chain Vulnerabilities
  LLM06 - Excessive Agency
  LLM07 - Insecure Plugin Design
  LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-27498?

Any n8n deployment used as an AI workflow orchestrator is at risk of full host compromise via a low-privileged authenticated user. Patch immediately to 2.2.0 / 1.123.8 — if you can't patch, restrict workflow editing to a minimal set of fully trusted operators and blacklist the Read/Write Files node today. n8n commonly runs with broad network and filesystem access in AI pipeline environments, making RCE here a lateral-movement launchpad across your AI stack.

Is CVE-2026-27498 actively exploited?

No confirmed active exploitation of CVE-2026-27498 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-27498?

1. PATCH: Upgrade n8n to version 2.2.0 (latest branch) or 1.123.8 (LTS branch) immediately. 2. WORKAROUND if patching delayed: Add `n8n-nodes-base.readWriteFile` to the `NODES_EXCLUDE` environment variable to disable the vulnerable node type. 3. ACCESS CONTROL: Audit and restrict workflow creation/editing permissions — treat this role as privileged. Remove it from generic developer/ops accounts. 4. ISOLATION: Run n8n in a container with read-only filesystem mounts where possible; limit network egress from the n8n host. 5. SECRETS HYGIENE: Rotate all API keys, model credentials, and database passwords stored in n8n workflow configurations post-incident if any unpatched instance was externally accessible. 6. DETECTION: Monitor for unexpected git process spawns from n8n process tree (`git` child of `n8n` or `node`), file writes to `.git/config` or git hook directories, and outbound shell connections from the n8n host.

What systems are affected by CVE-2026-27498?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, LLM workflow orchestration, RAG pipelines, Model serving infrastructure, Training data pipelines, No-code/low-code AI automation platforms.

What is the CVSS score for CVE-2026-27498?

CVE-2026-27498 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.59%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to versions 2.2.0 and 1.123.8, an authenticated user with permission to create or modify workflows could chain the Read/Write Files from Disk node with git operations to achieve remote code execution. By writing to specific configuration files and then triggering a git operation, the attacker could execute arbitrary shell commands on the n8n host. The issue has been fixed in n8n versions 2.2.0 and 1.123.8. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Read/Write Files from Disk node by adding `n8n-nodes-base.readWriteFile` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
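An added check, not from the advisory or from n8n, that classifies a deployment for this CVE from its version and environment: patched on its own branch (the fix versions stated above, with anything newer treated as "or later"), mitigated by the NODES_EXCLUDE workaround only, or vulnerable. It assumes NODES_EXCLUDE is the JSON-array string that n8n's documentation describes and that version strings follow n8n's major.minor.patch scheme.

```python
import json

# Fix versions per release branch, from the advisory (1.x is the LTS branch).
FIXED = {1: (1, 123, 8), 2: (2, 2, 0)}
VULNERABLE_NODE = "n8n-nodes-base.readWriteFile"

def parse_version(v):
    """'1.123.7' -> (1, 123, 7, 1); a pre-release such as '2.2.0-rc.1' gets a
    trailing 0 so it sorts below the final 2.2.0 and is never counted as fixed."""
    core, _, pre = v.strip().lstrip("v").partition("-")
    nums = tuple(int(x) for x in core.split("."))
    nums += (0,) * (3 - len(nums))
    return nums + ((0 if pre else 1),)

def is_patched(version):
    """True when the version is at or above the fix for its own branch.
    A major version above the newest listed branch is treated as 'or later'."""
    ver = parse_version(version)
    if ver[0] > max(FIXED):
        return True
    fixed = FIXED.get(ver[0])            # 0.x and unknown branches: not patched
    return fixed is not None and ver >= fixed + (1,)

def node_excluded(env):
    """True if NODES_EXCLUDE (assumed to be the JSON array string n8n documents)
    lists the Read/Write Files node. Unparsable values count as no exclusion,
    so the check fails closed."""
    raw = env.get("NODES_EXCLUDE", "")
    try:
        excluded = json.loads(raw) if raw else []
    except ValueError:
        return False
    return isinstance(excluded, list) and VULNERABLE_NODE in excluded

def assess(version, env):
    """'patched', 'mitigated' (workaround only; still upgrade) or 'vulnerable'."""
    if is_patched(version):
        return "patched"
    if node_excluded(env):
        return "mitigated"
    return "vulnerable"
```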

Exploitation Scenario

An attacker with a compromised developer account (or a malicious insider) logs into the n8n UI with standard workflow-editor permissions. They create a new workflow containing a Write File node that writes a malicious script to a git hook path (e.g., `.git/hooks/post-checkout`) or patches `.git/config` with a malicious `core.sshCommand` value. They then add a downstream node that triggers a git pull or git checkout operation on a repository the n8n process has access to. When the workflow runs, git executes the attacker-controlled hook, spawning a reverse shell or downloading a second-stage implant. From this foothold, the attacker pivots to exfiltrate LLM API keys, model weights, training datasets, and downstream database credentials embedded in other workflows — all without any elevated initial access.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
February 25, 2026
Last Modified
March 4, 2026
First Seen
February 25, 2026
