CVE-2026-27498: n8n: Code Injection enables RCE
HIGH
Any n8n deployment used as an AI workflow orchestrator is at risk of full host compromise via a low-privileged authenticated user. Patch immediately to 2.2.0 / 1.123.8. If you can't patch, restrict workflow editing to a minimal set of fully trusted operators and disable the Read/Write Files from Disk node today; the vendor notes that these workarounds do not fully remediate the risk. n8n commonly runs with broad network and filesystem access in AI pipeline environments, making RCE here a lateral-movement launchpad across your AI stack.
What is the risk?
HIGH. CVSS 8.8 with network vector, low complexity, and only low privileges required collapses the bar for exploitation to any authenticated user with workflow permissions — a role routinely granted to developers, data engineers, and ops teams. No user interaction is required, meaning exploitation is fully automatable. AI/ML environments are particularly exposed because n8n is frequently deployed with elevated OS permissions to orchestrate model inference, data pipelines, and external API calls, giving a successful attacker privileged access to the host running sensitive AI workloads.
What should I do?
6 steps
1. PATCH: Upgrade n8n to version 2.2.0 (latest branch) or 1.123.8 (LTS branch) immediately.
2. WORKAROUND if patching is delayed: Add `n8n-nodes-base.readWriteFile` to the `NODES_EXCLUDE` environment variable to disable the vulnerable node type. The vendor advisory notes that this does not fully remediate the risk; use it only as a short-term measure.
3. ACCESS CONTROL: Audit and restrict workflow creation/editing permissions and treat this role as privileged. Remove it from generic developer/ops accounts.
4. ISOLATION: Run n8n in a container with read-only filesystem mounts where possible; limit network egress from the n8n host.
5. SECRETS HYGIENE: Rotate all API keys, model credentials, and database passwords stored in n8n workflow configurations if any unpatched instance was externally accessible or editable by accounts you do not fully trust.
6. DETECTION: Monitor for unexpected git process spawns in the n8n process tree (`git` as a child of `n8n` or `node`), file writes to `.git/config` or git hook directories (`.git/hooks/`), and outbound shell connections from the n8n host.
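To turn the patch and workaround steps above into something you can run against an inventory, here is an added example (not code from n8n or from the advisory). It decides whether a reported version is still affected on its branch, and it builds the `NODES_EXCLUDE` value, which n8n reads as a JSON array of node type names, without clobbering nodes that are already excluded. The `N8N_VERSION` variable read in `main()` is an assumption for this demo, not something n8n sets.

```python
"""Triage helper for CVE-2026-27498: is this n8n version still affected, and
what should NODES_EXCLUDE contain while the upgrade is pending?

Added example for this page, not code from n8n or the advisory. Facts it
relies on: the fix shipped in 2.2.0 (latest branch) and 1.123.8 (LTS
branch); n8n reads NODES_EXCLUDE as a JSON array of node type names, so
'["n8n-nodes-base.readWriteFile"]' disables the Read/Write Files from Disk
node. The environment variable N8N_VERSION used in main() is an assumption
for this demo, not something n8n sets.
"""
import json
import os
import re
from typing import List, Optional, Tuple

READ_WRITE_FILE_NODE = "n8n-nodes-base.readWriteFile"
# First fixed release on each supported major branch.
FIXED = {1: (1, 123, 8), 2: (2, 2, 0)}

_VERSION_RE = re.compile(r"(?:n8n@|v)?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(version: str) -> Tuple[int, int, int, str]:
    """Accept '1.123.7', 'n8n@1.123.7' or 'v2.2.0-rc.1'; return (major, minor, patch, prerelease)."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version: {version!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre or ""


def is_vulnerable(version: str) -> bool:
    """True if the version predates the fix on its branch.

    Pre-releases (2.2.0-rc.1) sort before the final release in semver and
    are treated as unfixed; 0.x predates both fixed releases; majors newer
    than 2 are assumed to carry the fix forward.
    """
    major, minor, patch, pre = parse_version(version)
    if major < 1:
        return True
    if major > 2:
        return False
    base = (major, minor, patch)
    return base <= FIXED[major] if pre else base < FIXED[major]


def excluded_nodes(value: Optional[str]) -> List[str]:
    """Decode an existing NODES_EXCLUDE value; unset or empty means no exclusions."""
    if value is None or not value.strip():
        return []
    loaded = json.loads(value)
    if not isinstance(loaded, list) or not all(isinstance(n, str) for n in loaded):
        raise ValueError("NODES_EXCLUDE must be a JSON array of node type strings")
    return loaded


def nodes_exclude_value(current: Optional[str], *extra: str) -> str:
    """Return a NODES_EXCLUDE value that keeps every node already excluded and
    adds the Read/Write Files node (plus any extra node types given)."""
    nodes = excluded_nodes(current)
    for node in (READ_WRITE_FILE_NODE, *extra):
        if node not in nodes:
            nodes.append(node)
    return json.dumps(nodes)


if __name__ == "__main__":
    version = os.environ.get("N8N_VERSION", "1.123.7")  # demo input (assumption)
    if is_vulnerable(version):
        print(f"n8n {version}: VULNERABLE, upgrade to 2.2.0 or 1.123.8")
        value = nodes_exclude_value(os.environ.get("NODES_EXCLUDE"))
        print("Interim workaround until upgraded:")
        print(f"  export NODES_EXCLUDE='{value}'")
    else:
        print(f"n8n {version}: fixed")
```

The merge step matters in practice: setting `NODES_EXCLUDE` to a bare single-element array silently re-enables any node an operator had already excluded, which is the kind of regression that goes unnoticed until the next incident.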
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-27498 actively exploited?
No confirmed active exploitation of CVE-2026-27498 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-27498?
1. PATCH: Upgrade n8n to version 2.2.0 (latest branch) or 1.123.8 (LTS branch) immediately. 2. WORKAROUND if patching delayed: Add `n8n-nodes-base.readWriteFile` to the `NODES_EXCLUDE` environment variable to disable the vulnerable node type. 3. ACCESS CONTROL: Audit and restrict workflow creation/editing permissions — treat this role as privileged. Remove it from generic developer/ops accounts. 4. ISOLATION: Run n8n in a container with read-only filesystem mounts where possible; limit network egress from the n8n host. 5. SECRETS HYGIENE: Rotate all API keys, model credentials, and database passwords stored in n8n workflow configurations post-incident if any unpatched instance was externally accessible. 6. DETECTION: Monitor for unexpected git process spawns from n8n process tree (`git` child of `n8n` or `node`), file writes to `.git/config` or git hook directories, and outbound shell connections from the n8n host.
What systems are affected by CVE-2026-27498?
This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, LLM workflow orchestration, RAG pipelines, Model serving infrastructure, Training data pipelines, No-code/low-code AI automation platforms.
What is the CVSS score for CVE-2026-27498?
CVE-2026-27498 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.72%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0049 Exploit Public-Facing Application
- AML.T0050 Command and Scripting Interpreter
- AML.T0053 AI Agent Tool Invocation
- AML.T0072 Reverse Shell
- AML.T0081 Modify AI Agent Configuration
- AML.T0083 Credentials from AI Agent Configuration
- AML.T0085 Data from AI Services
- AML.T0086 Exfiltration via AI Agent Tool Invocation
- AML.T0101 Data Destruction via AI Agent Tool Invocation
What are the technical details?
Original Advisory
n8n is an open source workflow automation platform. Prior to versions 2.2.0 and 1.123.8, an authenticated user with permission to create or modify workflows could chain the Read/Write Files from Disk node with git operations to achieve remote code execution. By writing to specific configuration files and then triggering a git operation, the attacker could execute arbitrary shell commands on the n8n host. The issue has been fixed in n8n versions 2.2.0 and 1.123.8. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Read/Write Files from Disk node by adding `n8n-nodes-base.readWriteFile` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Exploitation Scenario
An attacker with a compromised developer account (or a malicious insider) logs into the n8n UI with standard workflow-editor permissions. They create a workflow in which the Read/Write Files from Disk node writes a malicious script to a git hook path (e.g., `.git/hooks/post-checkout`) or patches `.git/config` with a malicious `core.sshCommand` value. A downstream node then runs a git operation against a repository the n8n process can reach: a checkout or clone fires `post-checkout`, while `core.sshCommand` runs whenever git contacts an ssh remote, for example on a pull or fetch. When the workflow runs, git executes the attacker-controlled command as the n8n process's user, spawning a reverse shell or downloading a second-stage implant. From this foothold, the attacker pivots to exfiltrate LLM API keys, model weights, training datasets, and downstream database credentials embedded in other workflows, all without any elevated initial access.
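The chain in this scenario leaves exactly the telemetry that the DETECTION step under "What should I do?" asks you to watch: a `git` process inside the n8n tree, writes to `.git/config` or `.git/hooks/` from that tree, and a shell started by a git hook. The following is an added example, not code from the advisory or the n8n project, that applies those indicators to a constructed stream of process-exec and file-write events. The event field names (`type`, `pid`, `ppid`, `comm`, `cmdline`, `path`) and the sample events are made up here; map your EDR, auditd or eBPF sensor fields onto them. `N8N_IMAGES` is an assumption: n8n normally runs as the `node` runtime or as an `n8n` binary, so any process with one of those names in its ancestry is treated as part of the n8n tree.

```python
"""Host-side detection for the CVE-2026-27498 chain: a git process under n8n,
writes to .git/config or .git/hooks/ from the n8n tree, and a shell started
by a git hook inside that tree.

Added example for this page, not advisory or n8n project code. The event
shape (JSON lines with type/pid/ppid/comm/cmdline/path) and the sample
events are constructed here; map your EDR, auditd or eBPF sensor fields
onto them. N8N_IMAGES is an assumption: n8n normally runs as the `node`
runtime or an `n8n` binary, so any process whose ancestry contains one of
those names is treated as part of the n8n tree.
"""
import json
import re
from typing import Dict, Iterable, List

N8N_IMAGES = {"n8n", "node"}
SHELLS = {"sh", "bash", "dash", "zsh"}
# .git/config (core.sshCommand lives there) or anything under .git/hooks/
GIT_CONFIG_OR_HOOK = re.compile(r"(^|/)\.git/(config$|hooks/)")

# Constructed sample telemetry. pid 100 is the n8n main process, 1200 a
# worker it spawned; 2000 is an unrelated git run outside the n8n tree.
SAMPLE_EVENTS = [
    '{"type":"exec","pid":100,"ppid":1,"comm":"node","cmdline":"node /usr/local/bin/n8n start"}',
    '{"type":"exec","pid":1200,"ppid":100,"comm":"node","cmdline":"node /usr/local/bin/n8n worker"}',
    '{"type":"file_write","pid":1200,"path":"/data/repos/pipeline/.git/hooks/post-checkout"}',
    '{"type":"file_write","pid":1200,"path":"/data/repos/pipeline/.git/config"}',
    '{"type":"file_write","pid":1200,"path":"/data/out/embeddings.json"}',
    '{"type":"exec","pid":1300,"ppid":1200,"comm":"git","cmdline":"git -C /data/repos/pipeline checkout main"}',
    '{"type":"exec","pid":1301,"ppid":1300,"comm":"sh","cmdline":"sh .git/hooks/post-checkout"}',
    '{"type":"exec","pid":1302,"ppid":1301,"comm":"bash","cmdline":"bash -i"}',
    '{"type":"exec","pid":2000,"ppid":1,"comm":"git","cmdline":"git -C /srv/app pull"}',
]


class ProcessTree:
    """pid -> (ppid, comm), built from exec events in arrival order."""

    def __init__(self) -> None:
        self.parent: Dict[int, int] = {}
        self.comm: Dict[int, str] = {}

    def add(self, pid: int, ppid: int, comm: str) -> None:
        self.parent[pid] = ppid
        self.comm[pid] = comm

    def ancestry(self, pid: int) -> List[str]:
        """Image names from pid upward; stops at the first pid never seen exec'ing."""
        chain: List[str] = []
        seen = set()
        while pid in self.comm and pid not in seen:
            seen.add(pid)
            chain.append(self.comm[pid])
            pid = self.parent[pid]
        return chain

    def in_n8n_tree(self, pid: int) -> bool:
        return any(name in N8N_IMAGES for name in self.ancestry(pid))


def detect(lines: Iterable[str]) -> List[dict]:
    """Return one alert dict (rule, pid, detail) per matching event."""
    tree = ProcessTree()
    alerts: List[dict] = []
    for line in lines:
        ev = json.loads(line)
        pid = ev["pid"]
        if ev["type"] == "exec":
            tree.add(pid, ev["ppid"], ev["comm"])
            if not tree.in_n8n_tree(pid):
                continue
            chain = tree.ancestry(pid)
            if ev["comm"] == "git":
                alerts.append({"rule": "git_under_n8n", "pid": pid, "detail": ev["cmdline"]})
            elif ev["comm"] in SHELLS and "git" in chain[1:]:
                # a shell whose ancestor is git inside the n8n tree: hook execution
                alerts.append({"rule": "shell_from_git_hook", "pid": pid, "detail": ev["cmdline"]})
        elif ev["type"] == "file_write":
            if tree.in_n8n_tree(pid) and GIT_CONFIG_OR_HOOK.search(ev["path"]):
                alerts.append({"rule": "git_hook_or_config_write", "pid": pid, "detail": ev["path"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'[{a["rule"]}] pid={a["pid"]} {a["detail"]}')
```

Expect `git_under_n8n` to fire on every legitimate use of the Git node, so baseline it per workflow before paging on it; `git_hook_or_config_write` and `shell_from_git_hook` are the high-signal rules, since normal workflows have no reason to touch `.git/config` or `.git/hooks/`, and a git hook that spawns an interactive shell is never benign.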
Weaknesses (CWE)
CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
- [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
- github.com/n8n-io/n8n/commit/97365caf253978ba8e46d7bc53fa7ac3b6f67b32 Patch
- github.com/n8n-io/n8n/commit/e22acaab3dcb2004e5fe0bf9ef2db975bde61866 Patch
- github.com/n8n-io/n8n/releases/tag/n8n@1.123.8 Release
- github.com/n8n-io/n8n/releases/tag/n8n@2.2.0 Release
- github.com/n8n-io/n8n/security/advisories/GHSA-x2mw-7j39-93xq Vendor
Related Vulnerabilities
- CVE-2026-33663 10.0 n8n: member role steals plaintext HTTP credentials (same package: n8n)
- CVE-2026-33660 10.0 TensorFlow: type confusion NPD in tensor conversion (same package: n8n)
- CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation (same package: n8n)
- CVE-2026-27577 9.9 n8n: Code Injection enables RCE (same package: n8n)
- CVE-2026-27494 9.9 n8n: security flaw enables exploitation (same package: n8n)