CVE-2026-27577: n8n: Code Injection enables RCE

CRITICAL
Published February 25, 2026
CISO Take

CVE-2026-27577 is a critical RCE in n8n's expression evaluation engine (CVSS 9.9) that allows any authenticated user with workflow edit rights to execute arbitrary OS commands on the n8n host. If your AI agent infrastructure or automation pipelines run on n8n, patch immediately to 2.10.1, 2.9.3, or 1.123.22 — no exceptions. Exposure is especially severe for organizations using n8n to orchestrate LLM workflows, as compromising the automation host yields full control over agent tool invocations, stored AI API keys, and all downstream systems.

What is the risk?

CRITICAL. CVSS 9.9 reflects network reachability, low attack complexity, low privilege requirement, and scope change to the underlying host (S:C). The 'PR:L' vector means any authenticated n8n user — including trial accounts, external contractors, or compromised credentials — can trigger RCE without further escalation. Blast radius extends well beyond n8n itself: the host typically holds AI API keys (OpenAI, Anthropic, etc.), database credentials, webhook secrets, and network access to internal services. This is a follow-on to CVE-2025-68613, indicating the expression evaluation engine has systemic sandbox evasion weaknesses, not a one-off bug.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
n8n npm No patch

How severe is it?

CVSS 3.1: 9.9 / 10
EPSS: 10.2% chance of exploitation in 30 days (higher than 95% of all CVEs)
Exploitation Status: Exploit Possible
Exploitation: LOW
Sophistication: Advanced
Exploitation Confidence: low
EPSS exploit prediction: 10%

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

  1. PATCH NOW

    Upgrade to n8n 2.10.1, 2.9.3, or 1.123.22 — these fix all known expression injection chains including the predecessor CVE-2025-68613.

  2. AUDIT PERMISSIONS IMMEDIATELY

    Restrict workflow create/edit rights to fully trusted users only; revoke access from contractors, test accounts, and any non-essential identities.

  3. ROTATE ALL CREDENTIALS

    After patching, rotate every credential stored in n8n (AI API keys, database passwords, webhook secrets, OAuth tokens).

  4. HARDEN RUNTIME

    Run n8n in a container with dropped Linux capabilities, read-only root filesystem where possible, and egress network filtering limited to required endpoints only.

  5. DETECT EXPLOITATION

    Enable process-level auditing (auditd or eBPF) on the n8n host to detect unexpected child process spawning from the n8n process. Review n8n audit logs for unusual expression patterns or workflow modifications by non-admin users.

  6. VULNERABILITY SCAN

    If patching is delayed, deploy a WAF rule blocking known expression injection patterns as a temporary (not sufficient) control.
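As an added, defender-side illustration of step 5 (this is not code from the page or from the n8n project): a small Python detector that joins auditd SYSCALL and EXECVE records by serial and flags every process spawned by the n8n process, or by any of its descendants, whose executable is not on an allowlist. The audit rule, the n8n pid 4242, the executable paths and the log lines are constructed assumptions.

```python
import re

# Constructed auditd records (not real logs), assuming an audit rule such as
#   -a always,exit -F arch=b64 -S execve -k proc_exec
# and n8n running as "node" with pid 4242. Args with spaces would be hex-encoded by auditd.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1740480000.101:301): arch=c000003e syscall=59 success=yes exit=0 ppid=4242 pid=5101 uid=1000 comm="sh" exe="/usr/bin/dash" key="proc_exec"
type=EXECVE msg=audit(1740480000.101:301): argc=3 a0="/bin/sh" a1="-c" a2="id"
type=SYSCALL msg=audit(1740480000.150:302): arch=c000003e syscall=59 success=yes exit=0 ppid=5101 pid=5103 uid=1000 comm="id" exe="/usr/bin/id" key="proc_exec"
type=EXECVE msg=audit(1740480000.150:302): argc=1 a0="id"
type=SYSCALL msg=audit(1740480000.205:303): arch=c000003e syscall=59 success=yes exit=0 ppid=4242 pid=5104 uid=1000 comm="node" exe="/usr/local/bin/node" key="proc_exec"
type=EXECVE msg=audit(1740480000.205:303): argc=2 a0="node" a1="worker.js"
type=SYSCALL msg=audit(1740480000.300:304): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=5105 uid=0 comm="run-parts" exe="/usr/bin/run-parts" key="proc_exec"
type=EXECVE msg=audit(1740480000.300:304): argc=2 a0="run-parts" a1="/etc/cron.hourly"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_audit(log_text):
    """Join SYSCALL and EXECVE lines that share an audit serial into one event."""
    events = {}
    for line in log_text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if "msg" not in fields:
            continue
        serial = int(fields["msg"].split(":")[1].rstrip(")"))   # msg=audit(ts:serial):
        ev = events.setdefault(serial, {"argv": []})
        if fields.get("type") == "SYSCALL":
            ev.update(pid=int(fields["pid"]), ppid=int(fields["ppid"]), exe=fields["exe"])
        elif fields.get("type") == "EXECVE":
            ev["argv"] = [fields[f"a{i}"] for i in range(int(fields["argc"]))]
    return events


def detect_unexpected_children(log_text, n8n_pids, allowed_exes):
    """Flag execve events whose parent is n8n or anything n8n spawned, unless the
    executable is allowlisted; serial order lets sh -> id be traced back to n8n."""
    tainted = set(n8n_pids)
    alerts = []
    for serial, ev in sorted(parse_audit(log_text).items()):
        if "pid" in ev and ev["ppid"] in tainted:
            tainted.add(ev["pid"])
            if ev["exe"] not in allowed_exes:
                alerts.append({"serial": serial, "pid": ev["pid"], "exe": ev["exe"], "argv": ev["argv"]})
    return alerts


if __name__ == "__main__":
    for a in detect_unexpected_children(SAMPLE_AUDIT_LOG, {4242}, {"/usr/local/bin/node"}):
        print(f"ALERT serial={a['serial']} pid={a['pid']} exe={a['exe']} argv={a['argv']}")
```

On a real host the n8n pid set would be taken from the process table and refreshed on restart, and the allowlist should contain only the executables n8n legitimately launches in your deployment.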

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Article 15 - Accuracy, robustness and cybersecurity
  • Article 9 - Risk management system

ISO 42001
  • A.6.2.5 - AI system security testing
  • A.6.2.6 - AI system security — vulnerability management
  • A.8.4 - Access control to AI systems
  • A.9.3 - AI supply chain security

NIST AI RMF
  • GOVERN 1.2 - Policies and procedures for AI risk management
  • GOVERN 1.7 - Processes and procedures are in place for decommissioning AI systems
  • MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
  • MANAGE 3.1 - Risks are prioritized based on impact

OWASP LLM Top 10
  • LLM07 - Insecure Plugin Design
  • LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-27577 actively exploited?

No confirmed active exploitation of CVE-2026-27577 has been reported, but organizations should still patch proactively.

What is the CVSS score for CVE-2026-27577?

CVE-2026-27577 has a CVSS v3.1 base score of 9.9 (CRITICAL). The EPSS exploitation probability is 10.16%.

What is the AI security impact?

Affected AI Architectures

  • AI agent frameworks
  • LLM workflow orchestration platforms
  • agentic AI automation infrastructure
  • AI tool integration layers
  • enterprise AI pipeline automation (n8n-based)
  • multi-model AI workflow systems

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0055 Unsecured Credentials
AML.T0072 Reverse Shell
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2.5, A.6.2.6, A.8.4, A.9.3
NIST AI RMF: GOVERN 1.2, GOVERN 1.7, MANAGE 2.2, MANAGE 3.1
OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613. An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An adversary compromises a low-privilege n8n account via credential stuffing, phishing, or an insider threat. They create or modify a workflow and embed a crafted expression in a workflow parameter — for example, inside a Code node or a data transformation field — that calls the host's command execution interface to spawn a reverse shell. Because expression evaluation runs under the n8n process's OS privileges without adequate sandboxing, the attacker immediately gains code execution on the host. From that foothold, they extract environment variables and n8n's credential store to harvest all AI API keys and service credentials, then pivot: they can issue malicious LLM API calls, exfiltrate connected RAG databases, inject poisoned workflow steps that persist into production AI automation pipelines trusted by other users and downstream systems, or use the n8n host as a pivot into the internal network.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Timeline

Published: February 25, 2026
Last Modified: March 4, 2026
First Seen: February 25, 2026
