CVE-2026-27577: n8n: Code Injection enables RCE

CRITICAL
Published February 25, 2026
CISO Take

CVE-2026-27577 is a critical RCE in n8n's expression evaluation engine (CVSS 9.9) that allows any authenticated user with workflow edit rights to execute arbitrary OS commands on the n8n host. If your AI agent infrastructure or automation pipelines run on n8n, patch immediately to 2.10.1, 2.9.3, or 1.123.22 — no exceptions. Exposure is especially severe for organizations using n8n to orchestrate LLM workflows, as compromising the automation host yields full control over agent tool invocations, stored AI API keys, and all downstream systems.

Risk Assessment

CRITICAL. CVSS 9.9 reflects network reachability, low attack complexity, low privilege requirement, and scope change to the underlying host (S:C). The 'PR:L' vector means any authenticated n8n user — including trial accounts, external contractors, or compromised credentials — can trigger RCE without further escalation. Blast radius extends well beyond n8n itself: the host typically holds AI API keys (OpenAI, Anthropic, etc.), database credentials, webhook secrets, and network access to internal services. This is a follow-on to CVE-2025-68613, indicating the expression evaluation engine has systemic sandbox evasion weaknesses, not a one-off bug.

Affected Systems

Package Ecosystem Vulnerable Range Patched
n8n npm No patch

Severity & Risk

CVSS 3.1
9.9 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 39% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Advanced

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Recommended Action

  1. PATCH NOW

    Upgrade to n8n 2.10.1, 2.9.3, or 1.123.22 — these fix all known expression injection chains including the predecessor CVE-2025-68613.

  2. AUDIT PERMISSIONS IMMEDIATELY

    Restrict workflow create/edit rights to fully trusted users only; revoke access from contractors, test accounts, and any non-essential identities.

  3. ROTATE ALL CREDENTIALS

    After patching, rotate every credential stored in n8n (AI API keys, database passwords, webhook secrets, OAuth tokens).

  4. HARDEN RUNTIME

    Run n8n in a container with dropped Linux capabilities, read-only root filesystem where possible, and egress network filtering limited to required endpoints only.

  5. DETECT EXPLOITATION

    Enable process-level auditing (auditd or eBPF) on the n8n host to detect unexpected child process spawning from the n8n process. Review n8n audit logs for unusual expression patterns or workflow modifications by non-admin users.

  6. VULNERABILITY SCAN

    If patching is delayed, deploy a WAF rule blocking known expression injection patterns as a temporary (not sufficient) control.
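Step 5 asks for process-level auditing on the n8n host. The following is an added example, not part of this advisory or of the n8n project, showing the detection half of that step: it parses auditd execve records tagged with an audit key and flags any binary the n8n service user launches other than the node runtime itself, which is exactly the "unexpected child process" signal the step describes. The audit key `n8n_exec`, the service uid 1001, the PIDs, paths and sample records are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not real logs). They assume a rule such as
#   auditctl -a always,exit -F arch=b64 -S execve -F uid=1001 -k n8n_exec
# where 1001 is the hypothetical n8n service user. Event 301 is the n8n node
# process starting; event 317 is a shell spawned by that process (ppid=4242).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1771977600.101:301): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=4242 auid=4294967295 uid=1001 comm="node" exe="/usr/local/bin/node" key="n8n_exec"
type=EXECVE msg=audit(1771977600.101:301): argc=3 a0="node" a1="/usr/local/lib/node_modules/n8n/bin/n8n" a2="start"
type=SYSCALL msg=audit(1771977655.402:317): arch=c000003e syscall=59 success=yes exit=0 ppid=4242 pid=4377 auid=4294967295 uid=1001 comm="sh" exe="/usr/bin/dash" key="n8n_exec"
type=EXECVE msg=audit(1771977655.402:317): argc=3 a0="sh" a1="-c" a2="id"
"""

# Binaries the n8n service user is expected to exec; anything else is alerted on.
EXPECTED_EXE = {"/usr/local/bin/node"}

RECORD = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    # Group records by event serial: {serial: {"time": ts, "SYSCALL": {...}, "EXECVE": {...}}}
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        events[serial].setdefault("time", float(ts))
        events[serial].setdefault(rtype, {}).update(fields)
    return events


def find_unexpected_children(text, expected_exe=EXPECTED_EXE, key="n8n_exec"):
    # Successful execve events under the n8n audit key whose binary is not allowlisted.
    alerts = []
    for serial, ev in parse_events(text).items():
        sc = ev.get("SYSCALL")
        if not sc or sc.get("key") != key or sc.get("success") != "yes":
            continue
        if sc.get("exe") in expected_exe:
            continue
        ex = ev.get("EXECVE", {})
        argv = [ex[f"a{i}"] for i in range(int(ex.get("argc", 0))) if f"a{i}" in ex]
        alerts.append({"serial": serial, "time": ev["time"], "ppid": sc.get("ppid"),
                       "pid": sc.get("pid"), "exe": sc.get("exe"), "argv": argv})
    return alerts


if __name__ == "__main__":
    for a in find_unexpected_children(SAMPLE_AUDIT_LOG):
        print(f"ALERT serial={a['serial']} pid={a['pid']} ppid={a['ppid']} exe={a['exe']} argv={a['argv']}")
```

On a real host, feed the function the relevant slice of /var/log/audit/audit.log (or ausearch -k n8n_exec output) and extend EXPECTED_EXE with any helper binaries your workflows legitimately launch.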

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
  Article 9 - Risk management system
ISO 42001
  A.6.2.5 - AI system security testing
  A.6.2.6 - AI system security — vulnerability management
  A.8.4 - Access control to AI systems
  A.9.3 - AI supply chain security
NIST AI RMF
  GOVERN 1.2 - Policies and procedures for AI risk management
  GOVERN 1.7 - Processes and procedures are in place for decommissioning AI systems
  MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
  MANAGE 3.1 - Risks are prioritized based on impact
OWASP LLM Top 10
  LLM07 - Insecure Plugin Design
  LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-27577?

CVE-2026-27577 is a critical RCE in n8n's expression evaluation engine (CVSS 9.9) that allows any authenticated user with workflow edit rights to execute arbitrary OS commands on the n8n host. If your AI agent infrastructure or automation pipelines run on n8n, patch immediately to 2.10.1, 2.9.3, or 1.123.22 — no exceptions. Exposure is especially severe for organizations using n8n to orchestrate LLM workflows, as compromising the automation host yields full control over agent tool invocations, stored AI API keys, and all downstream systems.

Is CVE-2026-27577 actively exploited?

No confirmed active exploitation of CVE-2026-27577 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-27577?

  1. PATCH NOW: Upgrade to n8n 2.10.1, 2.9.3, or 1.123.22 — these fix all known expression injection chains including the predecessor CVE-2025-68613.
  2. AUDIT PERMISSIONS IMMEDIATELY: Restrict workflow create/edit rights to fully trusted users only; revoke access from contractors, test accounts, and any non-essential identities.
  3. ROTATE ALL CREDENTIALS: After patching, rotate every credential stored in n8n (AI API keys, database passwords, webhook secrets, OAuth tokens).
  4. HARDEN RUNTIME: Run n8n in a container with dropped Linux capabilities, read-only root filesystem where possible, and egress network filtering limited to required endpoints only.
  5. DETECT EXPLOITATION: Enable process-level auditing (auditd or eBPF) on the n8n host to detect unexpected child process spawning from the n8n process. Review n8n audit logs for unusual expression patterns or workflow modifications by non-admin users.
  6. VULNERABILITY SCAN: If patching is delayed, deploy a WAF rule blocking known expression injection patterns as a temporary (not sufficient) control.

What systems are affected by CVE-2026-27577?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, LLM workflow orchestration platforms, agentic AI automation infrastructure, AI tool integration layers, enterprise AI pipeline automation (n8n-based), multi-model AI workflow systems.

What is the CVSS score for CVE-2026-27577?

CVE-2026-27577 has a CVSS v3.1 base score of 9.9 (CRITICAL). The EPSS exploitation probability is 0.18%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613. An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An adversary compromises a low-privilege n8n account via credential stuffing, phishing, or an insider threat. They create or modify a workflow and embed a crafted expression in a workflow parameter — for example, inside a Code node or a data transformation field — that calls the host's command execution interface to spawn a reverse shell. Because expression evaluation runs under the n8n process's OS privileges without adequate sandboxing, the attacker immediately gains code execution on the host. From that foothold, they extract environment variables and n8n's credential store to harvest all AI API keys and service credentials, then pivot: they can issue malicious LLM API calls, exfiltrate connected RAG databases, inject poisoned workflow steps that persist into production AI automation pipelines trusted by other users and downstream systems, or use the n8n host as a pivot into the internal network.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
February 25, 2026
Last Modified
March 4, 2026
First Seen
February 25, 2026

Related Vulnerabilities