CVE-2026-42234: n8n Python sandbox escape enables

CISO Take

n8n's Python Code Node fails to properly isolate user-supplied code, allowing any authenticated user with workflow creation or modification permissions to escape the task runner sandbox and execute arbitrary commands on the underlying container host. This matters because n8n sits at the center of AI automation stacks — it commonly holds API keys for OpenAI, Anthropic, and other LLM providers, plus credentials for databases, webhooks, and internal services — meaning a container escape translates directly to full credential compromise across your AI toolchain. While no public exploit currently exists and it's not in CISA KEV, EPSS places this in the top 78th percentile for exploitation likelihood, and with 75 prior CVEs in the same package the attack surface is well understood by researchers. Patch immediately to n8n 1.123.32 (v1 branch) or 2.17.4/2.18.1 (v2 branch); if patching is delayed, disable the Python Task Runner in instance configuration and audit who holds workflow editor permissions.

Sources: NVD GitHub Advisory EPSS OpenSSF ATLAS

What is the risk?

HIGH. Authenticated code injection with container escape is a critical primitive in AI automation environments. The authentication prerequisite reduces opportunistic exposure, but enterprise n8n deployments routinely grant workflow creation rights to analysts, developers, and ops teams — broadening the effective attacker pool to any insider or account takeover. The Python Task Runner requirement means only a subset of deployments are vulnerable, but those that use it for custom AI logic are the most security-sensitive. Container escape elevates blast radius from logical isolation to full node compromise, with n8n's credential store as the primary post-exploitation target.

How does the attack unfold?

Authenticated Access

Attacker uses valid n8n credentials (insider, compromised account, or weak password) to access the workflow editor with Code Node permissions.

AML.T0012

Sandbox Escape

Attacker inserts malicious Python code into a Code Node that exploits improper sandbox controls to break out of the task runner container's process isolation.

AML.T0105

Credential Harvest

From the compromised container, attacker reads environment variables and n8n credential store to extract LLM API keys, database passwords, and service tokens.

AML.T0083

AI Supply Chain Pivot

Using harvested LLM API keys, attacker accesses connected AI services (OpenAI, Anthropic, etc.) to exfiltrate data, inject malicious prompts, or abuse billing resources.

AML.T0010

Authenticated Access

Attacker uses valid n8n credentials (insider, compromised account, or weak password) to access the workflow editor with Code Node permissions.

AML.T0012

Sandbox Escape

Attacker inserts malicious Python code into a Code Node that exploits improper sandbox controls to break out of the task runner container's process isolation.

AML.T0105

Credential Harvest

From the compromised container, attacker reads environment variables and n8n credential store to extract LLM API keys, database passwords, and service tokens.

AML.T0083

AI Supply Chain Pivot

Using harvested LLM API keys, attacker accesses connected AI services (OpenAI, Anthropic, etc.) to exfiltrate data, inject malicious prompts, or abuse billing resources.

AML.T0010

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	< 1.123.32	`1.123.32`
193.4K OpenSSF 6.6 Pushed 4d ago 54% patched ~7d to patch Full package profile →

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

0.4%

chance of exploitation in 30 days

Higher than 29% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

What should I do?

6 steps

PATCH

Upgrade to n8n >= 1.123.32 (v1) or >= 2.17.4 / 2.18.1 (v2) immediately.
WORKAROUND

If patching is not immediately feasible, disable the Python Task Runner in n8n configuration (EXECUTIONS_PROCESS=main or remove Python runner enablement).
ACCESS CONTROL

Audit and restrict workflow creation/modification permissions — apply least-privilege; only trusted users should be able to add or edit Code Nodes.
DETECT

Review existing Python Code Nodes for subprocess calls, os.system, exec(), __import__('os'), or network socket operations that indicate sandbox escape attempts.
HARDEN

Ensure the task runner container runs with a non-root user, no privileged flag, and restricted Linux capabilities (drop CAP_SYS_ADMIN, CAP_NET_ADMIN).
ROTATE

Proactively rotate any LLM API keys, database credentials, and service tokens stored in n8n credentials after confirming exposure window.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Supply Chain Data Extraction Agent Framework Plugin AML.T0012 - Valid Accounts AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation AML.T0083 - Credentials from AI Agent Configuration AML.T0105 - Escape to Host

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.8.5 - AI System Security

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place to sustain the value of AI systems over time

OWASP LLM Top 10

LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-42234?

n8n's Python Code Node fails to properly isolate user-supplied code, allowing any authenticated user with workflow creation or modification permissions to escape the task runner sandbox and execute arbitrary commands on the underlying container host. This matters because n8n sits at the center of AI automation stacks — it commonly holds API keys for OpenAI, Anthropic, and other LLM providers, plus credentials for databases, webhooks, and internal services — meaning a container escape translates directly to full credential compromise across your AI toolchain. While no public exploit currently exists and it's not in CISA KEV, EPSS places this in the top 78th percentile for exploitation likelihood, and with 75 prior CVEs in the same package the attack surface is well understood by researchers. Patch immediately to n8n 1.123.32 (v1 branch) or 2.17.4/2.18.1 (v2 branch); if patching is delayed, disable the Python Task Runner in instance configuration and audit who holds workflow editor permissions.

Is CVE-2026-42234 actively exploited?

No confirmed active exploitation of CVE-2026-42234 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-42234?

1. PATCH: Upgrade to n8n >= 1.123.32 (v1) or >= 2.17.4 / 2.18.1 (v2) immediately. 2. WORKAROUND: If patching is not immediately feasible, disable the Python Task Runner in n8n configuration (`EXECUTIONS_PROCESS=main` or remove Python runner enablement). 3. ACCESS CONTROL: Audit and restrict workflow creation/modification permissions — apply least-privilege; only trusted users should be able to add or edit Code Nodes. 4. DETECT: Review existing Python Code Nodes for subprocess calls, os.system, exec(), __import__('os'), or network socket operations that indicate sandbox escape attempts. 5. HARDEN: Ensure the task runner container runs with a non-root user, no privileged flag, and restricted Linux capabilities (drop CAP_SYS_ADMIN, CAP_NET_ADMIN). 6. ROTATE: Proactively rotate any LLM API keys, database credentials, and service tokens stored in n8n credentials after confirming exposure window.

What systems are affected by CVE-2026-42234?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, LLM orchestration pipelines, Workflow automation for AI, Multi-step AI agent execution, Data transformation for ML pipelines.

What is the CVSS score for CVE-2026-42234?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

AI agent frameworksLLM orchestration pipelinesWorkflow automation for AIMulti-step AI agent executionData transformation for ML pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0050 Command and Scripting Interpreter

AML.T0053 AI Agent Tool Invocation

AML.T0083 Credentials from AI Agent Configuration

AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.8.5

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This issue only affects instances where the Python Task Runner is enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

Exploitation Scenario

An attacker with a compromised n8n editor account — or a malicious insider — navigates to an existing workflow or creates a new one containing a Python Code Node. They insert Python code that exploits the sandbox escape (e.g., via ctypes, subprocess with namespace tricks, or direct syscall invocation) to break out of the task runner's process isolation. Once on the container, they enumerate environment variables to harvest API keys for OpenAI, Anthropic, or other LLM providers stored in n8n's runtime environment, then use those credentials to exfiltrate training data, inject malicious prompts into production LLM pipelines, or establish persistence by modifying other workflows. In a cloud-hosted n8n deployment, the container's IAM role or cloud metadata endpoint becomes an additional lateral movement vector.

Weaknesses (CWE)

CWE-94 Improper Control of Generation of Code ('Code Injection') Primary CWE-94 Improper Control of Generation of Code ('Code Injection') Primary

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

[Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
[Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.