CVE-2026-49444 is a sandbox escape in n8n's Python Code Node that lets any authenticated user with workflow editing rights break out of the task runner container and execute arbitrary code on the underlying host. The CVSS scope change (S:C, score 8.5) signals cross-boundary impact — this is not contained to the application layer. While EPSS is low at 0.00064, the vulnerability sits in the top 80th percentile for exploitation likelihood, and n8n is increasingly deployed as the backbone of AI agent pipelines where workflow-editing access is broadly granted to developers and automation teams. Organizations should patch to n8n 1.123.48, 2.21.8, or 2.22.4 immediately; if a patching window is needed, disable the Python Code node via NODES_EXCLUDE or restrict workflow editing to fully trusted users only.
What is the risk?
High. The CVSS 8.5 with scope change (S:C) reflects container escape capability — the blast radius extends beyond n8n itself to the host and any secrets, credentials, or network access available there. The attack requires only low privileges (authenticated workflow editor — a common role in dev and ops teams), no user interaction, and low complexity. With 95 prior CVEs in the same package and an OpenSSF score of 6.5/10, n8n carries a documented history of security debt. No public exploit exists yet, but the clear vulnerability description lowers the barrier for independent exploit development significantly.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | < 1.123.48 | 1.123.48 |
Do you use n8n? You're affected.
What should I do?
Six steps:

1. Patch immediately: upgrade n8n to 1.123.48 (v1 track), 2.21.8, or 2.22.4 (v2 track) or later.
2. Immediate workaround if patching is delayed: add `n8n-nodes-base.code` to the `NODES_EXCLUDE` environment variable, or disable the Python Task Runner entirely in your n8n configuration.
3. Audit and restrict workflow editing permissions to fully trusted users only — treat this role as equivalent to shell access on the host.
4. Review container hardening for the n8n task runner: enforce seccomp profiles, read-only root filesystems, drop all unnecessary Linux capabilities, and never run in privileged mode.
5. Rotate any credentials (API keys, DB passwords, tokens) accessible from the n8n host if the exposure window was significant.
6. Detection: alert on unexpected child processes spawned from the task runner container and monitor for outbound network connections to non-whitelisted destinations from that container.
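As an added example (not n8n's own code), a small audit script that applies the checklist above to a compose-style service definition: it checks the image tag against the patched versions named on this page, whether `NODES_EXCLUDE` lists `n8n-nodes-base.code`, and the container hardening items in step 4. The sample service dicts, the seccomp profile filename and the key names (which mirror Docker Compose) are assumptions.

```python
import json
CODE_NODE = "n8n-nodes-base.code"                    # node type the advisory says to exclude
def parse_version(image):
    """'n8nio/n8n:2.21.3' -> (2, 21, 3); non-numeric tags such as 'latest' -> None."""
    tag = image.rsplit(":", 1)[-1]
    try:
        parts = [int(p) for p in tag.split(".")[:3]]
    except ValueError:
        return None
    return tuple(parts + [0] * (3 - len(parts)))
def is_patched(version):
    """True when the version is at or above the fix for its release track (page's numbers)."""
    if version is None:
        return False                                  # cannot prove a floating tag is fixed
    if version[0] == 1:
        return version >= (1, 123, 48)
    if version[:2] == (2, 21):
        return version >= (2, 21, 8)
    return version >= (2, 22, 4)                      # 2.22.x and anything later

def code_node_excluded(environment):
    """n8n documents NODES_EXCLUDE as a JSON array string; a comma list is accepted too."""
    raw = environment.get("NODES_EXCLUDE", "")
    try:
        names = json.loads(raw)
    except ValueError:
        names = [n.strip() for n in raw.split(",")]
    return isinstance(names, list) and CODE_NODE in names

def audit(service):
    """Findings for one compose-style service running the task runner; [] means it passes."""
    findings = []
    if not is_patched(parse_version(service.get("image", ""))):
        findings.append("unpatched n8n image")
        if not code_node_excluded(service.get("environment", {})):
            findings.append("Code node not in NODES_EXCLUDE")   # workaround not applied
    if service.get("privileged"):
        findings.append("privileged mode")
    if not service.get("read_only"):
        findings.append("root filesystem writable")
    if "ALL" not in service.get("cap_drop", []):
        findings.append("capabilities not dropped")
    if not any(o.startswith("seccomp=") for o in service.get("security_opt", [])):
        findings.append("no seccomp profile")
    return findings
# Constructed samples: a weak deployment and one with the workaround and hardening applied.
WEAK = {"image": "n8nio/n8n:2.21.3", "privileged": True, "environment": {}}
HARDENED = {"image": "n8nio/n8n:2.21.3", "read_only": True, "cap_drop": ["ALL"],
            "security_opt": ["seccomp=task-runner.json"],   # hypothetical profile file
            "environment": {"NODES_EXCLUDE": '["n8n-nodes-base.code"]'}}
```

Run `audit()` over each service in your compose file; an unpatched image with the Code node excluded still reports the missing patch, because the advisory calls the workaround short-term only.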
Frequently Asked Questions
Is CVE-2026-49444 actively exploited?
No confirmed active exploitation of CVE-2026-49444 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-49444?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI orchestration pipelines, workflow automation platforms, multi-step LLM pipelines.
What is the CVSS score for CVE-2026-49444?
CVE-2026-49444 has a CVSS v3.1 base score of 8.5 (HIGH). The EPSS exploitation probability is 0.06%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0049 Exploit Public-Facing Application
- AML.T0050 Command and Scripting Interpreter
- AML.T0053 AI Agent Tool Invocation
- AML.T0105 Escape to Host
What are the technical details?
Original Advisory
## Impact

An authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This issue only affects instances where the Python Task Runner is enabled.

## Patches

The issue has been fixed in n8n versions 1.123.48, 2.21.8, and 2.22.4. Users should upgrade to one of these versions or later to remediate the vulnerability.

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the Python Code node by adding `n8n-nodes-base.code` to the `NODES_EXCLUDE` environment variable, or disable the Python Task Runner entirely.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Exploitation Scenario
An attacker with a legitimate n8n account — or credentials obtained via phishing or credential stuffing against a publicly exposed n8n instance — navigates to the workflow editor and creates a workflow containing a Python Code Node. They inject Python code that exploits improper input validation in the task runner sandbox to escape container isolation, for example via subprocess calls or OS-level primitives that bypass the sandbox boundary. Once on the host, the attacker reads environment variables to harvest LLM API keys and database credentials, exfiltrates the n8n database containing all workflow definitions and stored credentials, and establishes persistence via a reverse shell or cron job. In a typical AI agent deployment, this single foothold compromises the entire AI pipeline infrastructure including connected LLM endpoints, vector databases, and downstream APIs.
Weaknesses (CWE)
CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- [Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
- [Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).
Source: MITRE CWE corpus.
CVSS Vector
`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N`
Related Vulnerabilities
- CVE-2026-33663 (CVSS 10.0): n8n: member role steals plaintext HTTP credentials (same package: n8n)
- CVE-2026-33660 (CVSS 10.0): TensorFlow: type confusion NPD in tensor conversion (same package: n8n)
- CVE-2026-21858 (CVSS 10.0): n8n: Input Validation flaw enables exploitation (same package: n8n)
- CVE-2026-27577 (CVSS 9.9): n8n: Code Injection enables RCE (same package: n8n)
- CVE-2026-27494 (CVSS 9.9): n8n: security flaw enables exploitation (same package: n8n)