GHSA-jwm3-qcfw-c5pp: n8n AST bypass leaks env vars

Q: Is GHSA-jwm3-qcfw-c5pp actively exploited?

No confirmed active exploitation of GHSA-jwm3-qcfw-c5pp has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-jwm3-qcfw-c5pp?

1. Upgrade to n8n 2.25.7 (1.x branch) or 2.26.2 (2.x branch) as the primary remediation. 2. If immediate upgrade is not feasible: add 'n8n-nodes-base.code' to the NODES_EXCLUDE environment variable to disable the Python Code node entirely, or disable the Python Task Runner. 3. Set N8N_BLOCK_RUNNER_ENV_ACCESS=true as a defense-in-depth measure even post-patch. 4. Audit and restrict workflow creation and editing permissions to only fully trusted users. 5. Rotate any API keys, database credentials, and secrets stored in the n8n process environment on affected instances as a precautionary measure. 6. Review existing workflow definitions for unexpected or unauthorized Python Code nodes that may have been introduced by a malicious insider.

Q: What systems are affected by GHSA-jwm3-qcfw-c5pp?

This vulnerability affects the following AI/ML architecture patterns: AI agent orchestration frameworks, LLM workflow automation pipelines, Multi-model AI agent pipelines, RAG pipeline orchestration layers, Self-hosted automation backends.

Q: What is the CVSS score for GHSA-jwm3-qcfw-c5pp?

GHSA-jwm3-qcfw-c5pp has a CVSS v3.1 base score of 5.0 (MEDIUM).

CISO Take

An authenticated n8n user with workflow creation or editing permissions can craft Python Code node input that bypasses the AST security validator, gaining access to the task executor module namespace — and on self-hosted instances where N8N_BLOCK_RUNNER_ENV_ACCESS is not explicitly hardened, this translates directly to environment variable disclosure. n8n is pervasive in AI agent orchestration pipelines and typically carries API keys for OpenAI, Anthropic, and other services alongside database credentials as process-level env vars, meaning the practical blast radius far exceeds what the CVSS 5.0 score suggests. No public exploit or active exploitation exists, but the low barrier to entry — any authenticated workflow editor — against a scope-changed CVSS vector (S:C) makes this a credible insider or compromised-account risk in any self-hosted deployment. Upgrade to n8n 2.25.7 or 2.26.2 immediately; if upgrading is blocked, exclude the Python Code node via NODES_EXCLUDE, disable the Python Task Runner, restrict workflow editing to fully trusted users, and rotate all credentials accessible to the n8n process.

Sources: GitHub Advisory ATLAS OpenSSF

What is the risk?

Medium severity by CVSS (5.0) but with materially elevated practical risk in AI/ML pipeline contexts. The scope change (S:C) in the CVSS vector signals impact beyond the vulnerable component. Exploitation requires authenticated access with workflow creation or editing privileges, limiting external attack surface to insiders or accounts with stolen credentials. However, n8n deployments routinely hold highly sensitive environment variables — LLM API keys, database connection strings, webhook secrets — elevating real-world impact well above the CVSS score implies. No active exploitation, no KEV listing, and EPSS data is not yet available. OpenSSF Scorecard of 6.5/10 and 105 prior CVEs in this package indicate moderate but not strong security hygiene. Risk is highest for self-hosted enterprise deployments with broad workflow editing permissions.

How does the attack unfold?

Initial Access

Attacker authenticates to n8n with a legitimate or compromised account that holds workflow creation or editing permissions.

AML.T0012

Sandbox Bypass

Attacker creates a workflow with a Python Code node and supplies crafted Python code that evades the AST security validator, gaining foothold in the task executor module namespace.

AML.T0050

Credential Harvesting

With access to the task executor namespace, attacker enumerates process environment variables to extract LLM API keys, database credentials, and other secrets.

AML.T0055

Impact / Lateral Movement

Harvested credentials are exfiltrated or used to pivot into connected AI services (LLM APIs, vector databases, data pipelines), extending the breach beyond the n8n instance.

AML.T0025

Initial Access

Attacker authenticates to n8n with a legitimate or compromised account that holds workflow creation or editing permissions.

AML.T0012

Sandbox Bypass

Attacker creates a workflow with a Python Code node and supplies crafted Python code that evades the AST security validator, gaining foothold in the task executor module namespace.

AML.T0050

Credential Harvesting

With access to the task executor namespace, attacker enumerates process environment variables to extract LLM API keys, database credentials, and other secrets.

AML.T0055

Impact / Lateral Movement

Harvested credentials are exfiltrated or used to pivot into connected AI services (LLM APIs, vector databases, data pipelines), extending the breach beyond the n8n instance.

AML.T0025

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	>= 2.26.0, < 2.26.2	`2.26.2`
192.4K OpenSSF 6.5 Pushed 3d ago 55% patched ~2d to patch Full package profile →

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1

5.0 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Changed

C Low

I None

A None

What should I do?

6 steps

Upgrade to n8n 2.25.7 (1.x branch) or 2.26.2 (2.x branch) as the primary remediation.
If immediate upgrade is not feasible: add 'n8n-nodes-base.code' to the NODES_EXCLUDE environment variable to disable the Python Code node entirely, or disable the Python Task Runner.
Set N8N_BLOCK_RUNNER_ENV_ACCESS=true as a defense-in-depth measure even post-patch.
Audit and restrict workflow creation and editing permissions to only fully trusted users.
Rotate any API keys, database credentials, and secrets stored in the n8n process environment on affected instances as a precautionary measure.
Review existing workflow definitions for unexpected or unauthorized Python Code nodes that may have been introduced by a malicious insider.

How is it classified?

Data Leakage Code Execution Auth Bypass Agent Framework AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI System Access Control A.9.4 - Security of AI System Inputs

NIST AI RMF

GOVERN 1.7 - Processes and procedures for AI risk management

OWASP LLM Top 10

LLM08 - Excessive Agency

Frequently Asked Questions

What is GHSA-jwm3-qcfw-c5pp?

An authenticated n8n user with workflow creation or editing permissions can craft Python Code node input that bypasses the AST security validator, gaining access to the task executor module namespace — and on self-hosted instances where N8N_BLOCK_RUNNER_ENV_ACCESS is not explicitly hardened, this translates directly to environment variable disclosure. n8n is pervasive in AI agent orchestration pipelines and typically carries API keys for OpenAI, Anthropic, and other services alongside database credentials as process-level env vars, meaning the practical blast radius far exceeds what the CVSS 5.0 score suggests. No public exploit or active exploitation exists, but the low barrier to entry — any authenticated workflow editor — against a scope-changed CVSS vector (S:C) makes this a credible insider or compromised-account risk in any self-hosted deployment. Upgrade to n8n 2.25.7 or 2.26.2 immediately; if upgrading is blocked, exclude the Python Code node via NODES_EXCLUDE, disable the Python Task Runner, restrict workflow editing to fully trusted users, and rotate all credentials accessible to the n8n process.

Is GHSA-jwm3-qcfw-c5pp actively exploited?

No confirmed active exploitation of GHSA-jwm3-qcfw-c5pp has been reported, but organizations should still patch proactively.

How to fix GHSA-jwm3-qcfw-c5pp?

1. Upgrade to n8n 2.25.7 (1.x branch) or 2.26.2 (2.x branch) as the primary remediation. 2. If immediate upgrade is not feasible: add 'n8n-nodes-base.code' to the NODES_EXCLUDE environment variable to disable the Python Code node entirely, or disable the Python Task Runner. 3. Set N8N_BLOCK_RUNNER_ENV_ACCESS=true as a defense-in-depth measure even post-patch. 4. Audit and restrict workflow creation and editing permissions to only fully trusted users. 5. Rotate any API keys, database credentials, and secrets stored in the n8n process environment on affected instances as a precautionary measure. 6. Review existing workflow definitions for unexpected or unauthorized Python Code nodes that may have been introduced by a malicious insider.

What systems are affected by GHSA-jwm3-qcfw-c5pp?

This vulnerability affects the following AI/ML architecture patterns: AI agent orchestration frameworks, LLM workflow automation pipelines, Multi-model AI agent pipelines, RAG pipeline orchestration layers, Self-hosted automation backends.

What is the CVSS score for GHSA-jwm3-qcfw-c5pp?

GHSA-jwm3-qcfw-c5pp has a CVSS v3.1 base score of 5.0 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

AI agent orchestration frameworksLLM workflow automation pipelinesMulti-model AI agent pipelinesRAG pipeline orchestration layersSelf-hosted automation backends

MITRE ATLAS Techniques

AML.T0037 Data from Local System

AML.T0049 Exploit Public-Facing Application

AML.T0050 Command and Scripting Interpreter

AML.T0053 AI Agent Tool Invocation

AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: A.6.2.6, A.9.4

NIST AI RMF: GOVERN 1.7

OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

## Impact An authenticated user with permission to create or modify workflows containing a Python Code node could bypass the AST security validator and access the task executor module namespace. On self-hosted instances where `N8N_BLOCK_RUNNER_ENV_ACCESS=false` is set, this extended to disclosure of environment variables accessible to the task runner process. This issue only affects instances where the Python Task Runner is enabled and `N8N_BLOCK_RUNNER_ENV_ACCESS=true`. ## Patches The issue has been fixed in n8n versions 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability. ## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Disable the Python Code node by adding `n8n-nodes-base.code` to the `NODES_EXCLUDE` environment variable, or disable the Python Task Runner entirely. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

An insider threat actor or attacker who has compromised a developer account with n8n workflow editing rights creates a new workflow containing a Python Code node. They craft Python code designed to exploit the AST validator bypass — using obfuscated module imports, indirect attribute access, or other techniques to navigate from the Python execution sandbox into the broader task executor module namespace. Once the validator is circumvented, the attacker's code reads os.environ or equivalent system interfaces to enumerate all environment variables accessible to the n8n task runner process. On a typical AI agent deployment this yields API keys for OpenAI, Anthropic, Pinecone, PostgreSQL, or Stripe — enabling the attacker to pivot into connected AI infrastructure, make unauthorized LLM API calls billed to the victim, or exfiltrate training data from RAG backends.

Weaknesses (CWE)

CWE-693 Protection Mechanism Failure Primary

CWE-693 — Protection Mechanism Failure: The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Source: MITRE CWE corpus.