CVE-2026-0863 Overview
CVE-2026-0863 is a sandbox escape vulnerability in n8n's python-task-executor component that allows authenticated attackers to bypass sandbox restrictions and execute arbitrary unrestricted Python code on the underlying operating system. By leveraging string formatting and exception handling techniques, an attacker with basic permissions can exploit the Code block functionality to achieve remote code execution.
The vulnerability can be exploited by any authenticated user with basic permissions and can lead to a full n8n instance takeover when the instance operates under "Internal" execution mode. When operating under "External" execution mode (such as n8n's official Docker image), arbitrary code execution is limited to the Sidecar container rather than the main node, significantly reducing the impact.
Critical Impact
Authenticated attackers can achieve full n8n instance takeover by escaping Python sandbox restrictions, potentially compromising automation workflows, credentials, and connected systems.
Affected Products
- n8n workflow automation platform (python-task-executor component)
- n8n instances operating under "Internal" execution mode (highest impact)
- n8n instances operating under "External" execution mode (limited impact to Sidecar container)
Discovery Timeline
- 2026-01-18 - CVE-2026-0863 published to NVD
- 2026-01-20 - Last updated in NVD database
Technical Details for CVE-2026-0863
Vulnerability Analysis
This vulnerability is classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code), commonly known as Code Injection. The n8n workflow automation platform includes a Python task executor that provides sandboxed Python code execution capabilities for workflow automation. However, the sandbox implementation contains a critical flaw that allows attackers to break out of the restricted environment.
The attack requires network access and authentication with basic user permissions. Once authenticated, an attacker can craft malicious Python code within the Code block that exploits string formatting mechanisms and exception handling to escape the sandbox boundaries. The scope change indicates that a successful exploit affects resources beyond the vulnerable component itself, potentially compromising the entire n8n instance and any connected systems or credentials stored within.
Instances running in "Internal" execution mode face the highest risk as code execution occurs directly on the main node. Organizations using "External" execution mode (including n8n's official Docker deployment) benefit from container isolation, though the Sidecar container could still be compromised.
Root Cause
The root cause lies in insufficient input validation and improper neutralization of code directives within the Python sandbox implementation. The sandbox fails to adequately restrict Python's string formatting capabilities and exception handling mechanisms, creating an escape path that allows execution of arbitrary code outside the sandbox boundaries. This represents a classic sandbox escape pattern where legitimate language features are weaponized to circumvent security controls.
Attack Vector
The attack is conducted over the network by an authenticated user with basic permissions. The attacker accesses the Code block functionality within n8n's workflow editor and submits specially crafted Python code that exploits string formatting combined with exception handling to break out of the sandbox environment. Once the sandbox is bypassed, the attacker gains the ability to execute arbitrary Python code with the privileges of the n8n process or Sidecar container, depending on the execution mode configuration.
The exploitation chain involves:
- Authentication to the n8n instance with basic user credentials
- Creating or modifying a workflow containing a Code block
- Injecting malicious Python code that leverages string formatting and exception handling
- Executing the workflow to trigger the sandbox escape
- Running arbitrary unrestricted Python code on the underlying system
Detection Methods for CVE-2026-0863
Indicators of Compromise
- Unusual Python code patterns in workflow Code blocks containing string formatting with exception handling constructs
- Unexpected system processes spawned by the n8n service or Sidecar container
- Anomalous outbound network connections from n8n nodes or containers
- Suspicious file system access or modifications initiated by the Python executor
Detection Strategies
- Monitor workflow Code blocks for suspicious Python patterns involving __format__, exception chaining, or class introspection
- Implement logging for all Code block executions and review for anomalous behavior
- Deploy runtime application self-protection (RASP) solutions to detect sandbox escape attempts
- Use SentinelOne Singularity XDR to detect unauthorized code execution and process spawning from n8n services
Monitoring Recommendations
- Enable verbose logging for n8n workflow executions and Code block activities
- Monitor container escape attempts in Docker/Kubernetes environments running n8n
- Implement alerts for unusual Python module imports or system calls originating from n8n processes
- Review audit logs for users creating or modifying workflows with Code blocks
How to Mitigate CVE-2026-0863
Immediate Actions Required
- Apply the security patch from commit b73a4283cb14e0f27ce19692326f362c7bf3da02 immediately
- Audit existing workflows for suspicious Code blocks containing complex string formatting or exception handling
- Consider temporarily disabling Python Code blocks for untrusted users until patching is complete
- Switch to "External" execution mode using the official Docker image to limit potential impact
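The workflow audit described under Detection Strategies and Immediate Actions can be partly automated. The following is an added example, not code from n8n or from this advisory: it statically scans an exported workflow's Python Code blocks for dunder attribute access (including inside exception handlers) and dunder traversal in format strings. The `pythonCode` parameter name and the sample workflow are assumptions constructed for illustration.

```python
import ast
import re
import string

DUNDER = re.compile(r"__\w+__")

def format_field_dunders(text):
    """Return dunder names used in str.format fields, e.g. '{0.__class__}'."""
    try:
        fields = [f for _, f, _, _ in string.Formatter().parse(text) if f]
    except ValueError:  # not a valid format string, nothing to inspect
        return []
    return [name for f in fields for name in DUNDER.findall(f)]

def scan_python(code):
    """Return sorted findings for the Python source of one Code block."""
    try:
        tree = ast.parse(code)
    except SyntaxError:
        return ["unparseable"]  # review by hand
    in_handler = {id(c) for h in ast.walk(tree)
                  if isinstance(h, ast.ExceptHandler) for c in ast.walk(h)}
    findings = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and DUNDER.fullmatch(node.attr):
            where = "except-handler" if id(node) in in_handler else "code"
            findings.add(f"dunder-attr:{node.attr}:{where}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            findings.update(f"format-field:{n}"
                            for n in format_field_dunders(node.value))
    return sorted(findings)

def scan_workflow(workflow):
    """Map node name -> findings for Code nodes that carry Python source."""
    report = {}
    for node in workflow.get("nodes", []):
        code = node.get("parameters", {}).get("pythonCode")  # assumed field name
        hits = scan_python(code) if code else []
        if hits:
            report[node.get("name", "?")] = hits
    return report

# Constructed sample export: one ordinary block, one that warrants review.
SAMPLE = {"nodes": [
    {"name": "Normalize", "parameters": {"pythonCode":
        "total = sum(i['n'] for i in items)\nlabel = 'n={:>5}'.format(total)\n"}},
    {"name": "Probe", "parameters": {"pythonCode":
        "try:\n    '{0.__class__}'.format(1)\nexcept Exception as e:\n    t = e.__class__\n"}},
]}

if __name__ == "__main__":
    print(scan_workflow(SAMPLE))
```

A finding is a prompt for manual review, not proof of exploitation; legitimate code rarely needs dunder access inside a workflow Code block.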
Patch Information
n8n has released a fix for this vulnerability. The patch is available in commit b73a4283cb14e0f27ce19692326f362c7bf3da02 on the official n8n GitHub repository. Organizations should update to a version containing this fix as soon as possible. Additional technical details about the vulnerability are available in the JFrog Vulnerability Report.
Workarounds
- Deploy n8n using "External" execution mode with the official Docker image to contain potential compromise to the Sidecar container
- Restrict Code block functionality to trusted users only through n8n's permission system
- Implement network segmentation to limit the blast radius of a potential sandbox escape
- Monitor and restrict outbound network access from n8n containers or processes
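```bash
# Verify n8n execution mode configuration
# Task runners operate in "External" mode when N8N_RUNNERS_MODE is set to 'external'
# (EXECUTIONS_MODE=queue enables queue-mode scaling and does not isolate the Python runner)
export N8N_RUNNERS_MODE=external
# Verify container isolation for external runners
docker inspect n8n-worker --format='{{.HostConfig.SecurityOpt}}'
```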
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


