CVE-2026-25115 Overview
CVE-2026-25115 is a critical sandbox escape vulnerability in n8n, an open source workflow automation platform. Prior to version 2.4.8, a vulnerability in the Python Code node allows authenticated users to break out of the Python sandbox environment and execute code outside the intended security boundary. This flaw enables attackers with valid credentials to bypass security controls and potentially achieve arbitrary code execution on the underlying system.
Critical Impact
Authenticated attackers can escape the Python sandbox to execute arbitrary code outside the security boundary, potentially compromising the entire n8n instance and underlying infrastructure.
Affected Products
- n8n workflow automation platform versions prior to 2.4.8
- n8n instances running on Node.js environments
- Self-hosted and cloud-deployed n8n installations utilizing the Python Code node
Discovery Timeline
- 2026-02-04 - CVE-2026-25115 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-25115
Vulnerability Analysis
This vulnerability falls under CWE-693 (Protection Mechanism Failure), indicating that the sandbox protection mechanism designed to isolate Python code execution can be circumvented. The n8n platform provides a Python Code node that allows users to execute custom Python scripts within workflows. To prevent malicious code from affecting the host system, this execution occurs within a sandboxed environment intended to restrict access to system resources and sensitive operations.
The sandbox escape vulnerability allows authenticated users to break out of these security boundaries. When exploited, an attacker can execute arbitrary Python code that runs with the same privileges as the n8n process itself, rather than being confined to the restricted sandbox environment. This could lead to unauthorized access to the file system, network resources, environment variables containing credentials, and other sensitive data accessible to the n8n service.
Root Cause
The root cause stems from insufficient isolation in the Python Code node's sandbox implementation. The protection mechanism fails to adequately restrict access to Python built-in functions, modules, or attributes that can be leveraged to escape the sandbox context. Common sandbox escape techniques involve accessing special Python attributes like __builtins__, __class__, __mro__, or __subclasses__() to reach unrestricted code execution paths.
Attack Vector
The attack requires network access and valid authentication credentials to the n8n platform. An authenticated attacker can craft a malicious workflow containing specially crafted Python code in a Python Code node. When the workflow executes, the malicious code exploits weaknesses in the sandbox implementation to escape confinement and execute arbitrary commands on the underlying system.
The attack scenario involves:
- Attacker authenticates to the n8n platform with valid credentials
- Attacker creates or modifies a workflow containing a Python Code node
- Malicious Python code is inserted that exploits sandbox weaknesses
- Upon workflow execution, the code breaks out of the sandbox
- Arbitrary code runs with the privileges of the n8n process
Detection Methods for CVE-2026-25115
Indicators of Compromise
- Unusual Python Code node executions containing references to __builtins__, __class__, __mro__, or __subclasses__
- Workflow logs showing unexpected system calls or file system access originating from Python Code nodes
- New or modified workflows created by unauthorized users or containing obfuscated Python code
- Process spawning events from the n8n service that indicate command execution outside normal operations
Detection Strategies
- Monitor n8n workflow logs for Python Code node executions containing suspicious module imports or attribute access patterns
- Implement file integrity monitoring on the n8n installation directory and workflow storage locations
- Deploy endpoint detection and response (EDR) solutions to detect anomalous child processes spawned by the n8n service
- Review authentication logs for unusual access patterns or credential usage preceding workflow modifications
Monitoring Recommendations
- Enable verbose logging for workflow executions, particularly for Python Code node activities
- Configure alerting for any Python Code node execution that references restricted attributes or modules
- Monitor network traffic originating from the n8n host for unexpected outbound connections
- Implement user behavior analytics to detect unusual workflow creation or modification patterns
How to Mitigate CVE-2026-25115
Immediate Actions Required
- Upgrade n8n to version 2.4.8 or later immediately to apply the security patch
- Audit existing workflows for any suspicious Python Code node content
- Review user access permissions and remove unnecessary accounts that can create or modify workflows
- Consider temporarily disabling the Python Code node functionality if immediate patching is not possible
Patch Information
The vulnerability has been patched in n8n version 2.4.8. Organizations should update to this version or later to remediate the sandbox escape vulnerability. For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-8398-gmmx-564h.
Workarounds
- Restrict access to the Python Code node by limiting which users can create or modify workflows containing this node type
- Implement network segmentation to isolate n8n instances from sensitive internal resources
- Deploy additional runtime application self-protection (RASP) solutions to detect and block sandbox escape attempts
- Run n8n in a containerized environment with minimal privileges to limit the impact of a successful escape
# Example: Restricting n8n container privileges
docker run -d \
--name n8n \
--read-only \
--security-opt=no-new-privileges:true \
--cap-drop=ALL \
-e N8N_BASIC_AUTH_ACTIVE=true \
n8nio/n8n:2.4.8
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
