CVE-2026-27493 Overview
CVE-2026-27493 is a second-order expression injection vulnerability in n8n, an open source workflow automation platform. The vulnerability exists in n8n's Form nodes and allows an unauthenticated attacker to inject and evaluate arbitrary n8n expressions by submitting crafted form data. When chained with an expression sandbox escape, this vulnerability can escalate to remote code execution on the n8n host.
The attack requires a specific workflow configuration: a form node with a field interpolating a value provided by an unauthenticated user, where the field value begins with an = character. This prefix causes n8n to treat the input as an expression, triggering double-evaluation of the field content. While the preconditions are narrow, successful exploitation can result in complete compromise of the n8n instance.
Critical Impact
Unauthenticated attackers can achieve remote code execution on n8n hosts by exploiting expression injection in Form nodes, potentially leading to complete system compromise.
Affected Products
- n8n versions prior to 2.10.1
- n8n versions prior to 2.9.3
- n8n versions prior to 1.123.22
Discovery Timeline
- 2026-02-25 - CVE-2026-27493 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-27493
Vulnerability Analysis
This Code Injection vulnerability (CWE-94) affects n8n's Form node processing logic. The root issue lies in how n8n handles user-submitted form data that begins with an equals sign (=). When n8n encounters this character at the start of a field value, it interprets the content as an expression rather than a literal string, leading to unintended expression evaluation.
The vulnerability is categorized as a second-order injection because the malicious payload is first stored in the form submission, then later evaluated when the form data is processed by the workflow. This two-stage attack allows unauthenticated users to inject expressions that access data within n8n's expression context, including potentially sensitive workflow data and configurations.
While the expression injection alone is limited to data accessible within the n8n expression context, the critical escalation path involves chaining this vulnerability with a sandbox escape. If an attacker can break out of n8n's expression sandbox, they can achieve arbitrary code execution on the host system running n8n.
Root Cause
The vulnerability stems from insufficient input sanitization in n8n's Form node implementation. Specifically, the application fails to sanitize or escape user-controlled input before evaluating it as an expression. When a form field value begins with =, n8n's expression parser processes the entire string as an evaluable expression, enabling double-evaluation attacks in which attacker-controlled data is executed as code.
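The double-evaluation path described above, as an added example that is not n8n's code and not part of the advisory: a toy resolver that keeps only the rule that matters here (a string whose first character is = is treated as an expression and its {{ ... }} segments are looked up in a context), the vulnerable pattern in which an interpolated submission is resolved a second time, and a hardened variant that neutralises submitted values before interpolation. The context, the field names and the neutralisation strategy (prefixing a space so the = prefix is no longer first) are assumptions for illustration; the real sanitizeUserInput in the fix is not shown on the page.

```javascript
// Added example, not n8n's implementation: a minimal model of '='-prefixed
// expression evaluation, the second-order injection, and one hardening.

// Constructed expression context standing in for what a workflow can see.
const CONTEXT = {
  $json: { name: 'alice' },             // the form submission
  $env: { SECRET: 'db-password-123' },  // constructed value, not a real secret
};

// Look up a dotted path such as "$env.SECRET" in the context.
function lookup(path, ctx) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), ctx);
}

// Model of the resolver: a leading '=' switches a field from literal to expression.
function resolve(value, ctx) {
  if (typeof value !== 'string' || !value.startsWith('=')) {
    return value; // literal string, returned unchanged
  }
  return value.slice(1).replace(/\{\{\s*([\w$.]+)\s*\}\}/g, (_, path) => {
    const v = lookup(path, ctx);
    return v === undefined ? '' : String(v);
  });
}

// Vulnerable pattern: the field template is resolved against the submission,
// and the resolved string is resolved again downstream (the "second order").
// A submitted value that starts with '=' is therefore evaluated as an expression.
function processFieldUnsafe(fieldTemplate, submission) {
  const ctx = { ...CONTEXT, $json: submission };
  const firstPass = resolve(fieldTemplate, ctx); // e.g. "={{ $json.name }}" -> submitted value
  return resolve(firstPass, ctx);                 // submitted value now treated as an expression
}

// Hardened pattern (assumed strategy): neutralise submitted strings before they
// are interpolated, so a leading '=' can never flip the result into expression mode.
function neutralizeUserInput(value) {
  if (typeof value !== 'string') return value;
  return value.startsWith('=') ? ' ' + value : value;
}

function processFieldSafe(fieldTemplate, submission) {
  const cleaned = Object.fromEntries(
    Object.entries(submission).map(([k, v]) => [k, neutralizeUserInput(v)]),
  );
  const ctx = { ...CONTEXT, $json: cleaned };
  return resolve(resolve(fieldTemplate, ctx), ctx); // second pass is now harmless
}

// Usage: the same submission through both paths.
const submission = { name: '={{ $env.SECRET }}' };
console.log('unsafe:', processFieldUnsafe('={{ $json.name }}', submission));
console.log('safe:  ', processFieldSafe('={{ $json.name }}', submission));
```

The unsafe path returns the constructed secret because the resolved field begins with = and is resolved a second time; the safe path returns the submitted text as a literal. An alternative hardening with the same effect is to never re-resolve a value that was itself produced by resolution, which is a property of the pipeline rather than of each input.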
Attack Vector
The attack requires network access to a vulnerable n8n instance with an exposed form. The attacker must:
- Identify a Form node in a workflow that interpolates user-submitted values
- Submit form data in which a field value begins with = followed by n8n expression syntax
The injected expression is then evaluated in the context of the n8n workflow, allowing data exfiltration or further exploitation. Combined with a sandbox escape vulnerability, this can be escalated to remote code execution.
The security patch addresses this by improving input sanitization. Below is the relevant fix from the commit:
const sanitizedShowWelcomeScreen = !!showWelcomeScreen;
const sanitizedAllowFileUploads = !!allowFileUploads;
- const sanitizedAllowedFilesMimeTypes = allowedFilesMimeTypes?.toString() ?? '';
+ const sanitizedAllowedFilesMimeTypes = sanitizeUserInput(allowedFilesMimeTypes?.toString() ?? '');
const sanitizedCustomCss = sanitizeHtml(`<style>${customCss?.toString() ?? ''}</style>`, {
allowedTags: ['style'],
allowedAttributes: false,
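Review bot: the `+` line routes `allowedFilesMimeTypes` through `sanitizeUserInput`, but nothing in this hunk shows where that helper is defined or imported, and the hunk stops partway through the `sanitizeHtml` call, so the remainder of the block is not visible for review. Given that the advisory attributes the bug to a leading `=` flipping a field value into an expression, the reviewer should confirm that `sanitizeUserInput` neutralises that prefix rather than only trimming or HTML-escaping, and that the other user-influenced values in this block (`customCss` is still passed only to the HTML sanitiser) get the same treatment.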
Source: GitHub Commit Change
Additionally, the patch improves authentication handling to prevent unauthorized access:
- const authCookie = getCookie('n8n-auth');
- if (!authCookie && webhookName !== 'setup') {
- // Data is not defined on node so can not authenticate
- throw new ChatTriggerAuthorizationError(500, 'User not authenticated!');
+ const authCookie = getCookie('n8n-auth');
+ if (!authCookie) {
+ throw new ChatTriggerAuthorizationError(401, 'User not authenticated!');
+ }
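Review bot: the replacement drops the `webhookName !== 'setup'` exemption, so a request to the `setup` webhook without an `n8n-auth` cookie now throws where it previously passed; confirm that this is intended and that the setup flow authenticates some other way, otherwise that path is now broken. The status change from 500 to 401 is correct for a missing credential. The removed comment (`Data is not defined on node so can not authenticate`) was the only explanation of the old exemption, so a replacement comment or the commit message should record why it is no longer needed.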
Source: GitHub Commit Change
Detection Methods for CVE-2026-27493
Indicators of Compromise
- Form submissions containing field values starting with = followed by n8n expression syntax (e.g., ={{ $env.SECRET }})
- Unexpected n8n expression evaluation errors in application logs
- Unusual data access patterns or exfiltration attempts from n8n workflows
- Evidence of sandbox escape attempts following form submissions
Detection Strategies
- Monitor n8n form submission logs for payloads containing expression injection patterns such as ={{, =$, or other n8n expression syntax
- Implement web application firewall (WAF) rules to detect and block form submissions with suspicious expression-like content
- Review n8n workflow execution logs for unexpected expression evaluations or errors indicating injection attempts
- Deploy endpoint detection to identify signs of code execution following form processing
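The log-review strategies above, as an added example that is not n8n's code and not part of the advisory: a scanner over form-submission records that flags values matching the expression patterns the text names (={{ and =$ as high severity, bare {{ ... }} or n8n variable references such as $env and $json as medium). The JSON-lines log format and the sample records are constructed for this example; n8n's own log format differs, so the record parsing is the part to adapt.

```javascript
// Added example, not n8n's code: flag form-submission values that look like
// n8n expressions. The log format below is constructed for this example.

// Constructed sample log: one benign record, three suspicious ones, one junk line.
const SAMPLE_LOG = [
  '{"ts":"2026-02-26T10:00:01Z","path":"/form/contact","fields":{"name":"alice","msg":"hello"}}',
  '{"ts":"2026-02-26T10:00:07Z","path":"/form/contact","fields":{"name":"={{ $env.SECRET }}","msg":"x"}}',
  '{"ts":"2026-02-26T10:00:09Z","path":"/form/contact","fields":{"name":"bob","msg":"total = {{ $json.amount }}"}}',
  '{"ts":"2026-02-26T10:00:12Z","path":"/form/contact","fields":{"name":"=$env.SECRET","msg":"x"}}',
  'not json at all',
].join('\n');

// Patterns from the advisory's detection guidance, ordered by severity.
// A leading '=' is what switches a value into expression mode, so it rates high;
// expression syntax without the prefix is worth a look but is often benign text.
const PATTERNS = [
  { name: 'leading-equals-expression', re: /^\s*=\s*\{\{/, severity: 'high' },
  { name: 'leading-equals-variable', re: /^\s*=\s*\$/, severity: 'high' },
  { name: 'expression-braces', re: /\{\{[^}]*\}\}/, severity: 'medium' },
  { name: 'expression-variable', re: /\$(env|json|input|node|workflow)\b/, severity: 'medium' },
];

// Classify a single submitted value; null means nothing expression-like was seen.
function classifyValue(value) {
  if (typeof value !== 'string') return null;
  const hits = PATTERNS.filter((p) => p.re.test(value));
  if (hits.length === 0) return null;
  const severity = hits.some((p) => p.severity === 'high') ? 'high' : 'medium';
  return { severity, patterns: hits.map((p) => p.name) };
}

// Parse one record; returns null for lines that are not JSON (adapt for your log source).
function parseRecord(line) {
  try {
    return JSON.parse(line);
  } catch {
    return null;
  }
}

// Walk the log and return one finding per suspicious field value.
function scanLog(text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    const rec = parseRecord(line);
    if (!rec || typeof rec.fields !== 'object' || rec.fields === null) return;
    for (const [field, value] of Object.entries(rec.fields)) {
      const hit = classifyValue(value);
      if (hit) findings.push({ line: idx + 1, ts: rec.ts, path: rec.path, field, ...hit });
    }
  });
  return findings;
}

// Usage: print findings for the constructed sample.
for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`line ${f.line} ${f.ts} ${f.path} field=${f.field} severity=${f.severity} (${f.patterns.join(', ')})`);
}
```

Run against real records, the high-severity findings are the ones to page on; the medium ones are better aggregated, since text such as "total = {{ ... }}" can occur in legitimate messages and only the = prefix makes n8n evaluate the value.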
Monitoring Recommendations
- Enable verbose logging on n8n instances to capture detailed form submission data
- Configure alerting for authentication errors (401 responses) on form endpoints that may indicate exploitation attempts
- Monitor for unusual process spawning or network connections from n8n worker processes
- Regularly audit Form node configurations for fields that interpolate user-submitted values
How to Mitigate CVE-2026-27493
Immediate Actions Required
- Upgrade n8n to version 2.10.1, 2.9.3, or 1.123.22 (or later) immediately
- Review all existing workflows using Form nodes for potentially vulnerable configurations
- Audit form submissions for any evidence of prior exploitation attempts
- If exploitation is suspected, rotate any credentials or secrets accessible from n8n workflows
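A version check to support the first action above, as an added example that is not part of the advisory or of n8n: given an installed version string, it reports whether the version falls in the affected ranges and which fixed version applies. It assumes the three fixed versions are per-release-line backports (1.x fixed at 1.123.22, 2.9.x at 2.9.3, every other 2.x line at 2.10.1), which is the usual reading of the advisory's three version numbers; versions outside those lines are reported as not covered rather than guessed at.

```javascript
// Added example, not from the advisory: check an n8n version string against the
// fixed versions 2.10.1, 2.9.3 and 1.123.22 listed in the advisory.

// Assumption: each fixed version applies to its own release line.
const FIXED_VERSIONS = [
  { name: '1.x',   line: (v) => v[0] === 1,               fixed: [1, 123, 22] },
  { name: '2.9.x', line: (v) => v[0] === 2 && v[1] === 9, fixed: [2, 9, 3] },
  { name: '2.x',   line: (v) => v[0] === 2,               fixed: [2, 10, 1] },
];

// Accept "1.123.22", "v2.10.1" and the like; ignore any pre-release suffix.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new Error(`unparseable version: ${s}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { vulnerable: true|false|null, fixedIn, line }.
// vulnerable === null means the release line is not covered by the advisory.
function assessVersion(s) {
  const v = parseVersion(s);
  const entry = FIXED_VERSIONS.find((e) => e.line(v));
  if (!entry) return { vulnerable: null, fixedIn: null, line: null };
  return {
    vulnerable: compareVersions(v, entry.fixed) < 0,
    fixedIn: entry.fixed.join('.'),
    line: entry.name,
  };
}

// Usage: feed in the output of `n8n --version` or the image tag you deploy.
for (const ver of ['1.123.21', '2.9.2', '2.10.0', '2.10.1', '3.0.0']) {
  console.log(ver, assessVersion(ver));
}
```

A 2.8.x instance is reported as vulnerable with 2.10.1 as the target, because the advisory lists no 2.8 backport; check the GitHub advisory if your release line is not one of the three named.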
Patch Information
n8n has released security patches addressing this vulnerability. Upgrade to 2.10.1, 2.9.3, or 1.123.22 (or later, depending on the release line you run).
For detailed information about the vulnerability, refer to the GitHub Security Advisory GHSA-75g8-rv7v-32f7.
Workarounds
- Review usage of Form nodes manually for fields that interpolate user-submitted values, particularly those prefixed with =
- Disable the Form node by adding n8n-nodes-base.form to the NODES_EXCLUDE environment variable
- Disable the Form Trigger node by adding n8n-nodes-base.formTrigger to the NODES_EXCLUDE environment variable
- Restrict network access to n8n instances to trusted users only until patching is complete
# Disable vulnerable nodes as a temporary mitigation
export NODES_EXCLUDE="n8n-nodes-base.form,n8n-nodes-base.formTrigger"
# Restart n8n to apply the configuration (assumes a systemd unit named n8n;
# for container deployments, set the variable in the container environment instead)
systemctl restart n8n
Note: These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures until upgrading is possible.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

