CVE-2026-27494 Overview
CVE-2026-27494 is a sandbox escape vulnerability in n8n, the open source workflow automation platform. Authenticated users with permission to create or modify workflows can exploit the Python Code node to escape the sandbox environment. The sandbox implementation fails to sufficiently restrict access to certain built-in Python objects, enabling attackers to exfiltrate sensitive file contents or achieve remote code execution (RCE).
Critical Impact
On instances using internal Task Runners (default runner mode), successful exploitation could result in full compromise of the n8n host. On instances using external Task Runners, attackers might gain access to or impact other tasks executed on the Task Runner.
Affected Products
- n8n versions prior to 2.10.1
- n8n versions prior to 2.9.3
- n8n versions prior to 1.123.22
Discovery Timeline
- 2026-02-25 - CVE-2026-27494 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-27494
Vulnerability Analysis
This vulnerability is classified under CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). The issue arises from inadequate sandboxing controls within n8n's Python Code node functionality. The sandbox environment, designed to provide a secure execution context for user-defined Python code within workflows, fails to properly restrict access to Python's introspection capabilities and built-in objects.
When Task Runners are enabled via the N8N_RUNNERS_ENABLED=true configuration flag, the Python Code node processes user-supplied scripts. The insufficient restrictions allow authenticated attackers to leverage Python's rich object model to break out of the intended sandbox boundaries. This escape permits access to the underlying file system and potentially enables arbitrary code execution on the host system.
Root Cause
The root cause lies in the incomplete implementation of sandbox restrictions for Python code execution. Python's object-oriented nature includes numerous built-in objects and methods that can be leveraged to access underlying system resources. The n8n sandbox did not adequately block access to these dangerous primitives, including objects that expose file system operations and process execution capabilities.
Attack Vector
This vulnerability is exploitable over the network and requires low attack complexity. An attacker must have authenticated access to the n8n platform with permissions to create or modify workflows. By crafting a malicious Python script within a workflow's Code node, the attacker can:
- Enumerate and access built-in Python objects that bypass sandbox restrictions
- Leverage these objects to read arbitrary files from the host system
- Execute arbitrary commands on the underlying system, potentially achieving full host compromise
The attack does not require user interaction and can be triggered whenever the malicious workflow is executed. On default configurations using internal Task Runners, successful exploitation grants the attacker access equivalent to the n8n process privileges.
Detection Methods for CVE-2026-27494
Indicators of Compromise
- Unusual workflow modifications or creations targeting the Python Code node
- Unexpected file access attempts originating from the n8n process
- Anomalous system commands executed under the n8n service account
- Workflow execution logs showing attempts to access Python builtins or introspection methods
Detection Strategies
- Monitor workflow audit logs for suspicious Code node configurations, especially those referencing Python introspection capabilities
- Implement file integrity monitoring on sensitive system files to detect unauthorized access from the n8n process
- Review workflow change history for unauthorized modifications by users with elevated permissions
- Deploy endpoint detection rules to identify sandbox escape patterns in Python execution contexts
Monitoring Recommendations
- Enable verbose logging for n8n workflow executions and Task Runner activities
- Configure alerting for any workflow modifications involving the Code node type
- Monitor network traffic from n8n instances for unexpected outbound connections that could indicate data exfiltration
- Audit user permissions regularly to ensure workflow creation rights are appropriately restricted
How to Mitigate CVE-2026-27494
Immediate Actions Required
- Upgrade n8n to version 2.10.1, 2.9.3, or 1.123.22 or later immediately
- Audit all existing workflows for potentially malicious Python Code nodes
- Review and restrict workflow creation and editing permissions to fully trusted users only
- Monitor for any signs of exploitation or unauthorized file access on n8n hosts
Patch Information
n8n has released security patches addressing this sandbox escape vulnerability. Users should upgrade to one of the following fixed versions:
For complete details, refer to the GitHub Security Advisory GHSA-mmgg-m5j7-f83h.
Workarounds
- Limit workflow creation and editing permissions to fully trusted users only
- Disable the Code node by adding n8n-nodes-base.code to the NODES_EXCLUDE environment variable
- Consider disabling Task Runners (N8N_RUNNERS_ENABLED=false) if Python code execution is not required
- Implement network segmentation to isolate n8n instances from sensitive internal resources
# Disable Python Code node as temporary mitigation
export NODES_EXCLUDE="n8n-nodes-base.code"
# Restart n8n service to apply changes
systemctl restart n8n
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
