CVE-2026-42234 Overview
CVE-2026-42234 is a sandbox escape vulnerability in n8n, an open source workflow automation platform. Authenticated users with permission to create or modify workflows containing a Python Code Node can break out of the sandbox and execute arbitrary code on the task runner container. The flaw only affects deployments where the Python Task Runner is enabled. The issue is fixed in versions 1.123.32, 2.17.4, and 2.18.1. The weakness is classified under CWE-94 (Improper Control of Generation of Code).
Critical Impact
Authenticated workflow editors can escape the Python sandbox and run arbitrary code on the task runner container, exposing secrets, credentials, and adjacent workloads.
Affected Products
- n8n versions prior to 1.123.32
- n8n versions prior to 2.17.4
- n8n version 2.18.0 (the 2.18.x releases prior to 2.18.1)
Discovery Timeline
- 2026-05-04 - CVE-2026-42234 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-42234
Vulnerability Analysis
The vulnerability resides in the Python Code Node executed by the n8n Python Task Runner. n8n exposes a Code Node that allows workflow authors to embed Python logic inside automated workflows. The runner is intended to confine Python execution within a sandbox so user-supplied code cannot reach the host process or the container's broader resources.
An authenticated user with workflow create or edit privileges can craft Python code that escapes this sandbox boundary. Once outside the sandbox, the attacker reaches the underlying task runner container with the privileges of the runner process. This grants arbitrary code execution within that container.
The vulnerability is tracked under CWE-94 because untrusted input is interpreted and executed as code outside its intended security boundary. The EPSS probability is 0.074% as of 2026-05-07.
Root Cause
The Python sandbox enforced by the task runner does not fully isolate Python language features that allow access to interpreter internals. Python introspection primitives, module imports, or builtins reachable from sandboxed scope can be abused to obtain references to objects outside the sandbox. From those references, an attacker reconstructs paths to dangerous functions such as process execution or file system operations.
Attack Vector
Exploitation requires authenticated access with permission to create or modify workflows. The attacker adds a Python Code Node containing sandbox-escape primitives and triggers the workflow. The Python Task Runner evaluates the node, and the escape executes inside the runner container. Instances that have not enabled the Python Task Runner are not affected.
The vulnerability is described in prose only because no public proof-of-concept code has been published. Refer to the n8n GitHub Security Advisory GHSA-44v6-jhgm-p3m4 for vendor technical details.
Detection Methods for CVE-2026-42234
Indicators of Compromise
- Unexpected child processes spawned by the n8n Python Task Runner container, especially shells (/bin/sh, /bin/bash) or interpreters launched outside normal Python execution.
- Outbound network connections originating from the task runner container to addresses not associated with workflow integrations.
- New or modified Python Code Nodes containing references to __builtins__, __import__, __subclasses__, or os.system introduced by non-administrator accounts.
- File system writes inside the runner container outside of n8n's normal working directories.
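The third indicator above (Python Code Nodes referencing `__builtins__`, `__import__`, `__subclasses__` or `os.system`, introduced by non-administrator accounts) can be checked against exported workflows rather than by eye. The following script is an added example, not code from the advisory or from the n8n project: it walks workflow exports paired with the audit-log actor who last changed them, picks out the Python Code Nodes, and rates hits from non-admin accounts higher. The export field names (`n8n-nodes-base.code`, `parameters.language`, `parameters.pythonCode`) and the role names (`global:owner`, `global:admin`, `global:member`) are assumptions about n8n's export and RBAC layout, and the sample records are constructed.

```python
"""Scan n8n workflow exports for Python Code Nodes carrying the advisory's indicator strings."""
import json

# Indicator tokens taken from the advisory's IoC list.
INDICATORS = ("__builtins__", "__import__", "__subclasses__", "os.system")

# Assumed n8n export layout: Code Nodes have this type, a "language" parameter
# and the Python source under "pythonCode" (not confirmed by the advisory).
CODE_NODE_TYPE = "n8n-nodes-base.code"
# Assumed n8n global role names for administrators.
ADMIN_ROLES = frozenset({"global:owner", "global:admin"})


def python_code_nodes(workflow):
    """Yield (node name, Python source) for every Python Code Node in one workflow export."""
    for node in workflow.get("nodes", []):
        params = node.get("parameters", {})
        language = str(params.get("language", "")).lower()
        if node.get("type") == CODE_NODE_TYPE and language.startswith("python"):
            yield node.get("name", "<unnamed>"), params.get("pythonCode", "")


def find_indicators(source):
    """Return the indicator tokens present in a piece of Python source, in INDICATORS order."""
    return [token for token in INDICATORS if token in source]


def scan_changes(change_records):
    """Correlate workflow exports with the account that last modified them.

    Each record (constructed shape) is {"workflow": <export dict>, "actor": <email>, "role": <role>}.
    Returns one finding per flagged node; changes by non-admin actors are rated "high",
    changes by administrators are still surfaced for review.
    """
    findings = []
    for record in change_records:
        workflow = record["workflow"]
        for node_name, source in python_code_nodes(workflow):
            hits = find_indicators(source)
            if not hits:
                continue
            findings.append({
                "workflow": workflow.get("name", "<unnamed>"),
                "node": node_name,
                "indicators": hits,
                "actor": record["actor"],
                "severity": "review" if record["role"] in ADMIN_ROLES else "high",
            })
    return findings


# Constructed sample: two workflow exports, each with the actor from the audit log.
SAMPLE_RECORDS = [
    {
        "workflow": {
            "name": "Invoice sync",
            "nodes": [
                {"name": "Shape rows", "type": CODE_NODE_TYPE,
                 "parameters": {"language": "python",
                                "pythonCode": "rows = [dict(i.json) for i in _input.all()]\nreturn rows"}},
            ],
        },
        "actor": "finance-bot@example.com", "role": "global:member",
    },
    {
        "workflow": {
            "name": "Nightly export",
            "nodes": [
                {"name": "Post-process", "type": CODE_NODE_TYPE,
                 "parameters": {"language": "python",
                                "pythonCode": "import os\nos.system('uname -a')\nreturn []"}},
                # JavaScript node: not evaluated by the Python runner, so not scanned here.
                {"name": "JS helper", "type": CODE_NODE_TYPE,
                 "parameters": {"language": "javaScript", "jsCode": "return __import__;"}},
            ],
        },
        "actor": "contractor@example.com", "role": "global:member",
    },
]

if __name__ == "__main__":
    for finding in scan_changes(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

A substring match is deliberately crude: it is meant as a triage filter over change events, and the hit list is for an analyst to read alongside the audit trail, not as proof of exploitation.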
Detection Strategies
- Audit n8n workflow change logs for Python Code Node creation or modification events and correlate with the acting user identity.
- Apply runtime monitoring on the task runner container to flag process executions that deviate from the expected Python interpreter behavior.
- Compare the running n8n version against the patched releases 1.123.32, 2.17.4, and 2.18.1 and alert on instances below those versions with the Python Task Runner enabled.
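The version comparison in the last item is branch-aware: 2.17.5 is fixed while 2.18.0 is not, so a plain "less than" against a single number gets it wrong. The script below is an added example, not the advisory's or n8n's own code. It encodes the three fixed releases named on this page, parses `n8n --version` style output, and only raises an alert when the version is affected and the Python Task Runner is not known to be disabled. The environment variable names come from the workaround snippet on this page; treating versions after 2.18.1 (and later major releases) as fixed, and treating a missing variable as "unknown" rather than "disabled", are assumptions made here.

```python
"""Check an n8n version and runner configuration against the fixed releases in this advisory."""
import re

# Fixed releases from the advisory, keyed by release branch.
FIXED_VERSIONS = {
    "1": (1, 123, 32),
    "2.17": (2, 17, 4),
    "2.18": (2, 18, 1),
}


def parse_version(text):
    """Parse 'n8n --version' style output such as '2.18.0' or 'v1.123.31' into an int tuple."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable_version(version):
    """Return True when the version falls in an affected range named by the advisory."""
    major, minor, _patch = version
    if major < 1:
        return True  # every 0.x release is prior to 1.123.32
    if major == 1:
        return version < FIXED_VERSIONS["1"]
    if major == 2:
        if minor < 17:
            return True  # prior to 2.17.4
        if minor == 17:
            return version < FIXED_VERSIONS["2.17"]
        if minor == 18:
            return version < FIXED_VERSIONS["2.18"]
        return False  # assumption: 2.19 and later ship after the fix
    return False  # assumption: later major releases ship after the fix


def python_runner_status(env):
    """Classify the Python Task Runner as enabled, disabled or unknown from the container env.

    Variable names are those used in the advisory's workaround snippet. A missing value is
    reported as "unknown" so the caller can decide to alert conservatively.
    """
    runners = (env.get("N8N_RUNNERS_ENABLED") or "").lower()
    python = (env.get("N8N_PYTHON_RUNNER_ENABLED") or "").lower()
    if runners == "false" or python == "false":
        return "disabled"
    if runners == "true" and python == "true":
        return "enabled"
    return "unknown"


def assess(version_text, env):
    """Combine the version check with the runner status; alert unless the runner is known off."""
    version = parse_version(version_text)
    vulnerable = is_vulnerable_version(version)
    status = python_runner_status(env)
    return {
        "version": ".".join(str(p) for p in version),
        "vulnerable_version": vulnerable,
        "python_runner": status,
        "alert": vulnerable and status != "disabled",
    }


if __name__ == "__main__":
    # Constructed inputs standing in for `docker exec <n8n-container> n8n --version`
    # and the container's environment.
    for text, env in [
        ("2.18.0", {"N8N_RUNNERS_ENABLED": "true", "N8N_PYTHON_RUNNER_ENABLED": "true"}),
        ("2.18.0", {"N8N_RUNNERS_ENABLED": "true", "N8N_PYTHON_RUNNER_ENABLED": "false"}),
        ("1.123.32", {}),
    ]:
        print(assess(text, env))
```

The "unknown" state matters in practice: a fleet scan that cannot read the container environment should still surface an affected version for follow-up rather than silently assuming the runner is off.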
Monitoring Recommendations
- Forward container runtime telemetry, n8n audit logs, and workflow execution logs to a centralized analytics pipeline for correlation.
- Alert on Python workflow executions that perform subprocess, os, or socket operations inconsistent with documented automation patterns.
- Track authentication events for accounts with workflow editor roles and review privilege grants regularly.
How to Mitigate CVE-2026-42234
Immediate Actions Required
- Upgrade n8n to 1.123.32, 2.17.4, or 2.18.1 depending on your release branch.
- If patching is delayed, disable the Python Task Runner on instances where it is not required.
- Review which user accounts hold workflow create or edit permissions and remove unnecessary access.
- Rotate credentials, API tokens, and secrets accessible from the task runner container if compromise is suspected.
Patch Information
The maintainers released fixes in n8n 1.123.32, 2.17.4, and 2.18.1. Patch details and the coordinated advisory are published in the n8n GitHub Security Advisory GHSA-44v6-jhgm-p3m4.
Workarounds
- Disable the Python Task Runner until upgrade is complete on environments that do not require Python workflows.
- Restrict workflow editor permissions to a small group of trusted administrators using role-based access control.
- Isolate the task runner container with strict egress network policies and a least-privilege service account.
- Enable detailed audit logging on workflow modifications and review changes to Python Code Nodes.
# Check the running n8n version against the fixed releases (1.123.32, 2.17.4, 2.18.1)
docker exec <n8n-container> n8n --version
# Until the upgrade lands, keep task runners on but turn the Python runner off.
# These variables must be set in the n8n container's environment (for example in the
# compose file or deployment manifest) and the container restarted; exporting them in an
# interactive shell does not change a running container.
export N8N_RUNNERS_ENABLED=true
export N8N_PYTHON_RUNNER_ENABLED=false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.