Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-49444

CVE-2026-49444: n8n Workflow Automation RCE Vulnerability

CVE-2026-49444 is a remote code execution vulnerability in n8n workflow automation platform that allows authenticated users to escape the Python Code Node sandbox. This post covers technical details, affected versions, and patches.

Published:

CVE-2026-49444 Overview

CVE-2026-49444 is a sandbox escape vulnerability in n8n, an open source workflow automation platform. The flaw allows an authenticated user with permission to create or modify workflows containing a Python Code Node to escape the sandbox and execute arbitrary code on the task runner container. The issue is tracked under CWE-20: Improper Input Validation. Maintainers fixed the vulnerability in n8n versions 1.123.48, 2.21.8, and 2.22.4. Reference details are published in the GitHub Security Advisory GHSA-9pq8-m8gp-4p53.

Critical Impact

An authenticated user can break out of the Python Code Node sandbox and gain arbitrary code execution on the n8n task runner container.

Affected Products

  • n8n versions prior to 1.123.48
  • n8n versions prior to 2.21.8
  • n8n versions prior to 2.22.4

Discovery Timeline

  • 2026-06-23 - CVE-2026-49444 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2026-49444

Vulnerability Analysis

n8n executes user-supplied Python code inside a Code Node that runs within a dedicated task runner container. The runtime is intended to restrict what workflow authors can do at the operating system level. The vulnerability allows an authenticated user with workflow create or modify privileges to bypass that restriction. After escape, the attacker executes arbitrary commands inside the task runner container with the privileges of the runner process.

The attack requires valid n8n credentials and permission to author workflows, which limits exposure to insider misuse or accounts compromised through credential theft. Successful exploitation impacts confidentiality of data the task runner can reach, including secrets, credentials referenced by workflows, and any integrated systems the runner communicates with.

Root Cause

The root cause is improper input validation in the Python Code Node execution path. The sandbox does not adequately constrain Python language features or runtime APIs available to user code. This permits the attacker to reach Python internals that interact with the host process and spawn or alter execution outside the intended sandbox boundary.

Attack Vector

The attack vector is network-based against an authenticated n8n instance. An attacker with workflow edit permission creates or modifies a workflow that contains a Python Code Node. The node payload executes Python that escapes the sandbox using language features the runner failed to restrict. Execution then proceeds in the task runner container with the runner's process privileges and environment.

No verified public proof-of-concept exploit code is available at the time of publication. Review the GitHub Security Advisory for vendor technical details.

Detection Methods for CVE-2026-49444

Indicators of Compromise

  • Unexpected child processes spawned by the n8n task runner container, such as sh, bash, curl, or wget.
  • Outbound network connections from the task runner container to addresses not used by configured workflow integrations.
  • Modifications to workflows that introduce Python Code Nodes referencing low-level modules like ctypes, os, subprocess, or importlib.
  • New or modified files inside the task runner container outside expected workflow paths.

Detection Strategies

  • Audit the n8n workflow database and version history for recently added or edited Python Code Nodes, focusing on accounts with broad editing rights.
  • Enable container runtime logging on the n8n task runner and alert on process executions other than the Python interpreter and its expected children.
  • Correlate authentication logs for n8n with workflow change events to identify suspicious editor activity from unusual IP addresses or sessions.

Monitoring Recommendations

  • Forward n8n application logs, audit logs, and task runner container telemetry to a centralized log platform for retention and search.
  • Alert on egress traffic from the task runner container to non-allowlisted destinations.
  • Monitor for privilege-sensitive syscalls inside the task runner container using eBPF-based runtime tooling.

How to Mitigate CVE-2026-49444

Immediate Actions Required

  • Upgrade n8n to 1.123.48, 2.21.8, or 2.22.4 depending on your release branch.
  • Restrict workflow create and edit permissions to the minimum set of trusted users.
  • Rotate API keys, OAuth tokens, and credentials stored in n8n if you suspect prior abuse of Python Code Nodes.
  • Review recent workflow change history for unauthorized modifications.

Patch Information

The vendor released fixed versions 1.123.48, 2.21.8, and 2.22.4. Refer to the n8n GitHub Security Advisory GHSA-9pq8-m8gp-4p53 for release notes and upgrade instructions.

Workarounds

  • Disable the Python Code Node in environments where it is not required until patches are applied.
  • Run the n8n task runner in an isolated network segment with egress filtering to limit blast radius.
  • Apply least-privilege role-based access control so only vetted users can author workflows.
bash
# Example: upgrade n8n container image to a patched release
docker pull n8nio/n8n:1.123.48
docker stop n8n && docker rm n8n
docker run -d --name n8n -p 5678:5678 \
  -v n8n_data:/home/node/.n8n \
  n8nio/n8n:1.123.48

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.