
Two n8n sandbox escape vulnerabilities allow RCE


Two severe vulnerabilities in n8n could allow an authenticated attacker to escape sandboxing mechanisms and execute arbitrary code, the JFrog Security Research team revealed Tuesday.

n8n is an open-source workflow automation platform used by organizations and developers to connect applications, automate repetitive tasks and build integrations through a low-code/no-code visual interface.

The first vulnerability, tracked as CVE-2026-1470, has a critical CVSS score of 9.9 and affects n8n’s expression engine, which can execute JavaScript code.

Expressions can be added to any node’s parameters during workflow configuration, with an abstract syntax tree (AST) based sandbox used to prevent potentially dangerous code from executing in the victim’s environment.

The expression engine sanitizes expressions by blocking common sandbox escape mechanisms that use “this,” “prototype,” “constructor” or “$” identifiers to access the real global context.

However, JFrog researchers found that “with” statements could be used to bypass this sanitization, as they are not blocked by the AST parser, and the sanitization process uses a static regex check to look for occurrences of “.constructor” but not “constructor” as a standalone identifier.

“This allows us to trick the AST checks by introducing a decoy constructor identifier inside a with statement and scoping it to function (){}, which effectively resolves to the Function object,” JFrog Security Researcher Nathan Nehorai wrote.

By reaching the Function object via constructor, an attacker with access to configure node parameters can escape the sandbox and achieve remote code execution (RCE), potentially leading to a complete takeover of the n8n instance, according to JFrog.
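To make the sanitization gap concrete, here is an added illustration (not n8n's own code) contrasting a substring check of the ".constructor" kind the article describes with a token-level check that denies `constructor` and `with` wherever they appear. The deny-list, the `__proto__` entry and the sample expression bodies are assumptions constructed for the example.

```javascript
// Added example, not n8n's code: a ".constructor" substring check versus a
// token-level check that denies identifiers wherever they occur.
// The deny-list is illustrative (assumption), built from the names the article lists.
const DENIED_NAMES = new Set(["this", "constructor", "prototype", "__proto__"]);
const DENIED_KEYWORDS = new Set(["with"]);

// Weak form: only the dotted member access is matched, so a bare `constructor`
// identifier, a `with` block, or a computed access o["constructor"] slips through.
function regexCheck(src) {
  return /\.(constructor|prototype|__proto__)\b|\bthis\b/.test(src);
}

// Stronger form: inspect every identifier and string literal in the expression.
// String literals are included because computed member access (o["constructor"])
// reaches the same property without ever writing ".constructor".
function identifierCheck(src) {
  const token = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[A-Za-z_$][\w$]*/g;
  const hits = [];
  for (const m of src.matchAll(token)) {
    const t = m[0];
    const isString = t[0] === '"' || t[0] === "'";
    const name = isString ? t.slice(1, -1) : t;
    if (DENIED_NAMES.has(name) || (!isString && DENIED_KEYWORDS.has(name))) hits.push(name);
  }
  return hits;
}

// Verdict for one expression body: allowed only if the token-level check is clean.
function sanitize(src) {
  const hits = identifierCheck(src);
  return { allowed: hits.length === 0, regexFlagged: regexCheck(src), hits };
}

// Constructed sample expression bodies (assumptions, not payloads from the advisory).
const SAMPLES = [
  '$json.email.split("@")[1]', // benign: both checks pass
  '"".constructor',            // caught by both checks
  'with (o) { constructor }',  // bare identifier inside a with block: regex misses it
  'o["constructor"]',          // computed access: regex misses it
];

for (const s of SAMPLES) console.log(JSON.stringify(s), sanitize(s));
```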

The vulnerability is fixed in versions 1.123.17, 2.4.5 and 2.5.1, with all earlier versions susceptible to the flaw.

Python Code Node used in second n8n flaw

The second vulnerability, tracked as CVE-2026-0863, has a high CVSS score of 8.5 and is also a sandbox escape flaw, this time involving the Python Code Node.

This vulnerability would allow an authenticated attacker with the ability to create and execute nodes to run arbitrary Python code on n8n instances running in an “Internal” configuration, meaning Python code runs as a subprocess on the main node. The researchers note that n8n recommends the “External” configuration, which runs Python execution in a separate Docker sidecar container.

The AST-based sandbox prevents the import of external modules and blocks many potentially dangerous built-in functions. However, Python 3.10 added name and obj attributes for AttributeError exceptions, which were not accounted for by n8n’s sandboxing mechanism.

Therefore, an attacker can force an error in order to leak references to objects the sandbox is meant to restrict, enabling them to bypass protections and achieve RCE.

This flaw was resolved in versions 1.123.14, 2.3.5 and 2.4.2, with all earlier versions susceptible to the vulnerability.

Earlier this year, n8n addressed two maximum-severity vulnerabilities, tracked as CVE-2026-21877 and CVE-2026-21858, the former of which could enable an authenticated attacker to achieve RCE and the latter of which could allow an unauthenticated attacker to gain access to arbitrary files on the local host.

Cyera researchers further demonstrated how CVE-2026-21858 could be exploited to leak n8n secrets and forge an authenticated session to ultimately achieve RCE.

n8n also patched a CVSS 9.9 vulnerability tracked as CVE-2025-68613 in December, which could also enable an authenticated attacker to achieve RCE via the expression engine.
