Two major security vulnerabilities in the workflow automation platform n8n could have led to severe consequences, including unauthorized remote code execution and sandbox escape, as reported by Pillar Security. These flaws exposed all credentials within the n8n database.
Details of the Critical Vulnerabilities
The first issue, identified as CVE-2026-27493 and rated with a CVSS score of 9.5, involves a second-order expression injection vulnerability affecting the platform’s Form nodes. This flaw allowed potential attackers to execute arbitrary commands remotely by manipulating a Name field.
This vulnerability arose due to n8n’s reliance on a dual-pass expression evaluation process. During the second evaluation pass, an attacker’s payload could be processed as a new expression, leading to potential command execution.
Exploiting the Flaws for System Access
Pillar Security highlighted that this initial vulnerability could be combined with another critical flaw, CVE-2026-27577, which has a CVSS score of 9.4. This combination could facilitate a sandbox escape, enabling attackers to run commands on the host system.
The flaw allowed malicious code to bypass the sandbox protections during the compilation stage, before runtime sanitizations took effect. This could result in unauthorized access to all stored credentials in n8n, including sensitive data like AWS keys and OAuth tokens.
Security Measures and Future Implications
The vulnerabilities affected both self-hosted and cloud-based n8n deployments. To address these issues, updates were released in late February for n8n versions 2.10.1, 2.9.3, and 1.123.22. These patches removed the problematic second evaluation pass and bolstered sandbox security.
Pillar Security emphasized the inherent risks due to n8n’s role as a credential repository, noting that a single breach could compromise connected systems. The flaws were particularly concerning for n8n Cloud and multi-tenant deployments, where a breach could affect shared infrastructure.
These incidents underscore the need for rigorous security measures in workflow automation platforms, as vulnerabilities can lead to widespread exposure and potential system compromises.
