Two critical- and high-severity vulnerabilities within the n8n AI workflow automation platform might enable attackers to execute arbitrary code remotely, JFrog studies.
The problems, tracked as CVE-2026-1470 (CVSS rating of 9.9) and CVE-2026-0863 (CVSS rating of 8.5), impacted n8n’s sandbox mechanism and might be abused through weaknesses within the Summary Syntax Tree (AST) sanitization logic.
CVE-2026-1470, JFrog notes, was found within the expression analysis engine and will enable attackers to execute arbitrary JavaScript code.
N8n makes use of an AST-based sandbox to validate JavaScript enter and neutralize probably harmful nodes earlier than execution. A number of validation layers have been applied to mitigate identified JavaScript sandbox escape vectors.
Nevertheless, as a result of the AST parser nonetheless helps a deprecated assertion, an attacker can provide an identifier that permits them to realize arbitrary code execution in n8n’s predominant node.
This permits an attacker to utterly take over the n8n occasion, JFrog says.Commercial. Scroll to proceed studying.
CVE-2026-0863, the cybersecurity agency explains, was found within the Python code execution circulate of the Code node, which can be subjected to an AST sandbox to stop takeover whereas working beneath ‘Inner’ configuration.
“If the n8n occasion is working within the ‘Inner’ configuration, Python code is executed as a subprocess on the primary node itself, permitting a profitable exploit to compromise your entire n8n occasion,” JFrog explains.
The cybersecurity agency found that it was potential to abuse gaps in AST-based sandboxes to bypass the applied protections and obtain distant code execution (RCE) to utterly escape the sandbox.
“These vulnerabilities spotlight how troublesome it’s to soundly sandbox dynamic, excessive‑degree languages corresponding to JavaScript and Python. Even with a number of validation layers, deny lists, and AST‑primarily based controls in place, refined language options and runtime behaviors might be leveraged to bypass safety assumptions,” JFrog explains.
The 2 vulnerabilities had been addressed in n8n variations 1.123.17, 2.4.5, and a pair of.5.1, and 1.123.14, 2.3.5, and a pair of.4.2, respectively.
Associated: Vital Vulnerability Exposes n8n Situations to Takeover Assaults
Associated: APTs, Cybercriminals Extensively Exploiting WinRAR Vulnerability
Associated: Organizations Warned of Exploited Zimbra Collaboration Vulnerability
Associated: TP-Hyperlink Patches Vulnerability Exposing VIGI Cameras to Distant Hacking
