CVE-2026-0863
CRITICAL
If your organization uses n8n for AI workflow automation or agent orchestration, treat this as an emergency patch. Any authenticated user with basic permissions can escape the Python sandbox via the Code block and execute arbitrary OS commands — in Internal mode, this means full n8n instance takeover and access to every credential stored in your workflows. Patch immediately, restrict Code block permissions to admins only as an interim control, and rotate all credentials connected to n8n.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | — | No patch |
Recommended Action
1. PATCH: Apply commit b73a4283cb14e0f27ce19692326f362c7bf3da02 immediately.
2. WORKAROUND: Restrict Code block access to trusted administrators only until patched — audit and revoke Code block permissions for all standard users.
3. EXECUTION MODE: If running Internal mode, switch to External (Docker sidecar) mode to reduce blast radius while patching.
4. CREDENTIAL ROTATION: Audit all credentials stored in n8n (Settings → Credentials) and rotate any that may have been exposed, especially LLM API keys, database credentials, and OAuth tokens.
5. DETECTION: Monitor n8n process trees for unexpected child processes (shells, curl, wget), unusual outbound network connections from the n8n host, and new files created in the n8n data directory.
6. NETWORK SEGMENTATION: Restrict what the n8n host can reach on the network — it should not have unfettered access to internal infrastructure.
7. AUDIT: Review n8n access logs for unexpected Code block executions or unusual workflow activity.
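The DETECTION step above asks for monitoring of the n8n process tree for unexpected children. The script below is an added example written for this page, not code from n8n or from the advisory: it parses a process-table snapshot in the shape of `ps -eo pid,ppid,comm,args`, walks each process's ancestry, and reports shells and download tools whose ancestry passes through an n8n process. The sample snapshot, the `/opt/n8n/bin/n8n` path, the TEST-NET address and the `"n8n"` command-line marker are constructed assumptions for the demonstration; adjust the marker to how n8n is actually launched in your deployment.

```python
"""Flag shells and download tools running under an n8n process.

Added example for the CVE-2026-0863 detection guidance; not n8n project code.
Input is a process snapshot in the shape of `ps -eo pid,ppid,comm,args`.
"""
from dataclasses import dataclass

# Child process names that should not normally appear under n8n (per the advisory:
# shells, curl, wget; nc/ncat added as common follow-on tooling).
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat"}

# Substrings that identify the n8n host process in its command line.
# ASSUMPTION: n8n is launched with "n8n" visible in its argv; tune per deployment.
N8N_PROCESS_MARKERS = ("n8n",)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str
    cmdline: str


def parse_ps_lines(lines):
    """Parse `ps -eo pid,ppid,comm,args` style output into Proc records.

    A header line (starting with "PID") and blank lines are skipped.
    """
    procs = []
    for line in lines:
        line = line.strip()
        if not line or line.lower().startswith("pid"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue  # malformed line; ignore rather than crash the scan
        pid, ppid, comm = int(parts[0]), int(parts[1]), parts[2]
        cmdline = parts[3] if len(parts) == 4 else comm
        procs.append(Proc(pid, ppid, comm, cmdline))
    return procs


def is_n8n_process(proc):
    return any(marker in proc.cmdline for marker in N8N_PROCESS_MARKERS)


def ancestors(by_pid, pid):
    """Yield the process with the given pid and then each parent, up to the root.

    The `seen` set guards against a cyclic or corrupted snapshot.
    """
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        proc = by_pid[pid]
        yield proc
        pid = proc.ppid


def find_suspicious_children(procs):
    """Return (child_pid, child_comm, n8n_pid) for each suspicious process
    that has an n8n process somewhere in its ancestry.

    Walking upward (rather than only checking the direct parent) catches
    `n8n -> sh -> curl` chains as well as direct children. A shell that is an
    ANCESTOR of n8n (e.g. a container entrypoint) is not flagged.
    """
    by_pid = {p.pid: p for p in procs}
    findings = []
    for proc in procs:
        if proc.comm not in SUSPICIOUS_CHILDREN:
            continue
        for anc in ancestors(by_pid, proc.ppid):
            if is_n8n_process(anc):
                findings.append((proc.pid, proc.comm, anc.pid))
                break
    return findings


def scan_ps_output(text):
    """Convenience wrapper: raw ps text in, findings out."""
    return find_suspicious_children(parse_ps_lines(text.splitlines()))


# Constructed sample snapshot: an entrypoint shell, the n8n process, a shell and
# a curl spawned beneath it, and a benign health-check curl run by the entrypoint.
SAMPLE_PS = """\
PID PPID COMM ARGS
  1    0 sh   /bin/sh /entrypoint.sh
 20    1 node node /opt/n8n/bin/n8n start
 41   20 sh   /bin/sh -c id
 42   41 curl curl -s http://203.0.113.5/
 50    1 curl curl -sf http://localhost:5678/healthz
"""

if __name__ == "__main__":
    for child_pid, comm, n8n_pid in scan_ps_output(SAMPLE_PS):
        print(f"ALERT: {comm} (pid {child_pid}) is running under n8n pid {n8n_pid}")
```

Run it against a real snapshot with `ps -eo pid,ppid,comm,args | python3 detect.py` after swapping `SAMPLE_PS` for `sys.stdin.read()`; in a healthy Internal-mode deployment the output should be empty, and in External mode any hit on the main node is itself a strong signal because Code-block execution should be confined to the sidecar.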
Technical Details
NVD Description
Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code in the underlying operating system. The vulnerability can be exploited via the Code block by an authenticated user with basic permissions and can lead to a full n8n instance takeover on instances operating under "Internal" execution mode. If the instance is operating under the "External" execution mode (ex. n8n's official Docker image) - arbitrary code execution occurs inside a Sidecar container and not the main node, which significantly reduces the vulnerability impact.
Exploitation Scenario
An adversary — either a compromised internal user or someone who obtained basic n8n credentials via phishing — logs into the n8n instance. They create or modify a workflow containing a Code block with Python execution enabled. Using Python's introspection capabilities (e.g., walking `__class__.__mro__` to access builtins, or exploiting string format specifiers and exception `__traceback__` chaining to escape restricted globals), they craft a payload that breaks out of the sandbox restrictions. Once outside the sandbox, they execute OS commands: first dumping `/proc/self/environ` and n8n's environment variables to harvest API keys and database credentials, then establishing a reverse shell for persistent access. On an Internal mode instance, they now own the host and can pivot to any system n8n was connected to — including production databases, cloud accounts, and LLM APIs. The entire AI automation backbone of the organization is compromised.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
References
- research.jfrog.com/vulnerabilities/n8n-python-runner-sandbox-escape-jfsa-2026-001651077/ Exploit 3rd Party
- smartkeyss.com/post/cve-2026-0863-python-sandbox-escape-in-n8n-via-exception-formatting-and-implicit-code-execution Exploit 3rd Party
- github.com/n8n-io/n8n/commit/b73a4283cb14e0f27ce19692326f362c7bf3da02 Patch