CVE-2026-27577

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613. An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

An adversary compromises a low-privilege n8n account via credential stuffing, phishing, or an insider threat. They create or modify a workflow and embed a crafted expression in a workflow parameter — for example, inside a Code node or a data transformation field — that calls the host's command execution interface to spawn a reverse shell. Because expression evaluation runs under the n8n process's OS privileges without adequate sandboxing, the attacker immediately gains code execution on the host. From that foothold, they extract environment variables and n8n's credential store to harvest all AI API keys and service credentials, then pivot: they can issue malicious LLM API calls, exfiltrate connected RAG databases, inject poisoned workflow steps that persist into production AI automation pipelines trusted by other users and downstream systems, or use the n8n host as a pivot into the internal network.