New Sandbox Escape Flaw Exposes n8n Instances to RCE Attacks
Summary:
The JFrog Security Research team identified two significant vulnerabilities in the n8n workflow automation platform, CVE-2026-1470 and CVE-2026-0863, that allow attackers to bypass sandboxing mechanisms and achieve Remote Code Execution (RCE).
CVE-2026-1470 targets the JavaScript expression engine through a loophole around JavaScript's deprecated with statement, which changes how bare identifiers are resolved at runtime: by introducing a decoy identifier, an attacker tricks the Abstract Syntax Tree (AST) validator into allowing access to the Function constructor, and with it arbitrary code execution.
CVE-2026-0863 targets the Python "Code" node by combining the name and obj attributes that Python 3.10 added to AttributeError with string formatting, bridging the gap between the restricted string representations the sandbox exposes and live, callable objects, and so escaping the Python sandbox.
Security Officer Comments:
The impact of these vulnerabilities is severe, particularly for self-hosted n8n instances and cloud environments.
- CVE-2026-1470 is rated CVSS 9.9 (Critical) because the code executes directly on the n8n main node, giving an authenticated attacker full control of the host system and of all associated workflow data.
- CVE-2026-0863 is rated CVSS 8.5 (High). Its practical severity depends on configuration: in the "Internal" execution mode it yields RCE on the main node, and even in the recommended "External" mode it yields RCE inside the sidecar container that runs the Python code, which remains a significant risk if that container is not properly isolated.
The vulnerabilities impact a broad and diverse set of n8n users, from individual developers to large enterprises. Because n8n is often chosen specifically for its self-hosting capabilities and low-code AI integration, the affected population includes:
- Enterprise IT and DevOps Teams
- AI Developers and Startups
- Data Engineers and Analysts
- Managed Service Providers (MSPs) and Agencies
- E-commerce brands, Tech companies, FinTech and Healthcare
Both flaws are reached through workflow content (an expression or a "Code" node), so until the upgrade is in place any account able to edit workflows should be treated as able to run code on the host. To close the issues, users must upgrade their n8n installations to patched versions immediately:
- For CVE-2026-1470, users should move to version 1.123.17, 2.4.5, or 2.5.1 or later.
- For CVE-2026-0863, users should upgrade to 1.123.14, 2.3.5, or 2.4.2 or later.
Link(s):
https://research.jfrog.com/post/achieving-remote-code-execution-on-n8n-via-sandbox-escape/