PROBABLYPWNED
Vulnerabilities | March 24, 2026 | 3 min read

Four Critical n8n Flaws Enable Unauthenticated RCE

n8n patches CVE-2026-27577, CVE-2026-27493, and two more sandbox escapes. One flaw allows unauthenticated attackers to execute commands via public form endpoints.

Marcus Chen

Security researchers at Pillar Security disclosed four critical vulnerabilities in n8n, the popular open-source workflow automation platform. The most concerning, CVE-2026-27493 (CVSS 9.5), allows completely unauthenticated attackers to execute arbitrary shell commands by injecting payloads through public form endpoints.

This marks the fourth and fifth time in four months that n8n has patched critical sandbox escape vulnerabilities. We covered CVE-2026-25049 in February and the original Ni8mare vulnerability (CVE-2026-21858) in January. The pattern suggests architectural weaknesses that incremental patches aren't fully addressing.

The Unauthenticated Entry Point

CVE-2026-27493 exploits a double-evaluation bug in n8n's Form nodes. When a workflow exposes a public form (contact forms, intake processes, survey endpoints), submitted data gets evaluated twice. Attackers inject expression payloads through normal form fields that execute during the second evaluation pass—no authentication required.

An organization's public-facing workflow becomes a direct shell on their n8n server.

The Full CVE Breakdown

CVE-2026-27577 (CVSS 9.4) — Expression sandbox escape. A missing case in the AST rewriter allows the process object to slip through untransformed. Any authenticated expression gains full RCE access. JavaScript's {...process} spread operator or Python's __objclass__ attribute bypass the sandbox entirely.

CVE-2026-27493 (CVSS 9.5) — Unauthenticated form injection. Double-evaluation in Form nodes allows expression injection through public endpoints without credentials.

CVE-2026-27495 (CVSS 9.4) — Code injection in the JavaScript Task Runner sandbox. Affects the isolated task-runner execution environment.

CVE-2026-27497 (CVSS 9.4) — Arbitrary code execution via Merge node SQL query mode. Allows file writing and command execution through crafted queries.

Why This Matters Beyond the Patch

n8n instances typically hold significant secrets. The N8N_ENCRYPTION_KEY environment variable protects stored credentials for:

  • Cloud provider API keys (AWS, GCP, Azure)
  • Database connection strings
  • OAuth tokens for SaaS integrations
  • Payment processor credentials (Stripe, PayPal)
  • Communication platform tokens (Slack, Discord, Twilio)

Breaking out of the sandbox means attackers can decrypt this key and access everything the workflow automation platform connects to. A single compromised n8n instance can cascade into dozens of connected services.

Affected Versions and Fixes

All four vulnerabilities affect:

  • n8n versions below 1.123.22
  • n8n versions 2.0.0 to 2.9.2
  • n8n versions 2.10.0

Fixed in:

  • 1.123.22 (for 1.x deployments)
  • 2.9.3 (for 2.9.x deployments)
  • 2.10.1 (for 2.10.x deployments)
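To check a deployment against the affected and fixed ranges listed above, here is an added Python helper (my own code, not n8n's or the advisory's); it assumes you already have the instance's version as a plain MAJOR.MINOR.PATCH string and encodes only the ranges stated in this article.

```python
from typing import Optional, Tuple

# Affected ranges and the release that fixes each, as stated in this article.
# Each entry: (lowest affected, highest affected, fixed release), inclusive.
AFFECTED_RANGES = [
    ((0, 0, 0), (1, 123, 21), (1, 123, 22)),  # everything below 1.123.22
    ((2, 0, 0), (2, 9, 2), (2, 9, 3)),        # 2.0.0 through 2.9.2
    ((2, 10, 0), (2, 10, 0), (2, 10, 1)),     # 2.10.0 only
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH', tolerating a leading 'v' and a
    pre-release/build suffix ('2.9.3-rc.1'), which is dropped. Note that a
    pre-release of a fixed version is therefore treated as fixed."""
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fixed_version_for(text: str) -> Optional[str]:
    """Return the release the instance should upgrade to if its version
    falls inside an affected range, or None if it is already outside them."""
    version = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version <= high:
            return ".".join(str(n) for n in fixed)
    return None


if __name__ == "__main__":
    # Constructed sample inputs, one per affected range plus one fixed build.
    for sample in ["1.100.0", "2.9.2", "v2.10.0", "2.10.1"]:
        target = fixed_version_for(sample)
        status = f"upgrade to {target}" if target else "not in an affected range"
        print(f"{sample}: {status}")
```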

Immediate Mitigations

If patching requires scheduling, these workarounds reduce exposure:

Disable Form nodes entirely:

NODES_EXCLUDE=n8n-nodes-base.form,n8n-nodes-base.formTrigger

Disable the Merge node, and with it SQL query mode (NODES_EXCLUDE is a single setting, so if you apply both workarounds list the Form and Merge node names together in one value rather than setting the variable twice):

NODES_EXCLUDE=n8n-nodes-base.merge

Use external runner mode (mitigates CVE-2026-27495):

N8N_RUNNERS_MODE=external

Restrict workflow permissions to fully trusted users only. Even authenticated exploitation requires workflow creation or modification rights.

The Recurring Theme

n8n's architecture relies heavily on sandboxed expression evaluation. Each patch addresses a specific escape technique, but the fundamental challenge remains: safely executing user-controlled expressions in a language (JavaScript) not designed for sandboxing.

Organizations running n8n should consider:

  • Network segmentation limiting what the n8n host can reach
  • Credential rotation after patching to invalidate potentially compromised secrets
  • Monitoring for unusual outbound connections from n8n infrastructure

The platform's value proposition—connecting everything—becomes a liability when the sandbox fails. Every integration credential becomes attack surface.
