n8n Sandbox Escape Flaws Allow Full Server Compromise

JFrog security researchers have disclosed two high-severity sandbox escape vulnerabilities in n8n, the popular workflow automation platform. CVE-2026-1470 and CVE-2026-0863 both allow authenticated users to break out of n8n's expression sandboxes and execute arbitrary code on the underlying server.

This marks the third set of critical n8n vulnerabilities disclosed in January. We previously covered CVE-2026-21858, nicknamed "Ni8mare," which allowed unauthenticated attackers to take over vulnerable instances. These new flaws require authentication but are equally dangerous once that threshold is crossed.

Two Paths to Code Execution

n8n allows users to write JavaScript and Python expressions to transform data within workflows. To prevent malicious code, the platform runs these expressions inside sandboxes meant to restrict access to system resources.

Both vulnerabilities bypass those restrictions.

CVE-2026-1470 (CVSS 9.9) targets the JavaScript sandbox. The flaw exists in how n8n handles the JavaScript "with" statement. By manipulating how identifiers resolve, attackers can indirectly access the Function constructor and execute arbitrary code.

JFrog describes it as an "AST sandbox escape vulnerability caused by improper handling of the JavaScript 'with' statement." The code runs directly within n8n's primary process, meaning successful exploitation gives attackers the same privileges as the n8n service itself.

CVE-2026-0863 targets the Python sandbox. It combines format-string-based object introspection with Python 3.10+ AttributeError.obj behavior to regain access to restricted builtins and imports. Once those restrictions fall, attackers can import OS modules and execute system commands.

Impact Assessment

Both vulnerabilities require authentication. In default n8n deployments, this means attackers need valid credentials or access to an already-compromised account. However, several factors increase real-world risk:

Shared workspaces are common in enterprise n8n deployments. An authenticated user who shouldn't have code execution privileges can elevate to server-level access.

Credential theft from other breaches may provide attackers with n8n logins. Any organization using single-sign-on or reused passwords across services faces increased exposure.

Self-hosted instances running outdated versions remain vulnerable indefinitely unless updated. n8n's cloud platform has already been patched.

Once attackers achieve code execution, they can access all credentials stored within n8n workflows—API keys, database connection strings, OAuth tokens, and other secrets used to connect services. A compromised n8n instance typically provides lateral movement opportunities across an organization's infrastructure.

Patched Versions

n8n has released fixes across multiple version branches:

For CVE-2026-1470 (JavaScript sandbox):

• Version 1.123.17
• Version 2.4.5
• Version 2.5.1

For CVE-2026-0863 (Python sandbox):

• Version 1.123.14
• Version 2.3.5
• Version 2.4.2

Organizations running self-hosted n8n should update immediately. The n8n cloud platform has already deployed fixes.

Defense in Depth

Beyond patching, organizations should review their n8n deployments:

1. Audit user access to identify accounts that no longer need n8n privileges
2. Review workflow credentials stored within the platform—rotate any that may have been exposed
3. Network segment n8n instances to limit lateral movement if compromise occurs
4. Enable authentication logging to detect suspicious access patterns
5. Consider IP restrictions for n8n admin interfaces

The pattern of repeated critical vulnerabilities in n8n—three serious disclosures in January alone—suggests organizations should treat workflow automation platforms as high-value targets requiring the same security attention as other critical infrastructure.

The Automation Security Challenge

Workflow automation tools occupy a unique position in enterprise environments. They connect disparate systems, often holding credentials for databases, cloud services, payment processors, and internal applications. A compromised automation platform provides attackers with pre-built pathways through an organization's infrastructure.

n8n isn't alone in facing security scrutiny. The category broadly faces challenges around sandbox security, credential storage, and the inherent tension between flexibility and restriction. Platforms that allow arbitrary code execution will continue attracting vulnerability researchers and attackers alike.

For security teams, the takeaway is clear: automation platforms deserve inclusion in vulnerability management programs, penetration testing scope, and incident response playbooks. The operational convenience they provide comes with commensurate security responsibility.