{"id":234,"date":"2026-03-11T16:11:47","date_gmt":"2026-03-11T16:11:47","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=234"},"modified":"2026-03-11T16:11:47","modified_gmt":"2026-03-11T16:11:47","slug":"critical-n8n-flaws-allow-remote-code-execution-and-exposure-of-stored-credentials","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=234","title":{"rendered":"Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Mar 11, 2026<\/span><\/span><span class=\"p-tags\"> Vulnerability \/ Application Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Cybersecurity researchers have disclosed details of two now-patched security flaws in the n8n workflow automation platform, including two critical bugs that could result in arbitrary command execution.<\/p>\n<p>The vulnerabilities are listed below &#8211;<\/p>\n<ul>\n<li><strong><a href=\"https:\/\/github.com\/n8n-io\/n8n\/security\/advisories\/GHSA-vpcf-gvg4-6qwr\" rel=\"noopener\" target=\"_blank\">CVE-2026-27577<\/a><\/strong> (CVSS score: 9.4) &#8211; Expression sandbox escape leading to remote code execution (RCE)<\/li>\n<li><strong><a href=\"https:\/\/github.com\/n8n-io\/n8n\/security\/advisories\/GHSA-75g8-rv7v-32f7\" rel=\"noopener\" target=\"_blank\">CVE-2026-27493<\/a><\/strong> (CVSS score: 9.5) &#8211; 
Unauthenticated expression evaluation via n8n&#8217;s Form nodes<\/li>\n<\/ul>\n<p>\"CVE-2026-27577 is a sandbox escape in the expression compiler: a missing case in the AST rewriter lets process slip through untransformed, giving any authenticated expression full RCE,\" Pillar Security researcher Eilon Cohen, who discovered and reported the issues, <a href=\"https:\/\/www.pillar.security\/blog\/zero-click-unauthenticated-rce-in-n8n-a-contact-form-that-executes-shell-commands\" rel=\"noopener\" target=\"_blank\">said<\/a> in a report shared with The Hacker News.<\/p>\n<p>The cybersecurity company described CVE-2026-27493 as a \"double-evaluation bug\" in n8n&#8217;s Form nodes that could be abused for expression injection, taking advantage of the fact that the form endpoints are public by design and require neither authentication nor an n8n account.<\/p>\n<p>All it takes for successful exploitation is a public \"Contact Us\" form: supplying a payload as input in the Name field is enough to execute arbitrary shell commands.<\/p>\n<p>In an advisory released late last month, n8n said CVE-2026-27577 could be weaponized by an authenticated user with permission to create or modify workflows to trigger unintended system command execution on the host running n8n via crafted expressions in workflow parameters.<\/p>\n<p>N8n also noted that CVE-2026-27493, when chained with an expression sandbox escape like CVE-2026-27577, could \"escalate to remote code execution on the n8n host.\" Both vulnerabilities affect the self-hosted and cloud deployments of n8n &#8211;<\/p>\n<ul>\n<li>Affected: &lt; 1.123.22, &gt;= 2.0.0 &lt; 2.9.3, and &gt;= 2.10.0 &lt; 2.10.1 &#8211; fixed in versions 2.10.1, 2.9.3, and 1.123.22<\/li>\n<\/ul>\n<p>If immediate patching of CVE-2026-27577 is not an option, users are advised to limit workflow creation and editing permissions to fully trusted users and deploy n8n in a hardened environment with restricted operating system privileges and network access.<\/p>\n<p>As for CVE-2026-27493, n8n recommends the following mitigations &#8211;<\/p>\n<ul>\n<li>Review the usage of form nodes manually for the above-mentioned preconditions.<\/li>\n<li>Disable the Form node by adding n8n-nodes-base.form to the NODES_EXCLUDE environment variable.<\/li>\n<li>Disable the Form Trigger node by adding n8n-nodes-base.formTrigger to the NODES_EXCLUDE environment variable.<\/li>\n<\/ul>\n<p>\"These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures,\" the maintainers cautioned.<\/p>\n<p>Pillar Security said an attacker could exploit these flaws to read the N8N_ENCRYPTION_KEY environment variable and use it to decrypt every credential stored in n8n&#8217;s database, including AWS keys, database passwords, OAuth tokens, and API keys.<\/p>\n<p>N8n versions 2.10.1, 2.9.3, and 1.123.22 also resolve two more critical vulnerabilities that could be abused to achieve arbitrary code execution &#8211;<\/p>\n<ul>\n<li><strong><a href=\"https:\/\/github.com\/n8n-io\/n8n\/security\/advisories\/GHSA-jjpj-p2wh-qf23\" rel=\"noopener\" target=\"_blank\">CVE-2026-27495<\/a><\/strong> (CVSS score: 9.4) &#8211; An authenticated user with permission to create or modify workflows could exploit a code injection vulnerability in the JavaScript Task Runner sandbox to execute arbitrary code outside the sandbox boundary.<\/li>\n<li><strong><a href=\"https:\/\/github.com\/n8n-io\/n8n\/security\/advisories\/GHSA-wxx7-mcgf-j869\" rel=\"noopener\" target=\"_blank\">CVE-2026-27497<\/a><\/strong> (CVSS score: 9.4) &#8211; An authenticated user with permission to create or modify workflows could leverage the Merge node&#8217;s SQL query mode to execute arbitrary code and write arbitrary files on the n8n server.<\/li>\n<\/ul>\n<p>Besides limiting workflow creation and editing permissions to trusted users, n8n has outlined the workarounds below 
for each flaw &#8211;<\/p>\n<ul>\n<li><strong>CVE-2026-27495<\/strong> &#8211; Use external runner mode (N8N_RUNNERS_MODE=external) to limit the blast radius.<\/li>\n<li><strong>CVE-2026-27497<\/strong> &#8211; Disable the Merge node by adding n8n-nodes-base.merge to the NODES_EXCLUDE environment variable.<\/li>\n<\/ul>\n<p>While n8n makes no mention of any of these vulnerabilities being exploited in the wild, users are advised to keep their installations up to date for optimal protection.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan, Mar 11, 2026 Vulnerability \/ Application Security Cybersecurity researchers have disclosed details of two now-patched security flaws in the n8n workflow automation platform, including two critical bugs that could&hellip;<\/p>\n","protected":false},"author":1,"featured_media":235,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[10,446,58,13,603,11,602,12,604],"class_list":["post-234","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-code","tag-credentials","tag-critical","tag-execution","tag-exposure","tag-flaws","tag-n8n","tag-remote","tag-stored"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/234","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=234"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/234\/revisions"}],"wp:f
eaturedmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/235"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}