Breaking Out of the Box: n8n JavaScript Sandbox Escape (CVE-2026-27495)
Vulnerability ID: CVE-2026-27495
CVSS Score: 9.4
Published: 2026-02-25
A critical sandbox escape vulnerability in the n8n workflow automation platform allowing authenticated users to execute arbitrary code on the host server. The flaw resides in the JavaScript Task Runner, where insufficient isolation allows attackers to climb the prototype chain and access the host process context.
TL;DR
n8n's JavaScript Task Runner failed to properly isolate user code, allowing a classic 'prototype climbing' attack. By accessing the constructor of the this context, attackers can reach the host's Function constructor, return the global process object, and execute system commands (RCE). Fixed in versions 1.123.22, 2.9.3, and 2.10.1.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-94 (Improper Control of Generation of Code)
- Attack Vector: Network (Authenticated)
- CVSS: 9.4 (Critical)
- Impact: Remote Code Execution (RCE)
- Privileges Required: Low (Workflow Editor)
- Exploit Status: PoC Available
Affected Systems
- n8n Workflow Automation Platform
-
n8n: < 1.123.22 (Fixed in:
1.123.22) -
n8n: >= 2.0.0, < 2.9.3 (Fixed in:
2.9.3) -
n8n: 2.10.0 (Fixed in:
2.10.1)
Exploit Details
-
GitHub Security Advisory: Prototype climbing technique using
this.constructor.constructorto returnprocess.
Mitigation Strategies
- Input Sanitization (Sandbox Hardening)
- Process Isolation (External Runners)
- Privilege Reduction
Remediation Steps:
- Upgrade n8n to version 1.123.22, 2.9.3, or 2.10.1 immediately.
- Verify that N8N_RUNNERS_ENABLED is handled correctly post-update.
- If patching is impossible, set N8N_RUNNERS_ENABLED=false to disable the vulnerable component.
References
Read the full report for CVE-2026-27495 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)