n8n RCE: When 'Do Not Enter' is Just a Suggestion
Vulnerability ID: CVE-2026-27577
CVSS Score: 9.4
Published: 2026-02-25
A critical Remote Code Execution (RCE) vulnerability in n8n (CVE-2026-27577) allows attackers to compromise the host system by chaining a trivial authentication bypass in the ChatTrigger node with a sophisticated sandbox escape. This isn't just a minor bug; it's a full-system compromise waiting to happen for any instance exposing the LangChain integration. By exploiting a logic error in cookie validation and a parsing oversight in the Abstract Syntax Tree (AST) rewriter, attackers can execute arbitrary system commands with the privileges of the n8n process.
TL;DR
n8n's ChatTrigger node checked if an auth cookie existed, not if it was valid. Combined with a failure to sanitize the JavaScript spread operator (...) and Python's __objclass__ in the execution sandbox, this allows unauthenticated RCE.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-94 (Code Injection)
- Attack Vector: Network (AV:N)
- CVSS Score: 9.4 (Critical)
- Auth Required: None (via Bypass)
- Exploit Status: High Probability / Trivial
- Impact: Full System Compromise
Affected Systems
- n8n Workflow Automation (Self-Hosted)
- n8n Cloud (Fixed via managed updates)
- LangChain Integration for n8n
- n8n: < 1.123.22 (Fixed in: 1.123.22)
- n8n: 2.0.0 - < 2.9.3 (Fixed in: 2.9.3)
- n8n: 2.10.0 (Fixed in: 2.10.1)
Code Analysis
Commit: 1479aab
Fix: Prevent expression sandbox escape via spread operator and property access
@@ -120,6 +120,7 @@ export class ExpressionSandbox {
+ SpreadElement: (node) => this.visitSpreadElement(node),
...
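Review bot: Only the `SpreadElement` dispatch entry is added here; `visitSpreadElement` itself is not in the hunk, so the review cannot confirm that it rejects or rewrites spread arguments in every position where `...` can appear (call arguments, array literals and object literals). The commit title also names property access, and the advisory names Python's `__objclass__`, neither of which is visible in this hunk; a regression test covering `...` in each AST position and the property-access path should ship with the change.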
Commit: 9e5212e
Fix: Validate auth cookie signature in GenericFunctions
@@ -45,7 +45,7 @@
- if (!authCookie && webhookName !== 'setup') {
+ if (!validateCookie(authCookie) && webhookName !== 'setup') {
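Review bot: Replacing the presence check with `validateCookie(authCookie)` is the right shape of fix, but `validateCookie` is not shown, so confirm it returns false for an undefined or malformed cookie (preserving the old `!authCookie` rejection), compares the signature in constant time and checks expiry. The `webhookName !== 'setup'` exemption is unchanged and still skips authentication for the setup webhook; that path should either be documented as intentional or guarded by its own check.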
Exploit Details
- Internal Research: Sandbox escape POC using JavaScript spread operator.
- Internal Research: Original context for ChatTrigger auth bypass.
Mitigation Strategies
- Update n8n to patched versions immediately.
- Place n8n behind a VPN or authenticated reverse proxy (e.g., Cloudflare Zero Trust, Authelia).
- Run n8n in a restricted Docker container with no root privileges and read-only filesystems.
Remediation Steps:
- Pull the latest Docker image: docker pull n8nio/n8n:latest
- Verify the running version is >= 2.10.1, 2.9.3, or 1.123.22 for your release line.
- Restart the container.
- Audit existing workflows for suspicious ChatTrigger nodes or unauthorized modifications.
References
Read the full report for CVE-2026-27577 on our website for more details including interactive diagrams and full exploit analysis.