Cybersecurity researchers from JFrog have identified two high-severity vulnerabilities in the n8n workflow automation platform that could lead to full system compromise. The most critical flaw, tracked as CVE-2026-1470 with a CVSS score of 9.9, is an eval injection vulnerability that enables authenticated users to bypass the JavaScript expression sandbox and execute arbitrary code on the platform's main node. This discovery comes shortly after reports of a separate critical unauthenticated flaw affecting nearly 40,000 instances.
The second vulnerability, CVE-2026-0863 (CVSS 8.5), targets the platform's Python task runner, allowing attackers to escape sandbox restrictions and run arbitrary commands on the underlying operating system. Given that n8n often centralizes credentials for AI models, databases, and internal IAM systems, these escapes effectively provide a "skeleton key" to an organization's entire infrastructure. Users are strongly advised to update to the latest patched versions, including 1.123.17, 2.4.5, or 2.5.1, to secure their environments.
Top comments (0)