critical advisory

Critical Vulnerabilities in n8n Workflow Automation Platform

Multiple critical vulnerabilities in n8n versions prior to 2.10.1, 2.9.3, and 1.123.22 enable authenticated users to execute arbitrary code and system commands, potentially leading to full system compromise.

The Centre for Cybersecurity Belgium (CCB) has issued a warning regarding critical vulnerabilities affecting n8n, a workflow automation platform. The vulnerabilities, tracked as CVE-2026-27495, CVE-2026-27577, and CVE-2026-27497, affect n8n versions prior to 2.10.1, 2.9.3, and 1.123.22. Exploitation allows authenticated users with permission to create or modify workflows to execute arbitrary code or system commands on the host. Because n8n automates workflows across connected systems and integrates AI capabilities, vulnerable instances are prime targets for attackers aiming to pivot into those interconnected systems. Successful exploitation can lead to complete system compromise, unauthorized actions, and significant impact on confidentiality, integrity, and availability.

Attack Chain

  1. An attacker gains authenticated access to an n8n instance. This requires valid user credentials.
  2. The attacker uses that account's permission to create or modify workflows.
  3. The attacker exploits any one of the three vulnerabilities; each is sufficient on its own:
     • CVE-2026-27495: a malicious workflow escapes the JavaScript Task Runner sandbox and executes arbitrary code outside the sandbox boundary, if the instance uses the internal Task Runner.
     • CVE-2026-27577: malicious expressions in workflow parameters trigger unintended system command execution on the host.
     • CVE-2026-27497: a malicious query in the Merge node's SQL query mode executes arbitrary code and writes arbitrary files on the host.
  4. The injected code or commands execute with the privileges of the n8n process.
  5. The attacker gains control of the n8n instance, potentially compromising sensitive data and system configurations.
  6. The attacker pivots from the compromised instance to interconnected systems and automates malicious workflows, potentially leading to further compromise and data exfiltration.

Impact

Successful exploitation of these vulnerabilities can lead to full compromise of the n8n instance. This allows attackers to execute arbitrary code, potentially leading to data breaches, system downtime, and unauthorized access to interconnected systems. Given n8n’s role in automating workflows across various platforms and services, a successful attack can have far-reaching consequences for organizations relying on the platform. The vulnerabilities affect the confidentiality, integrity, and availability of the system and associated data.

Recommendation

  • Immediately patch all n8n instances to 2.10.1, 2.9.3, or 1.123.22 (or a later release on the same line) to remediate CVE-2026-27495, CVE-2026-27577, and CVE-2026-27497 (Affected software).
  • Scale up monitoring and detection to identify suspicious activity related to n8n workflows, in particular system command execution and file creation by the n8n process, as recommended by the CCB (Recommended Actions).
  • Implement strict access controls and regularly review user permissions so that the ability to create or modify workflows is limited to accounts that need it; all three vulnerabilities require an authenticated user with that permission, so every such account is part of the attack surface (Description).
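The first recommendation is a version comparison across three release lines, which is easy to get wrong by hand when an inventory mixes 1.x and 2.x instances. The following Python is an added example (not CCB or n8n code) that classifies a version string against the fixed releases named in the advisory. It assumes the fixes exist only on the three lines listed, so an instance on a line with no fixed release of its own (for example 2.8.x) is reported as needing to move to the next fixed line up; the `triage` helper and the inventory in the `__main__` block are constructed for illustration.

```python
"""Version triage for the advisory's fixed releases (2.10.1, 2.9.3, 1.123.22).

Added example; not CCB or n8n code.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory, one per maintained line.
# Assumption: the fixes exist only on these lines, so an instance on a line with
# no fixed release of its own (e.g. 2.8.x) must move to the next fixed line up.
FIXED_RELEASES: Tuple[Version, ...] = ((2, 10, 1), (2, 9, 3), (1, 123, 22))

# Accepts "1.123.22", "v2.9.3", "2.11.0-rc.1"; pre-release/build tags are ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.\-]+)?$")


def parse_version(text: str) -> Version:
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def _fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


def _same_line(version: Version, fixed: Version) -> bool:
    # The 1.x line has a single fix; the 2.x fixes are per minor release.
    if version[0] != fixed[0]:
        return False
    return version[0] == 1 or version[1] == fixed[1]


def required_upgrade(text: str) -> Optional[str]:
    """Lowest fixed release the instance should move to, or None if already patched."""
    version = parse_version(text)
    for fixed in FIXED_RELEASES:
        if _same_line(version, fixed):
            return None if version >= fixed else _fmt(fixed)
    # No fixed release on this line: pick the lowest fix above the current version.
    newer = [fixed for fixed in FIXED_RELEASES if fixed > version]
    return _fmt(min(newer)) if newer else None


def is_vulnerable(text: str) -> bool:
    return required_upgrade(text) is not None


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return one status line per (host, version) pair in an inventory."""
    lines = []
    for host, version in inventory:
        target = required_upgrade(version)
        status = "patched" if target is None else f"VULNERABLE, upgrade to {target}"
        lines.append(f"{host}: n8n {version} -> {status}")
    return lines


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are made up for the example.
    for line in triage([("wf-prod-01", "2.9.2"), ("wf-prod-02", "2.10.1"),
                        ("wf-legacy", "1.120.0"), ("wf-lab", "2.8.4")]):
        print(line)
```

Feed it whatever your inventory source reports as the n8n version (the CLI, the container image tag, or the settings endpoint of the instance); a release newer than every fix on the list is treated as patched, so revisit `FIXED_RELEASES` if a later advisory adds lines.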

Detection coverage (3 rules)

Detect Suspicious System Command Execution via n8n Workflow

high

Detects potential exploitation of CVE-2026-27577 where n8n workflows trigger system command execution.

Rule type: Sigma. Tactic: execution. Technique: T1569.002. Log source: process_creation (linux).

Detect File Creation by n8n with potentially malicious extensions

high

Detects potential exploitation of CVE-2026-27497 where n8n creates files with extensions often used for malicious purposes.

Rule type: Sigma. Tactic: persistence. Technique: T1105. Log source: file_event (linux).

Detect n8n process accessing the network

info

Detects network connections initiated by the n8n process.

Rule type: Sigma. Tactic: command_and_control. Technique: T1071.001. Log source: network_connection (linux).
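The three rules above are described but not shown. As an added example (not the platform's rules, and not n8n or CCB code), the following Python approximates them as predicates over normalized Linux endpoint events and runs them over a constructed event sample. Field names (Image, CommandLine, ParentCommandLine, TargetFilename) follow Sysmon-style naming; the interpreter list, the extension list, and the way the n8n process is identified (a command-line token whose basename is `n8n`) are assumptions to adapt to the deployment.

```python
"""Toy versions of the three n8n detections, run over constructed events.

Added example; the vendor's Sigma rules are not shown on the page and these
are not them. Event shape and field names are Sysmon-style assumptions.
"""
import os
from typing import Callable, Dict, List

# Assumption: the n8n main process is a node binary whose command line names the
# n8n entry point, e.g. "node /usr/local/bin/n8n start". Containers or systemd
# units may need a different identifier (image name, cgroup, unit name).
def is_n8n(cmdline: str) -> bool:
    return any(os.path.basename(tok) == "n8n" for tok in cmdline.split())

# Assumption: interpreters/downloaders a workflow should not normally spawn.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "curl", "wget", "nc"}
# Assumption: extensions the page calls "often used for malicious purposes".
SUSPICIOUS_EXTENSIONS = {".sh", ".py", ".pl", ".so", ".elf", ".service", ".timer", ".jar"}


def detect_command_execution(ev: Dict) -> bool:
    """CVE-2026-27577 coverage: n8n spawning a shell, interpreter or downloader."""
    return (ev.get("category") == "process_creation"
            and is_n8n(ev.get("ParentCommandLine", ""))
            and os.path.basename(ev.get("Image", "")) in INTERPRETERS)


def detect_suspicious_file(ev: Dict) -> bool:
    """CVE-2026-27497 coverage: n8n writing a file with a suspicious extension."""
    ext = os.path.splitext(ev.get("TargetFilename", ""))[1].lower()
    return (ev.get("category") == "file_event"
            and is_n8n(ev.get("CommandLine", ""))
            and ext in SUSPICIOUS_EXTENSIONS)


def detect_network(ev: Dict) -> bool:
    """Informational: any outbound connection by the n8n process."""
    return ev.get("category") == "network_connection" and is_n8n(ev.get("CommandLine", ""))


RULES: List[tuple] = [
    ("Suspicious system command execution via n8n workflow", "high", detect_command_execution),
    ("File creation by n8n with potentially malicious extension", "high", detect_suspicious_file),
    ("n8n process accessing the network", "info", detect_network),
]


def run_detections(events: List[Dict]) -> List[Dict]:
    """Evaluate every rule against every event; return one alert per match."""
    alerts = []
    for idx, ev in enumerate(events):
        for name, severity, predicate in RULES:
            if predicate(ev):
                alerts.append({"event": idx, "rule": name, "severity": severity})
    return alerts


# Constructed sample: two n8n-originated hits, one benign cron shell, one benign
# n8n config write, one n8n HTTPS call, one unrelated node service.
SAMPLE_EVENTS: List[Dict] = [
    {"category": "process_creation", "Image": "/bin/sh", "CommandLine": 'sh -c "id > /tmp/out"',
     "ParentImage": "/usr/bin/node", "ParentCommandLine": "node /usr/local/bin/n8n start"},
    {"category": "process_creation", "Image": "/bin/sh", "CommandLine": "sh -c /etc/cron.daily/logrotate",
     "ParentImage": "/usr/sbin/cron", "ParentCommandLine": "/usr/sbin/cron -f"},
    {"category": "file_event", "Image": "/usr/bin/node", "CommandLine": "node /usr/local/bin/n8n start",
     "TargetFilename": "/tmp/.cache/update.sh"},
    {"category": "file_event", "Image": "/usr/bin/node", "CommandLine": "node /usr/local/bin/n8n start",
     "TargetFilename": "/home/node/.n8n/config"},
    {"category": "network_connection", "Image": "/usr/bin/node", "CommandLine": "node /usr/local/bin/n8n start",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"category": "network_connection", "Image": "/usr/bin/node", "CommandLine": "node /srv/app/server.js",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Two tuning notes: the first rule also fires on legitimate use of n8n's Execute Command node, so baseline the workflows that are expected to spawn shells before treating a hit as exploitation; and the third rule is informational for a reason, since n8n talks to every service it integrates, so use it for enrichment and destination baselining rather than paging.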
