A technical analysis by Pillar Security reported two now-patched critical vulnerabilities in the n8n workflow automation platform in March 2026 that could allow remote code execution.
KEY FACTS
- Vulnerabilities: CVE-2026-27577 and CVE-2026-27493
- Impact: possible remote code execution and credential exposure
- Affected versions: some 1.x and 2.x releases prior to the latest fixes
- Patches: fixed in releases 2.10.1, 2.9.3 and 1.123.22
CVE-2026-27577 is a sandbox escape in the expression compiler: a missing case in the AST rewriter lets a `process` token slip through untransformed, so an expression written by an authenticated user can execute system commands on the host.
A separate issue, CVE-2026-27493, is a double-evaluation bug in Form nodes that permits unauthenticated expression evaluation through public form endpoints. A crafted payload submitted in a form field can be used to run shell commands without an account.
Self-hosted and cloud deployments are impacted. The CVE-2026-27577 advisory lists the fixed versions as 2.10.1, 2.9.3 and 1.123.22.
Exploitation can expose the N8N_ENCRYPTION_KEY environment variable and allow decryption of stored credentials. Mitigations advised include restricting workflow creation and editing to trusted users and running the platform with limited operating system privileges and network access. Additional temporary workarounds include disabling Form and Form Trigger nodes via the NODES_EXCLUDE environment variable and using external runner mode to reduce the blast radius for other sandbox issues.
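A small triage helper for the points above, added here as an example and not code from Pillar Security or the n8n project: it checks a deployment's reported version against the three fixed releases named in the advisory and tests whether the NODES_EXCLUDE workaround actually covers both Form nodes. It assumes the node type names `n8n-nodes-base.form` and `n8n-nodes-base.formTrigger`, that 2.x minors below 2.9 have no fixed release, and that 2.x minors above 2.10 and any later major already carry the fix.

```javascript
// Fixed releases quoted in the advisory, keyed by release branch.
const FIXED = {
  "1": [1, 123, 22],
  "2.9": [2, 9, 3],
  "2.10": [2, 10, 1],
};

// Node type names for the Form / Form Trigger nodes (assumed identifiers,
// following n8n's "n8n-nodes-base.<node>" naming convention).
const FORM_NODE_TYPES = ["n8n-nodes-base.form", "n8n-nodes-base.formTrigger"];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when the version is at or above the fixed release for its branch.
function isPatched(version) {
  const v = parseVersion(version);
  if (v[0] < 1) return false;              // pre-1.0 builds: treated as unpatched
  if (v[0] === 1) return compare(v, FIXED["1"]) >= 0;
  if (v[0] === 2) {
    if (v[1] < 9) return false;            // 2.0-2.8: no fixed release listed (assumption)
    if (v[1] === 9) return compare(v, FIXED["2.9"]) >= 0;
    return compare(v, FIXED["2.10"]) >= 0; // 2.10 and later minors (assumption)
  }
  return true;                             // later majors assumed to carry the fix
}

// True when NODES_EXCLUDE (a JSON array of node type names) disables both Form nodes.
function formNodesExcluded(env) {
  let excluded;
  try { excluded = JSON.parse(env.NODES_EXCLUDE || "[]"); } catch { return false; }
  return Array.isArray(excluded) && FORM_NODE_TYPES.every((t) => excluded.includes(t));
}

// Summarise what an administrator still needs to do for one deployment.
function assess(version, env) {
  const actions = [];
  if (!isPatched(version)) actions.push("upgrade to 2.10.1, 2.9.3 or 1.123.22 (or later)");
  if (!isPatched(version) && !formNodesExcluded(env)) actions.push("set NODES_EXCLUDE to disable Form and Form Trigger nodes until upgraded");
  return actions;
}
```

Run it against the output of `n8n --version` and the container's environment (`assess(version, process.env)`); an empty list means the deployment is on a fixed release.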
WHY IT MATTERS
The flaws enable both unauthenticated and authenticated vectors to reach command execution and credential disclosure, increasing risk for automated environments. Administrators should apply the provided fixes or use the stated mitigations promptly to limit exposure.

