CVE-2026-0863

Name of the Vulnerable Software and Affected Versions n8n versions prior to 1.123.14 n8n versions prior to 2.3.5 n8n versions prior to 2.4.2

Description An issue exists in n8n that allows an attacker to bypass the python-task-executor sandbox restrictions. This bypass is achieved through the use of string formatting and exception handling, enabling the execution of arbitrary unrestricted Python code in the underlying operating system. The vulnerability can be exploited by an authenticated user with basic permissions via the Code block. In instances operating under "Internal" execution mode, a full n8n instance takeover is possible. If the instance operates under "External" execution mode, arbitrary code execution occurs within a Sidecar container, reducing the impact. The vulnerability is related to a Python 3.10 error-handling feature that bypasses static analysis. The vulnerability is exploitable through the use of f-strings and the traceback object.

Recommendations Update n8n to version 1.123.14 or later. Update n8n to version 2.3.5 or later. Update n8n to version 2.4.2 or later.