PT-2026-22028 · N8N · N8N
Eilonc-Pillar · Published 2026-02-25 · Updated 2026-04-15 · CVE-2026-27493
CVSS v4.0: 9.5 Critical
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions
n8n versions prior to 2.10.1
n8n versions prior to 2.9.3
n8n versions prior to 1.123.22
Description
A second-order expression injection issue exists in the Form nodes of this open source workflow automation platform. An unauthenticated attacker can inject and evaluate arbitrary expressions by submitting crafted form data. The issue arises when a form node interpolates a value provided by an unauthenticated user and that field value begins with an = character, which causes the content to be evaluated a second time as an expression. While the injection is initially limited to data within the expression context, it can escalate to remote code execution on the host if chained with an expression sandbox escape. Exploitation requires a specific workflow configuration in which user input is reflected back to the user, such as on a confirmation page.
Recommendations
Upgrade to version 2.10.1 or later.
Upgrade to version 2.9.3 or later.
Upgrade to version 1.123.22 or later.
Review the usage of form nodes manually to ensure no fields prefix user-provided values with an = character.
Disable the Form node by adding n8n-nodes-base.form to the NODES_EXCLUDE environment variable.
Disable the Form Trigger node by adding n8n-nodes-base.formTrigger to the NODES_EXCLUDE environment variable.
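To make the manual review above repeatable, here is an added audit script (not part of the advisory or of n8n itself) that scans an exported n8n workflow JSON for Form / Form Trigger nodes whose expression parameters reflect upstream submitted data, the configuration the advisory names as a precondition. The node type identifiers are the ones given in the recommendations; the parameter names in the constructed sample workflow (completionMessage, formFields) are assumptions.

```javascript
// Added audit helper (not n8n's own code): flag Form / Form Trigger nodes in an
// exported workflow whose parameters are expressions that reflect user-submitted
// data, i.e. the "input reflected back" configuration CVE-2026-27493 depends on.
// Node type IDs are taken from the advisory; sample parameter names are assumed.

const FORM_NODE_TYPES = new Set(['n8n-nodes-base.form', 'n8n-nodes-base.formTrigger']);

// n8n stores expression parameters as strings beginning with '='. Any such
// string that pulls data from an earlier item or node reflects upstream input.
const REFLECTS_UPSTREAM = /\$json\b|\$input\b|\$\(['"]/;

// Recursively collect every string parameter together with a dotted path.
function collectStrings(value, path, out) {
  if (typeof value === 'string') out.push([path, value]);
  else if (Array.isArray(value)) value.forEach((v, i) => collectStrings(v, `${path}[${i}]`, out));
  else if (value && typeof value === 'object')
    for (const [k, v] of Object.entries(value)) collectStrings(v, path ? `${path}.${k}` : k, out);
  return out;
}

// Returns one finding per risky parameter: { node, path, expression }.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (!FORM_NODE_TYPES.has(node.type)) continue;
    for (const [path, str] of collectStrings(node.parameters || {}, '', [])) {
      if (str.startsWith('=') && REFLECTS_UPSTREAM.test(str)) {
        findings.push({ node: node.name, path, expression: str });
      }
    }
  }
  return findings;
}

// Constructed sample: a Form Trigger feeding a Form ending page whose completion
// message echoes the submitted field (parameter names are assumptions).
const SAMPLE_WORKFLOW = {
  nodes: [
    { name: 'Form Trigger', type: 'n8n-nodes-base.formTrigger',
      parameters: { formFields: { values: [{ fieldLabel: 'Name' }] } } },
    { name: 'Form Ending', type: 'n8n-nodes-base.form',
      parameters: { completionTitle: 'Thanks',
                    completionMessage: '=Thanks, {{ $json.Name }}!' } },
    { name: 'Set', type: 'n8n-nodes-base.set',
      parameters: { value: '={{ $json.Name }}' } }, // not a form node: ignored
  ],
};

const REPORT = auditWorkflow(SAMPLE_WORKFLOW);
console.log(REPORT); // one finding: Form Ending / completionMessage
```

Run it against each exported workflow file; any finding marks a form node that should be reviewed or removed until the instance is upgraded.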

Tags: Exploit · Fix · RCE · Eval Injection · Code Injection

Weakness Enumeration

Related Identifiers
CVE-2026-27493
GHSA-75G8-RV7V-32F7

Affected Products
N8N