PT-2026-22028 · N8N · N8N

Eilonc-Pillar · Published 2026-02-25 · Updated 2026-04-14 · CVE-2026-27493

CVSS v4.0: 9.5 Critical
AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions

n8n versions prior to 2.10.1
n8n versions prior to 2.9.3
n8n versions prior to 1.123.22

Description

A second-order expression injection exists in Form nodes. This allows an unauthenticated attacker to inject and evaluate arbitrary expressions by submitting crafted form data. If combined with an expression sandbox escape, this can lead to remote code execution on the host. Exploitation requires a specific configuration where a form node field interpolates a value from an unauthenticated user and the field value begins with an = character, triggering a double-evaluation of the content.

Recommendations

Update to version 2.10.1 or later.
Update to version 2.9.3 or later.
Update to version 1.123.22 or later.
Manually review the usage of form nodes for the mentioned preconditions.
Disable the Form node by adding n8n-nodes-base.form to the NODES_EXCLUDE environment variable.
Disable the Form Trigger node by adding n8n-nodes-base.formTrigger to the NODES_EXCLUDE environment variable.
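
One way to triage the manual review recommended above, as an added example that is not part of the advisory or of n8n's own code: it walks an exported workflow and lists Form and Form Trigger node parameters that are expressions (leading =) and interpolate upstream data. The reference pattern, the sample workflow and its parameter names are assumptions made for illustration.

```python
import re

# Node type identifiers as named in the advisory's recommendations.
FORM_NODE_TYPES = {"n8n-nodes-base.form", "n8n-nodes-base.formTrigger"}
# Assumption: upstream-data references inside {{ ... }} look like one of these.
UPSTREAM_REF = re.compile(r"\{\{.*?(\$json|\$input|\$node|\$items|\$\().*?\}\}", re.S)

def walk_strings(value, path=""):
    """Yield (path, string) for every string nested in a parameters object."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, child in value.items():
            yield from walk_strings(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from walk_strings(child, f"{path}[{index}]")

def audit_workflow(workflow):
    """Return (node name, node type, parameter path) tuples needing review."""
    findings = []
    for node in workflow.get("nodes", []):
        if node.get("type") not in FORM_NODE_TYPES:
            continue
        for path, text in walk_strings(node.get("parameters", {})):
            # A leading '=' marks the parameter value as an expression.
            if text.startswith("=") and UPSTREAM_REF.search(text):
                findings.append((node.get("name"), node["type"], path))
    return findings

# Constructed sample export; node names and parameter names are illustrative.
SAMPLE = {"name": "signup", "nodes": [
    {"name": "On form submission", "type": "n8n-nodes-base.formTrigger",
     "parameters": {"formTitle": "Sign up",
                    "formFields": {"values": [{"fieldLabel": "name"}]}}},
    {"name": "Thanks page", "type": "n8n-nodes-base.form",
     "parameters": {"operation": "completion",
                    "completionTitle": "=Thanks {{ $json.name }}",
                    "completionMessage": "We will be in touch."}},
    {"name": "Store", "type": "n8n-nodes-base.set",
     "parameters": {"value": "={{ $json.name }}"}},
]}

if __name__ == "__main__":
    for name, node_type, path in audit_workflow(SAMPLE):
        print(f"REVIEW {name} ({node_type}): parameters.{path}")
```

To audit a real export, pass audit_workflow the parsed JSON of the exported workflow file; each hit is a candidate for manual review, not a confirmed finding.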

Exploit · Fix · RCE · Code Injection · Eval Injection

Weakness Enumeration

Related Identifiers

CVE-2026-27493
GHSA-75G8-RV7V-32F7

Affected Products

N8N