CVE-2026-27494

Name of the Vulnerable Software and Affected Versions n8n versions prior to 2.10.1 n8n versions prior to 2.9.3 n8n versions prior to 1.123.22

Description An authenticated user with permission to create or modify workflows could exploit the Python Code node to escape the sandbox. The sandbox did not sufficiently restrict access to certain built-in Python objects, potentially allowing an attacker to exfiltrate file contents or achieve Remote Code Execution (RCE). On instances using internal Task Runners (default runner mode), this could lead to a full compromise of the n8n host. On instances using external Task Runners, an attacker might gain access to or impact other tasks executed on the Task Runner. Task Runners must be enabled using the N8N RUNNERS ENABLED variable.

Recommendations Upgrade to n8n version 2.10.1 or later. Upgrade to n8n version 2.9.3 or later. Upgrade to n8n version 1.123.22 or later. If upgrading is not immediately possible, limit workflow creation and editing permissions to fully trusted users only. If upgrading is not immediately possible, disable the Code node by adding n8n-nodes-base.code to the NODES EXCLUDE environment variable.