CVE-2026-1470

Severity: Critical · Public PoC available

Published: 27 January 2026
Modified: 20 February 2026
KEV Added:
Patch:
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0194 (83.6th percentile)
Risk Priority: 21 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow Expression evaluation system. Expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- Prevent: Timely flaw remediation through vendor patching directly addresses the RCE vulnerability in the expression evaluation system, which lacks isolation from the runtime.
- Prevent: Information input validation neutralizes directives in user-supplied expressions, preventing arbitrary code execution (CWE-95).
- Prevent: Process isolation separates the execution context of workflow expressions from the underlying runtime, mitigating the insufficient isolation.

Security Summary [AI-generated]

CVE-2026-1470 is a critical Remote Code Execution (RCE) vulnerability in n8n, an open-source workflow automation tool. The issue resides in the workflow Expression evaluation system, where expressions supplied by authenticated users during workflow configuration are evaluated in an execution context that lacks sufficient isolation from the underlying runtime. This flaw, associated with CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code), carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and was published on 2026-01-27.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity and no user interaction required. Exploitation allows the execution of arbitrary code under the privileges of the n8n process, potentially leading to complete compromise of the affected instance. This includes unauthorized access to sensitive data, modification of workflows, and execution of system-level operations.

The vulnerability is addressed via a patch in the n8n GitHub commit at https://github.com/n8n-io/n8n/commit/aa4d1e5825829182afa0ad5b81f602638f55fa04. Further technical details on the vulnerability and exploitation are provided in JFrog's research advisory at https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce/.

Details

CWE(s): CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code)

Affected Products

Vendor: n8n
Product: n8n
Versions: 2.5.0 · ≤ 1.123.17 · 2.0.0 to 2.4.5

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

CVE-2026-1470 is a remote code execution vulnerability in the public-facing n8n workflow automation tool, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0