CVE-2026-27498

CVE-2026-27498 is a remote code execution vulnerability (CWE-94) affecting n8n, an open source workflow automation platform, in versions prior to 2.2.0 and 1.123.8. The flaw arises from the ability of authenticated users with permission to create or modify workflows to chain the Read/Write Files from Disk node with git operations. By writing to specific configuration files and triggering a git operation, attackers can execute arbitrary shell commands on the n8n host. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-25.

An authenticated attacker with workflow creation or modification permissions can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants full remote code execution on the underlying n8n host, potentially allowing complete compromise including data exfiltration, persistence, or lateral movement.

The issue is fixed in n8n versions 2.2.0 and 1.123.8; users should upgrade to these or later versions for remediation. As temporary mitigations, administrators can limit workflow creation and editing permissions to fully trusted users only and/or disable the Read/Write Files from Disk node by setting the `n8n-nodes-base.readWriteFile` value in the `NODES_EXCLUDE` environment variable. These workarounds do not fully eliminate the risk and are intended for short-term use only. Relevant details are available in the n8n security advisory (GHSA-x2mw-7j39-93xq) and associated GitHub commits and release notes.