CVE-2026-27577
Published: 25 February 2026
Description
n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613. An authenticated user with permission to create or modify workflows…
more
could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the code injection vulnerability in n8n's expression evaluation by requiring timely installation of security patches to fixed versions 2.10.1, 2.9.3, or 1.123.22.
Enforces least privilege by limiting workflow creation and modification permissions to fully trusted users only, preventing low-privileged authenticated attackers from exploiting the vulnerability.
Requires validation of user-supplied expressions in workflow parameters to block crafted inputs that lead to arbitrary system command execution.
Security SummaryAI
CVE-2026-27577 is a code injection vulnerability (CWE-94) in the expression evaluation feature of n8n, an open-source workflow automation platform. It affects n8n versions prior to 2.10.1, 2.9.3, and 1.123.22, building on exploits previously addressed in CVE-2025-68613. The flaw enables attackers to execute arbitrary system commands on the host running n8n through specially crafted expressions embedded in workflow parameters.
An authenticated user with permissions to create or modify workflows can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation grants high-impact outcomes, including full confidentiality, integrity, and availability compromise on the host system, as reflected in the CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). This could allow attackers to run arbitrary OS commands, potentially leading to full server takeover.
The vulnerability has been patched in n8n versions 2.10.1, 2.9.3, and 1.123.22; users are advised to upgrade to these or later versions for full remediation. Official advisories recommend limiting workflow creation and editing permissions to fully trusted users only as a temporary measure. Additionally, deploying n8n in a hardened environment with restricted OS privileges and network access can reduce potential impact, though these workarounds do not fully eliminate the risk. Relevant details are available in n8n security advisories and commit histories on GitHub.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote code injection in public-facing n8n application for authenticated users, directly facilitating T1190 (Exploit Public-Facing Application) and arbitrary OS command execution via T1059 (Command and Scripting Interpreter).