Critical and High Severity n8n Sandbox Flaws Allow RCE

Two serious security flaws affecting the n8n workflow automation platform have exposed weaknesses in the product’s sandboxing mechanisms for JavaScript and Python code.

The vulnerabilities, disclosed by the JFrog Security Research team, could allow authenticated attackers to run arbitrary commands on systems hosting vulnerable n8n instances, including the company’s cloud service and self-hosted deployments that have not been patched.

n8n is a widely adopted automation platform that blends AI-driven capabilities with business process orchestration. Because workflows often require custom scripting, the platform relies on sandbox controls designed to prevent user-supplied code from accessing the underlying operating system. According to the researchers, those controls can be bypassed despite recent security improvements.

The first flaw, tracked as CVE-2026-1470 and carrying a CVSS 3.1 base score of 9.9 (Critical), affects n8n’s JavaScript expression engine. The second, CVE-2026-0863, is rated 8.5 (High) and affects Python execution in the Code node when it runs in “Internal” mode.

In both cases, the researchers showed that gaps in the abstract syntax tree (AST) validation applied to user-supplied code could be abused to escape the sandbox and achieve full remote code execution (RCE).

Exploitation requires the ability to create or modify workflows, a capability often granted to legitimate users. Once abused, the vulnerabilities allow attackers to execute commands in the context of the main n8n service, potentially exposing environment variables, sensitive data and system-level access.

In the JavaScript issue, the researchers found that the sandbox logic did not adequately handle a deprecated but still-supported language feature: the “with” statement.

By manipulating how identifiers are resolved inside such a block, they were able to reach the Function constructor indirectly and execute arbitrary code. The vulnerability was considered particularly severe because the code ran directly within n8n’s primary process.
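As an added illustration of the general weakness described above (this is not n8n’s expression engine and not the JFrog proof of concept), the following toy shows why a validator that looks for dangerous member accesses such as obj.constructor has nothing to match once a “with” block is allowed: the same property lookup becomes a bare identifier, which the check never sees. The names payload, rejectsDangerousMemberAccess, runSloppy and runInStrictMode are this example’s own, and the payload string is constructed for the demonstration.

```javascript
// Added illustration, not n8n's validator and not the published exploit:
// a member-access denylist versus the `with` statement.

// A toy validator in the spirit of many expression sandboxes: it rejects
// member accesses whose property is a known escape hatch. Real validators
// walk an AST, but the blind spot shown here is the same: the check keys
// on syntax (a member expression), not on what a name resolves to at runtime.
const DANGEROUS_MEMBER = /(\.\s*|\[\s*['"])(constructor|__proto__|prototype)\b/;

function rejectsDangerousMemberAccess(src) {
  return DANGEROUS_MEMBER.test(src);
}

// Constructed payload. Object.getPrototypeOf(() => 0) is the shared
// prototype of all functions; inside the `with` block the bare name
// `constructor` is looked up on that object first, which yields the
// Function constructor without a single dot or bracket in the source.
const payload = `
  with (Object.getPrototypeOf(() => 0)) {
    return constructor('return 6 * 7')();
  }
`;

// Sloppy-mode evaluation, the way a sandbox that merely filters source
// text and then hands it to new Function would run it.
function runSloppy(src) {
  return new Function(src)();
}

// Strict mode forbids `with` outright, so the same source never parses.
// Prepending the directive to the function body is one way to enforce it.
function runInStrictMode(src) {
  try {
    return { ok: true, value: new Function('"use strict";\n' + src)() };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Collects the four observations in one place so they can be checked.
function demo() {
  return {
    directAccessRejected: rejectsDangerousMemberAccess('x.constructor("...")'),
    payloadRejected: rejectsDangerousMemberAccess(payload),
    sloppyResult: runSloppy(payload),
    strict: runInStrictMode(payload),
  };
}

console.log(demo());
```

The practical lesson is that the fix is structural rather than a longer denylist: reject WithStatement nodes outright, or compile user code in strict mode where the statement is a syntax error, and treat any in-process sandbox as defence in depth rather than a trust boundary, since an escape lands in the host process with everything it holds.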

The Python flaw stemmed from a different class of weakness. n8n applies a highly restrictive policy that blocks imports and many built-in functions, but the researchers showed that Python’s string formatting could be combined with behaviour introduced in Python 3.10 to recover restricted objects through exception handling. This made it possible to bypass the sandbox without any direct access to forbidden functions.
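The same idea on the Python side, as an added illustration that is not n8n’s sandbox and not the researchers’ chain. One Python 3.10 change that fits the description above is that AttributeError now carries the object on which the failed lookup was performed (its obj attribute); the example assumes that is the behaviour meant. A validator that denies dunder attribute nodes and strips imports is satisfied by code that hides the attribute path inside a str.format field and then reads the target back from the exception. The helper names (validate, validator_rejects, run_sandboxed, demo) and the two sample code strings are this example’s own.

```python
"""Added illustration, not n8n's Python sandbox and not the published chain.

Shows why an AST attribute denylist plus restricted builtins is porous:
str.format performs attribute lookups in C with no Attribute node in the
user's AST, and on Python 3.10+ AttributeError carries the object the
failed lookup was performed on, so a failing lookup hands the object back.
"""
import ast
import sys

# AttributeError.obj and .name exist from Python 3.10 onward (assumption:
# this is the 3.10 change the article refers to).
PYTHON_HAS_ATTRIBUTEERROR_OBJ = sys.version_info >= (3, 10)

# The kind of allowlist a restrictive policy uses: no imports, no open,
# no getattr, and no dunder attribute access anywhere in the tree.
SAFE_BUILTINS = {
    "len": len, "str": str, "range": range, "print": print,
    "AttributeError": AttributeError,
}


def validate(src: str) -> ast.AST:
    """Reject imports and dunder attribute access; return the parsed tree."""
    tree = ast.parse(src)
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            raise ValueError("imports are not allowed")
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            raise ValueError(f"dunder attribute access is not allowed: {node.attr}")
    return tree


def validator_rejects(src: str) -> bool:
    """True when the toy validator refuses the code."""
    try:
        validate(src)
    except ValueError:
        return True
    return False


def run_sandboxed(src: str):
    """Validate, then exec with a restricted builtins table; return `result`."""
    tree = validate(src)
    env = {"__builtins__": SAFE_BUILTINS}
    exec(compile(tree, "<user-code>", "exec"), env)
    return env.get("result")


# Constructed sample: the obvious route is caught by the validator.
DIRECT = "result = ().__class__.__base__"

# Constructed sample: the attribute path lives inside a string literal, so
# the AST holds a Constant and a Call, never an Attribute with a dunder.
# str.format walks () -> tuple -> object and then fails on a name that does
# not exist; on 3.10+ the AttributeError's .obj is the real `object` type,
# which the except clause captures. `e.obj` is not a dunder, so it passes.
INDIRECT = '''
try:
    "{0.__class__.__base__.no_such_attr}".format(())
except AttributeError as e:
    result = e.obj
'''


def demo() -> dict:
    """Run both samples through the toy sandbox and report what happened."""
    out = {
        "direct_rejected": validator_rejects(DIRECT),
        "indirect_rejected": validator_rejects(INDIRECT),
        "recovered": None,
    }
    if PYTHON_HAS_ATTRIBUTEERROR_OBJ:
        out["recovered"] = run_sandboxed(INDIRECT)
    return out


if __name__ == "__main__":
    print(demo())
```

Run on Python 3.10 or later, demo() reports the direct form rejected, the indirect form accepted, and the `object` type recovered from inside the sandbox. The point for a practitioner is that CPython performs attribute lookups on the user’s behalf in places the AST never shows, and exception objects hold references to what was being touched, so an AST denylist is a speed bump rather than a boundary; durable isolation has to come from a separate process with no access to the host’s environment.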

n8n users are advised to upgrade as soon as possible. CVE-2026-1470 is fixed in versions 1.123.17, 2.4.5 and 2.5.1, while CVE-2026-0863 is addressed in versions 1.123.14, 2.3.5 and 2.4.2. Earlier releases in each of those lines remain vulnerable.
