Tag: JFrog Security

  • Automation or Infiltration? The JFrog Discoveries Breaking n8n’s Security Sandboxes

    Security researchers have disclosed two critical vulnerabilities in the n8n workflow automation platform. Both flaws allow an authenticated user to execute arbitrary code on the host, which can lead to a full takeover of the platform.

    The flaws were identified by researchers at JFrog. The first, CVE-2026-1470, carries a near-maximum CVSS score of 9.9 and is a code injection through the eval mechanism that lets an attacker bypass the Expression Sandbox protections. Successful exploitation runs attacker-supplied JavaScript directly on the main n8n node.

    The second vulnerability, CVE-2026-0863, is rated 8.5. It affects the python-task-executor environment: its restrictions can be bypassed, allowing arbitrary Python commands to be executed at the operating-system level. Both issues require prior authentication, but they remain a serious threat, particularly in deployments that use the "internal" task execution mode. The n8n developers caution that this mode lacks adequate process isolation and strongly recommend the "external" execution mode for production environments.

    The report stresses that n8n is frequently used to orchestrate sensitive internal processes, including calls to Large Language Model (LLM) APIs, sales data repositories, and internal access management systems. Compromising such a deployment could give an attacker nearly unrestricted control over an organisation's infrastructure.

    To mitigate these risks, users must upgrade to the patched versions. For CVE-2026-1470, the fixed versions are 1.123.17, 2.4.5, or 2.5.1. For CVE-2026-0863, users should upgrade to 1.123.14, 2.3.5, or 2.4.2.
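Because each CVE was fixed on several release lines at once, "am I patched?" is a per-branch comparison rather than a single version check. The following triage helper is an added example written for this page, not code from JFrog or the n8n project. The fixed versions are the ones quoted above; the branch rule (a version counts as patched only if it is at or above the fix for its own major.minor line, or newer than every listed fix) and the treatment of pre-release suffixes as older than the corresponding release are assumptions made for the example.

```python
"""Triage helper: is a given n8n version patched for the two JFrog-reported CVEs?

Added example for this article. Fixed versions are as stated in the text; the
per-branch comparison rule below is an assumption, not n8n's own policy.
"""
from __future__ import annotations

import re

# Fixed versions exactly as listed in the article, keyed by CVE identifier.
FIXED_VERSIONS: dict[str, tuple[str, ...]] = {
    "CVE-2026-1470": ("1.123.17", "2.4.5", "2.5.1"),
    "CVE-2026-0863": ("1.123.14", "2.3.5", "2.4.2"),
}

# major.minor.patch with optional leading 'v' and optional pre-release/build suffix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse an n8n version string into a comparable tuple.

    The fourth element is 1 for a release and 0 for a pre-release, so that
    '2.5.1-rc.1' sorts below '2.5.1' (assumption: pre-releases lack the fix).
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    major, minor, patch, prerelease, _build = match.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_patched(version: str, cve: str) -> bool:
    """Return True if `version` contains the fix for `cve`.

    Rule (assumed for this example):
      1. If a fix exists on the same major.minor line, compare patch levels.
      2. Otherwise the line received no backport: treat it as patched only
         when it is newer than every listed fix (i.e. a later release line).
    """
    installed = parse_version(version)
    fixes = [parse_version(v) for v in FIXED_VERSIONS[cve]]
    for fix in fixes:
        if installed[:2] == fix[:2]:
            return installed >= fix
    return installed > max(fixes)


def triage(version: str) -> dict[str, bool]:
    """Map each CVE on the page to whether `version` is patched against it."""
    return {cve: is_patched(version, cve) for cve in FIXED_VERSIONS}


if __name__ == "__main__":
    # Constructed sample inventory of instances to triage; not real hosts.
    inventory = {"automation-01": "2.4.4", "automation-02": "1.123.15", "lab": "2.3.0"}
    for host, ver in inventory.items():
        status = triage(ver)
        missing = [cve for cve, ok in status.items() if not ok]
        print(f"{host} ({ver}): " + ("patched" if not missing else "missing " + ", ".join(missing)))
```

Note that a 2.4.4 instance is patched for CVE-2026-0863 (fixed in 2.4.2) but still exposed to CVE-2026-1470 (fixed in 2.4.5), so a single "latest minor" check is not enough; the helper reports each CVE separately.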

    These disclosures follow closely on another critical n8n vulnerability, dubbed "Ni8mare" (CVE-2026-21858), which lets an unauthenticated attacker take full control of a vulnerable instance. Telemetry from the Shadowserver Foundation indicates that as of January 27, 2026, over 39,000 instances remained exposed.

    According to JFrog, these incidents underscore how hard it is to sandbox high-level language interpreters such as JavaScript and Python. Despite multi-layered validation, blacklisted constructs, and Abstract Syntax Tree (AST) analysis, bypasses that rely on legacy language features, interpreter quirks, or exception-handling behaviour remain viable routes to a sandbox escape.