Security News

Cybersecurity news aggregator

Critical | Vulnerabilities | SecurityWeek

Critical N8n Vulnerabilities Allowed Server Takeover

Two critical vulnerabilities in the n8n workflow automation platform, CVE-2026-27493 and CVE-2026-27577 (reported by Pillar Security with CVSS scores of 9.5 and 9.4 respectively), can be chained by an unauthenticated attacker for remote code execution and sandbox escape, starting from a second-order expression injection in n8n's Form nodes. Affected releases are 1.x before 1.123.22, 2.x before 2.9.3, and 2.10.0; the fixes shipped in 1.123.22, 2.9.3 and 2.10.1. Successful exploitation exposes every credential stored in the n8n database and can lead to full compromise of the host.

The bugs allowed unauthenticated attackers to execute arbitrary code, steal credentials, and take over servers.

By Ionut Arghire | March 12, 2026 (5:54 AM ET)

Two critical-severity vulnerabilities in n8n could have been exploited for unauthenticated remote code execution (RCE) and sandbox escape, exposing all credentials stored in the n8n database, Pillar Security reports.

Tracked as CVE-2026-27493 (CVSS score of 9.5), the first bug is described as a second-order expression injection issue impacting the open source workflow automation platform's Form nodes. Successful exploitation could have allowed an unauthenticated attacker to inject arbitrary commands into a Name field and receive the output of the executed command.

The security defect existed because n8n relied on two expression evaluation passes to evaluate the user's submission: the first pass inserted the submitted value into the workflow's expression output, and the attacker's payload was then evaluated as a new expression during the second pass.

The vulnerability, Pillar explains, could be chained with the second critical flaw, tracked as CVE-2026-27577 (CVSS score of 9.4), to escape the n8n sandbox and execute commands on the host. According to the security team, the flaw allowed a malicious payload to bypass sandbox protections and be executed because the vulnerable node operates at the compilation stage, before the runtime sanitizers run.

Both security defects were addressed in late February in n8n versions 2.10.1, 2.9.3, and 1.123.22. The patch removed the second expression evaluation pass and certain previously accepted parameters, added several global identifiers to the sandbox's blocked identifier list, and hardened AST-aware identifier analysis.
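The double-evaluation defect described above is easier to see in a few lines than in prose. The following is an added example written for this page, not n8n's code: a deliberately tiny "{{ expr }}" template engine whose expressions are only dotted lookups into a context object. The context, the template and the credential value are all constructed for the demonstration. Rendering the output a second time lets a value that arrived as form data (the submitted name) be re-read as an expression, which is exactly the second-order pattern the patch removed by evaluating once.

```javascript
// Added example, not n8n's code: a minimal "{{ expr }}" template engine
// whose expressions are dotted lookups into a context object. It shows why
// feeding rendered output back through the evaluator turns attacker-supplied
// data into an expression (second-order injection), and why the fix is to
// evaluate exactly once.

const EXPR = /\{\{\s*([^{}]+?)\s*\}\}/g;
const PATH = /^\$?[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$/;

// Resolve a dotted path such as "$json.name" against ctx; reject anything else
// so the toy language cannot run arbitrary code.
function resolvePath(path, ctx) {
  if (!PATH.test(path)) throw new Error(`unsupported expression: ${path}`);
  return path
    .split('.')
    .reduce((obj, key) => (obj == null ? undefined : obj[key]), ctx);
}

// Fixed pattern: each expression is resolved once and its value is inserted
// as inert text, even if that text happens to look like "{{ ... }}".
function renderOnce(template, ctx) {
  return template.replace(EXPR, (_, expr) => String(resolvePath(expr, ctx)));
}

// Vulnerable pattern: the rendered string is evaluated again, so any
// "{{ ... }}" that came in as data is treated as code on the second pass.
function renderTwice(template, ctx) {
  return renderOnce(renderOnce(template, ctx), ctx);
}

// Constructed context: a workflow greets the form submitter, and a stored
// credential is reachable from the same expression scope, as stored
// credentials are in a workflow engine. The key value is made up.
function makeContext(submittedName) {
  return {
    $json: { name: submittedName },
    $credentials: { apiKey: 'EXAMPLE-KEY-NOT-REAL' },
  };
}

const TEMPLATE = 'Hello {{ $json.name }}';

// Run a benign submission and one carrying an expression through both
// renderers and return the four outputs for comparison.
function demo() {
  const benign = makeContext('Alice');
  const hostile = makeContext('{{ $credentials.apiKey }}');
  return {
    benignOnce: renderOnce(TEMPLATE, benign),
    benignTwice: renderTwice(TEMPLATE, benign),
    hostileOnce: renderOnce(TEMPLATE, hostile),   // stays literal text
    hostileTwice: renderTwice(TEMPLATE, hostile), // second pass resolves it
  };
}

console.log(demo());
```

Both renderers behave identically on ordinary input, which is why a single evaluation pass looks sufficient and a second one looks harmless; the difference only appears when the data itself contains expression syntax. The practitioner's check is simple: a value that has already been substituted into output must never be fed back into the expression evaluator, and any template engine whose output can be re-rendered should treat that as a bug rather than a feature.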
According to Pillar, the two vulnerabilities impacted both self-hosted and cloud deployments and could be exploited to extract all credentials from the n8n database, including AWS keys, passwords, OAuth tokens, and API keys. "n8n is a credential vault by function. It stores keys to every system it connects to. A single sandbox escape exposes the n8n instance and every connected system," Pillar notes.

Because Form endpoints are intended to be accessible from the internet, the security firm notes, CVE-2026-27493 could be exploited by anyone with a single form submission followed by a GET request; no account on the instance is required.

"For n8n Cloud and multi-tenant deployments, the impact extends beyond the individual instance. As demonstrated previously, sandbox escapes on n8n Cloud grant access to shared infrastructure, creating cross-tenant risk: a single public form on one tenant's workflow could serve as the entry point," Pillar notes.

Written by Ionut Arghire, international correspondent for SecurityWeek.