Jai Vijayan, Contributing Writer, January 29, 2026

For the second time in less than a month, researchers have uncovered critical vulnerabilities in a key AI workflow automation system that many organizations have begun using to integrate LLMs into their business processes.

N8n is a popular, low-code platform that lets organizations automate workflows — such as those behind sales transactions, HR onboarding processes and customer support ticketing — by connecting applications, services, and custom logic. As such, any compromise serves up a serious helping of corporate risk.

"N8n is a hub. It holds credentials for every system it connects to," explains Michael Bell, CEO and co-founder of Suzu Labs. "A compromised n8n instance gives an attacker the keys to your customer relationship management (CRM) platform, databases, cloud storage, communication tools, and whatever else you've integrated."

The two latest vulnerabilities in n8n affect the platform's sandbox mechanism and enable attackers to bypass its security controls and hijack an organization's entire n8n service. Researchers at JFrog who discovered the vulnerabilities assigned a critical severity score of 9.9 to one of them (CVE-2026-1470) and a high severity score of 8.5 to the second (CVE-2026-0863).

n8n has patched both vulnerabilities, so users should update immediately. All n8n versions prior to the newly patched 1.123.17, 2.4.5 or 2.5.1 are vulnerable to CVE-2026-1470, while CVE-2026-0863 affects versions earlier than the newly patched 1.123.14, 2.3.5, or 2.4.2.

The blast radius for any cyberattack campaign targeting the bugs is potentially broad: over the past two years, many organizations have begun using n8n to integrate large language models (LLMs) into their business workflows. Market research firm Sacra last October pegged n8n as having some 3,000 enterprise customers and more than 230,000 active users.
The platform has also surpassed 100 million pulls on Docker, and the company itself has raised a total of $240 million in funding to date, including a $180 million Series C round in October 2025. At that time, n8n reported a six-fold increase in customers in 2025 alone.

Full Corporate Takeover via Workflow Automation

"Attackers that are able to create n8n workflows can exploit these vulnerabilities and easily achieve full remote code execution (RCE) on the host running the n8n service," JFrog security researcher Nathan Nehorai said in a blog post earlier this week. "The vulnerabilities were applicable on n8n's cloud platform and are still applicable on any self-hosted deployment of n8n, which is running an unpatched version."

The more serious of the two flaws that JFrog discovered, CVE-2026-1470, stems from how n8n handles user-supplied input inside workflows. The vulnerability allowed JFrog researchers to use an old, deprecated JavaScript feature to essentially make malicious code look safe during inspection and then have it behave maliciously at runtime, bypassing n8n's protections in the process.

The second flaw, CVE-2026-0863, affects the part of n8n that lets users run Python code, but only when that code runs directly on the server instead of inside a container. The researchers found they could leverage the flaw to send error messages to functions that are ordinarily supposed to be off-limits and eventually run any command of their choice on an affected system.

An attacker exploiting these vulnerabilities could gain complete control over the n8n platform, execute arbitrary code on the underlying server, and access credentials, API keys, and other sensitive data — and potentially pivot to other connected systems in the affected environment.
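The version ranges the article gives for the two CVEs are easy to misread when a deployment sits on an older minor line (for example 2.3.x, which never received a CVE-2026-1470 fix because only 1.123.x, 2.4.x and 2.5.x did). The following checker is an added example, not code from JFrog, n8n or the article, that turns those stated ranges into an audit of an installed version string. It assumes n8n's `major.minor.patch` tags, that a major line newer than every patched line already carries the fixes, and that a minor line with no patched release of its own is safe only if it is newer than the newest patched minor line for its major; each of those assumptions is marked in the code.

```python
"""Audit an n8n version string against the patched releases named in the article."""
from __future__ import annotations

import re

# First safe release per branch, exactly as stated in the article.
PATCHED: dict[str, list[str]] = {
    "CVE-2026-1470": ["1.123.17", "2.4.5", "2.5.1"],
    "CVE-2026-0863": ["1.123.14", "2.3.5", "2.4.2"],
}

Version = tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'v2.4.5' or '2.4.5-beta' style tags into (major, minor, patch)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(installed: str, cve: str) -> bool:
    """True if `installed` predates every fix for `cve` on its release line."""
    major, minor, patch = parse_version(installed)
    fixes = sorted(parse_version(p) for p in PATCHED[cve])
    same_major = [f for f in fixes if f[0] == major]
    if not same_major:
        # Assumption: a major line newer than any patched line already carries
        # the fix; an older major line never received one.
        return major < max(f[0] for f in fixes)
    same_branch = [f for f in same_major if f[1] == minor]
    if same_branch:
        # A fix exists on this exact minor line: compare the patch level.
        return (major, minor, patch) < same_branch[0]
    # Assumption: a minor line with no patched release of its own (e.g. 2.3.x
    # for CVE-2026-1470) is safe only if it is newer than the newest patched
    # minor line of this major.
    return minor < max(f[1] for f in same_major)


def audit(installed: str) -> dict[str, bool]:
    """Map each CVE from the article to whether `installed` is still exposed."""
    return {cve: is_vulnerable(installed, cve) for cve in PATCHED}


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for v in ["1.123.16", "2.3.9", "2.4.4", "2.5.1"]:
        exposed = [cve for cve, hit in audit(v).items() if hit]
        print(f"n8n {v}: {'exposed to ' + ', '.join(exposed) if exposed else 'patched'}")
```

Feed it the tag you actually run (`docker image inspect` output, the version banner in the UI, or the `n8n --version` output); anything it reports as exposed should be upgraded to one of the releases named above before the instance is reachable from untrusted workflow authors.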
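Because CVE-2026-0863 only applies when workflow Python runs directly on the server rather than inside a container, and because the defenders quoted later in the article recommend external containers and minimal execution privileges, the following docker-compose sketch is an added example (not from n8n, JFrog or the article) of a self-hosted layout that keeps workflow code out of the main n8n process. The `N8N_RUNNERS_*` variable names and the `n8nio/runners` image are taken from n8n's task-runner documentation as I recall it and are marked as assumptions; confirm them against the documentation for the release you deploy. The image tag `2.5.1` is one of the patched versions named above.

```yaml
# Added example: hardened self-hosted n8n with workflow code isolated in a
# separate runner container. Variable names marked "assumption" must be
# checked against the n8n docs for your version.
services:
  n8n:
    image: n8nio/n8n:2.5.1            # patched release named in the article
    user: "1000:1000"                 # the image's non-root "node" user
    read_only: true                   # only the data volume and /tmp are writable
    tmpfs: [/tmp]
    cap_drop: [ALL]
    security_opt: [no-new-privileges:true]
    ports:
      - "127.0.0.1:5678:5678"         # never publish the UI on all interfaces
    environment:
      - N8N_RUNNERS_ENABLED=true      # assumption: enables task runners
      - N8N_RUNNERS_MODE=external     # assumption: code runs in the runner container
      - N8N_RUNNERS_AUTH_TOKEN=${RUNNERS_TOKEN:?set a long random token}
      - N8N_BASIC_AUTH_ACTIVE=true    # assumption: require authentication
      - N8N_BASIC_AUTH_USER=${N8N_USER:?}
      - N8N_BASIC_AUTH_PASSWORD=${N8N_PASSWORD:?}
    volumes:
      - n8n_data:/home/node/.n8n
    networks: [backend]

  runner:
    image: n8nio/runners:2.5.1        # assumption: separate task-runner image
    user: "1000:1000"
    read_only: true
    tmpfs: [/tmp]
    cap_drop: [ALL]
    security_opt: [no-new-privileges:true]
    environment:
      - N8N_RUNNERS_AUTH_TOKEN=${RUNNERS_TOKEN:?}
      - N8N_RUNNERS_TASK_BROKER_URI=http://n8n:5679   # assumption: broker endpoint
    networks: [backend]
    depends_on: [n8n]

volumes:
  n8n_data:

networks:
  backend:
    # Keep the runner off the host's public interfaces; workflow code that
    # escapes the interpreter still has to escape the container and this network.
```

The point of the layout is the one Murata makes below: a sandbox bypass inside the runner lands in a non-root, read-only, capability-less container that holds no n8n credentials, so the attacker still needs a container escape before the credential store on the `n8n_data` volume is reachable.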
"For platforms like n8n, which are frequently deployed in sensitive environments and handle privileged workflows, these issues underscore the importance of minimizing execution privileges and avoiding reliance on static validation alone," Nehorai said.

All n8n versions prior to 1.123.17, 2.4.5 or 2.5.1 are vulnerable to CVE-2026-1470, while CVE-2026-0863 affects versions earlier than 1.123.14, 2.3.5, or 2.4.2.

More Security Risk, Less Than a Month After "Ni8mare"

The two vulnerabilities that JFrog reported come just a few weeks after n8n disclosed CVE-2026-21858, a critical unauthenticated RCE vulnerability that allows attackers to completely take over locally deployed instances of n8n. That bug, dubbed "Ni8mare" by researchers at Cyera who discovered it, affected an estimated 100,000 servers worldwide but required a combination of prerequisites for an attacker to be able to exploit it.

In lieu of any other vendor directives, organizations currently using n8n services should follow similar guidance offered in the wake of Ni8mare in early January: disconnect n8n from the Internet; require strong authentication; minimize execution privileges; and avoid reliance on static validation.

Bell advocates that organizations keep LLM credentials separate from other system credentials to limit the consequences of a breach. Also, implement input validation on any workflow that accepts external data before passing it to an LLM, he says. "Log everything. Workflow executions, credential access, configuration changes. When something goes wrong, you need the forensic trail to understand what happened and what data was exposed."

Noelle Murata, senior security engineer at Xcape, recommends that organizations deploy workflows in external Docker containers rather than running code directly on main nodes.
"This architecture requires attackers to perform additional container escapes, significantly complicating breaches," Murata says. Organizations also need to implement layered defenses that go beyond static validation, which can be bypassed through language edge cases, as is the case with one of the two vulnerabilities that JFrog discovered.

"Use minimal execution privileges and continuously reassess sandbox security as programming languages evolve," Murata says. "Address language-specific vulnerabilities that standard sandboxing misses. JavaScript's deprecated features and Python's format strings can enable attackers to bypass restrictions and access internal objects."

Honing security defenses will be critical as platforms like n8n gain in popularity; the company is among many in the workflow automation landscape that have begun integrating AI-native features into their platforms in response to the rapid adoption of LLMs and generative AI technologies in enterprise organizations. Rivals in the emerging AI-specific category include LangChain, Gumloop, StackAI and Lindy.

Adoption is growing rapidly in part because these platforms allow organizations to connect LLMs to their existing systems without having to write custom integration code for every use case, says Suzu Labs' Bell: "n8n gives technical teams a visual workflow builder with 400+ pre-built connectors. You can spin up an AI agent that queries your CRM, checks inventory, and sends a Slack message without writing a deployment pipeline."

The platform's self-hosting option is another factor, because enterprises worried about sending sensitive data through third-party AI services can run n8n on their own infrastructure and keep everything internal.

The flip side of corporate adoption, though, is that workflow automation platforms have become a high-value target for attackers. "Low-code and no-code tools move complexity from developers to platform vendors," Bell says.
"The security boundary between user-provided workflow logic and the underlying platform is hard to enforce, especially when that logic includes arbitrary code execution."

Such issues also highlight the broader security risks organizations face as they rush to integrate LLMs into their business workflows and processes. Concerns include prompt injection attacks, model manipulation and poisoning attacks, and software vulnerabilities like the n8n bugs. The growing use of emerging standards like the Model Context Protocol (MCP) to connect LLMs to external data sources and tools is another concern: researchers have unearthed vulnerabilities and dangerous misconfigurations in MCP implementations that allow attackers to take over systems, steal data, and poison models.
Critical remote code execution (RCE) vulnerabilities have been discovered in n8n, a popular AI automation platform. Successful exploitation could allow attackers to hijack servers and steal credentials, leading to a full system takeover.