CVE-2026-1470
📋 TL;DR
This critical vulnerability in n8n's workflow Expression evaluation system allows authenticated users to execute arbitrary code on the server. Attackers can achieve full system compromise by exploiting insufficient isolation between user-supplied expressions and the underlying runtime. All n8n instances with authenticated users are affected.
💻 Affected Systems
- n8n
📦 What is this software?
N8n by N8n
N8n by N8n
N8n by N8n
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining root/system-level privileges, data exfiltration, complete workflow manipulation, and persistent backdoor installation.
Likely Case
Unauthorized access to sensitive workflow data, credential theft from n8n's database, and lateral movement within the network.
If Mitigated
Limited to authenticated user compromise if network segmentation and least privilege are properly implemented.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. Public research demonstrates practical exploitation techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions including commit aa4d1e5825829182afa0ad5b81f602638f55fa04
Vendor Advisory: https://github.com/n8n-io/n8n/commit/aa4d1e5825829182afa0ad5b81f602638f55fa04
Restart Required: Yes
Instructions:
1. Update n8n to the latest version. 2. Restart the n8n service. 3. Verify the commit hash includes aa4d1e5825829182afa0ad5b81f602638f55fa04.
🔧 Temporary Workarounds
Disable workflow expression functionality
allTemporarily disable expression evaluation in workflows until patching is possible
Restrict authenticated user access
allLimit workflow configuration to trusted administrators only
🧯 If You Can't Patch
- Implement strict network segmentation to isolate n8n instances from critical systems
- Apply principle of least privilege to n8n service account and restrict file system permissions
🔍 How to Verify
Check if Vulnerable:
Check if n8n version predates commit aa4d1e5825829182afa0ad5b81f602638f55fa04. Review git log or version metadata.Check Version:
n8n --version or check package.json versionVerify Fix Applied:
Confirm current version includes commit aa4d1e5825829182afa0ad5b81f602638f55fa04 in the git history.📡 Detection & Monitoring
Log Indicators:
- Unusual expression evaluation patterns
- Suspicious workflow modifications
- Unexpected process spawns from n8n
Network Indicators:
- Outbound connections from n8n to unexpected destinations
- Command and control traffic patterns
SIEM Query:
process_name:n8n AND (event_type:execution OR cmdline:*eval* OR cmdline:*exec*)