CVE-2026-27495
📋 TL;DR
This vulnerability in n8n allows authenticated users with workflow creation/modification permissions to escape the JavaScript Task Runner sandbox and execute arbitrary code. In default configurations with internal Task Runners, this can lead to full host compromise. All n8n instances with Task Runners enabled are affected.
💻 Affected Systems
- n8n
📦 What is this software?
N8n by N8n
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the n8n host system when using internal Task Runners (the default mode), allowing an attacker to execute arbitrary commands, access sensitive data, and pivot to other systems.
Likely Case
Authenticated attackers with workflow permissions gain code execution within the Task Runner environment, potentially accessing other workflows and sensitive data processed by n8n.
If Mitigated
With external Task Runners and strict permission controls, impact is limited to the Task Runner environment rather than the main n8n host.
🎯 Exploit Status
Requires authenticated user with workflow creation/modification permissions. Exploitation involves crafting malicious JavaScript in workflows.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.10.1, 2.9.3, or 1.123.22
Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-jjpj-p2wh-qf23
Restart Required: Yes
Instructions:
1. Back up your n8n instance and workflows.
2. Update n8n to version 2.10.1, 2.9.3, or 1.123.22 using your package manager or deployment method.
3. Restart the n8n service.
4. Verify that the update was successful.
🔧 Temporary Workarounds
Use External Task Runners
Switch from internal to external Task Runner mode to limit the blast radius:
export N8N_RUNNERS_MODE=external
Restrict Workflow Permissions
Limit workflow creation and editing to fully trusted users only.
🧯 If You Can't Patch
- Disable Task Runners entirely by setting N8N_RUNNERS_ENABLED=false
- Implement strict network segmentation to isolate n8n instances from sensitive systems
🔍 How to Verify
Check if Vulnerable:
Check the n8n version and the Task Runner configuration. If the version is below the patched release for its line (2.10.1, 2.9.3, or 1.123.22) AND N8N_RUNNERS_ENABLED=true, the system is vulnerable.
Check Version:
Run n8n --version, or read the version field of package.json in the installation directory.
Verify Fix Applied:
Using the version check command, verify that the n8n version is at or above the patched release for its line: 2.10.1, 2.9.3, or 1.123.22.
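As an added check script (not part of the advisory or of n8n itself), the following Python applies the two conditions above: it maps the running version to the patched release of its own line and reads N8N_RUNNERS_ENABLED from the environment. Assumptions, also marked in the code: an unset N8N_RUNNERS_ENABLED counts as enabled, 2.0 to 2.8 count as unpatched, and 3.x and later count as patched.

```python
import os
import re
import subprocess
import sys
from typing import Dict, Tuple

# Patched releases named in the advisory, keyed by the release line each one fixes.
FIXED: Dict[str, Tuple[int, int, int]] = {"1.x": (1, 123, 22), "2.9.x": (2, 9, 3), "2.10.x": (2, 10, 1)}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'n8n --version' output such as '1.123.21' or 'v2.10.0' into a comparable tuple."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def runs_patched_code(version: Tuple[int, int, int]) -> bool:
    """Compare against the patched release of the same line; a newer line counts as patched."""
    major, minor, _ = version
    if major == 1:
        return version >= FIXED["1.x"]
    if major == 2:
        if minor == 9:
            return version >= FIXED["2.9.x"]
        if minor >= 10:
            return version >= FIXED["2.10.x"]
        return False  # 2.0 to 2.8: no patched release is listed, so treat the line as vulnerable (assumption)
    return major > 2  # assumption: 3.x and later ship with the fix; 0.x predates it

def runners_enabled(env: Dict[str, str]) -> bool:
    """N8N_RUNNERS_ENABLED=true is the advisory's condition; unset counts as enabled (assumption: it is the default)."""
    value = env.get("N8N_RUNNERS_ENABLED")
    return True if value is None else value.strip().lower() == "true"

def is_vulnerable(version_text: str, env: Dict[str, str]) -> bool:
    return runners_enabled(env) and not runs_patched_code(parse_version(version_text))

def main() -> int:
    # Version from argv[1] if given, else from 'n8n --version'; runner setting from the calling shell's environment.
    text = sys.argv[1] if len(sys.argv) > 1 else subprocess.run(
        ["n8n", "--version"], capture_output=True, text=True, check=True).stdout
    env = dict(os.environ)
    vulnerable = is_vulnerable(text, env)
    print(f"n8n {'.'.join(map(str, parse_version(text)))} runners_enabled={runners_enabled(env)} "
          f"-> {'VULNERABLE to CVE-2026-27495' if vulnerable else 'not affected by CVE-2026-27495'}")
    return 1 if vulnerable else 0

if __name__ == "__main__":
    sys.exit(main())
```

Run it on the n8n host with the same environment the service uses; the exit code is 1 when the instance is vulnerable, so it can sit in a fleet check.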
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript execution patterns in workflow logs
- Multiple workflow modifications by a single user in a short timeframe
- Error logs related to Task Runner sandbox violations
Network Indicators:
- Unexpected outbound connections from n8n host
- Network traffic to/from Task Runner ports (default 5678)
SIEM Query:
source="n8n" AND ("workflow modified" OR "task runner" OR "sandbox") | stats count by user, workflow_id