CVE-2026-27498 – This vulnerability allows authenticated users w... (How to Fix)

Q: What is the severity of CVE-2026-27498?

CVE-2026-27498 has a CVSS score of 8.8 (HIGH). This vulnerability allows authenticated users with workflow creation/modification permissions in n8n to achieve remote code execution by chaining file operations with git commands. Attackers can write malicious configuration files and trigger git operations to execute arbitrary shell commands on the n8n host. All n8n installations prior to versions 2.2.0 and 1.123.8 are affected.

📋 TL;DR

This vulnerability allows authenticated users with workflow creation/modification permissions in n8n to achieve remote code execution by chaining file operations with git commands. Attackers can write malicious configuration files and trigger git operations to execute arbitrary shell commands on the n8n host. All n8n installations prior to versions 2.2.0 and 1.123.8 are affected.

💻 Affected Systems

Products:

n8n

Versions: All versions prior to 2.2.0 and 1.123.8

Operating Systems: All platforms running n8n

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated user with permission to create or modify workflows. The Read/Write Files from Disk node must be available.

📦 What is this software?

N8n by N8n

View all CVEs affecting N8n →

N8n by N8n

View all CVEs affecting N8n →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the n8n host allowing attackers to execute arbitrary commands, access sensitive data, pivot to other systems, and establish persistent access.

🟠

Likely Case

Authenticated attackers with workflow permissions gain shell access to the n8n host, potentially accessing sensitive workflow data and system resources.

🟢

If Mitigated

With proper permission controls and node restrictions, risk is limited to trusted users only, though insider threat remains possible.

🌐 Internet-Facing: HIGH if n8n is internet-accessible and has authenticated users with workflow permissions.

🏢 Internal Only: MEDIUM as it requires authenticated access and specific permissions, but could be exploited by malicious insiders or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires authenticated access with specific permissions and knowledge of workflow chaining techniques. The advisory provides technical details but no public exploit code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.0 or 1.123.8

Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-x2mw-7j39-93xq

Restart Required: Yes

Instructions:

1. Backup your n8n instance and workflows. 2. Stop the n8n service. 3. Update n8n to version 2.2.0 or 1.123.8 using your package manager or deployment method. 4. Restart the n8n service. 5. Verify the update was successful.

🔧 Temporary Workarounds

Disable Read/Write Files from Disk Node

all

Prevents exploitation by removing the vulnerable node from available workflow nodes

export NODES_EXCLUDE=n8n-nodes-base.readWriteFile

🧯 If You Can't Patch

Limit workflow creation and editing permissions to fully trusted users only
Implement strict access controls and monitor user activity on n8n instances

🔍 How to Verify

Check if Vulnerable:

Check n8n version via web interface or API. If version is below 2.2.0 (for v2) or 1.123.8 (for v1), the system is vulnerable.

Check Version:

Check n8n web interface settings or use: curl -X GET 'http://n8n-host:5678/rest/version'

Verify Fix Applied:

Confirm n8n version is 2.2.0 or higher (for v2) or 1.123.8 or higher (for v1). Test that the Read/Write Files from Disk node cannot be used for malicious git operations.

📡 Detection & Monitoring

Log Indicators:

Unusual git operations triggered via n8n workflows
Multiple file write operations followed by git commands
Workflow executions with suspicious file paths

Network Indicators:

Unexpected outbound connections from n8n host following workflow execution

SIEM Query:

source="n8n" AND ("git" OR "writeFile" OR "readWriteFile") AND status="success"

📊 Metadata

CVE ID: CVE-2026-27498

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-94

Published: February 25, 2026

Last Updated: March 4, 2026

🔗 References

https://github.com/n8n-io/n8n/commit/97365caf253978ba8e46d7bc53fa7ac3b6f67b32 Patch
https://github.com/n8n-io/n8n/commit/e22acaab3dcb2004e5fe0bf9ef2db975bde61866 Patch
https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.8 Release Notes
https://github.com/n8n-io/n8n/releases/tag/n8n@2.2.0 Release Notes
https://github.com/n8n-io/n8n/security/advisories/GHSA-x2mw-7j39-93xq Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-27498, you might also want to check these: