
The n8n platform, a widely adopted open source software for orchestrating enterprise automation and workflows, was recently at the center of a new security alert: two vulnerabilities emerged in its sandbox that can lead to Remote Code Execution (RCE) on vulnerable instances.
The first flaw, identified as CVE-2026-1470 and classified with a score of 9.9 (Critical), affects the expression evaluation mechanism in n8n.
Under normal conditions, the platform runs JavaScript code within an isolated sandbox to prevent users from impacting the runtime. However, according to research published by JFrog Security Research, these protections can be circumvented through loopholes in the AST sanitization logic.
By doing so, an authenticated user can inject specially crafted JavaScript into workflows and achieve arbitrary code execution on the instance’s master node.
The second vulnerability, CVE-2026-0863 with a score of 8.5 (High), affects Python code execution in the task runner component.
Here too, JFrog's research has shown that the restrictions imposed on the Python sandbox can be bypassed by exploiting specific string formatting patterns and exception handling.
In practice, a user with basic credentials can execute arbitrary Python code on the underlying operating system, especially if the instance is in “Internal execution mode”.
Both flaws are exploitable if a user is already authenticated and has the ability to create or modify workflows.
The real risk is that, once the sandboxes are bypassed, complete control of the n8n instance could be achieved, with potential access to sensitive data, credentials and environment variables, and even execution of system commands at the operating-system level.
These issues apply to both n8n Cloud and self-hosted installations that have not been updated with the patch releases.
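The paragraphs above tie the impact of both flaws to where the Code node's runtime lives: in the main n8n process, in a runner child process on the same host ("Internal execution mode"), or in a separate runner service. The following is an added example, not code from n8n or from JFrog's research, that audits an n8n `.env`-style configuration for that setting. It assumes the n8n environment variables `N8N_RUNNERS_ENABLED` and `N8N_RUNNERS_MODE` (values `internal` / `external`) as documented by n8n; verify those names against the documentation for your version. The sample configuration is constructed. Running runners externally narrows what a sandbox escape can reach; it does not replace applying the patched releases.

```python
"""Flag n8n deployment settings that raise the impact of a Code-node sandbox escape.

Added example, not n8n's own code. Environment variable names are assumed from
n8n's documentation (N8N_RUNNERS_ENABLED, N8N_RUNNERS_MODE) and should be checked
against the documentation for the deployed version.
"""
from __future__ import annotations

# Constructed sample of an n8n .env file (not taken from any real deployment).
SAMPLE_ENV = """
# n8n deployment settings
N8N_RUNNERS_ENABLED=true
N8N_RUNNERS_MODE=internal
N8N_ENCRYPTION_KEY=REDACTED
"""


def parse_env(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser for .env-style text; skips blanks and comments."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def assess_runner_isolation(env: dict[str, str]) -> list[str]:
    """Return findings describing where Code-node JavaScript/Python executes.

    - runners disabled: code runs inside the main n8n process, so an escape
      lands directly in the process holding credentials and env vars
    - runners enabled, mode "internal": the runner is a child process launched
      by the main instance and shares its host (the "Internal execution mode"
      case called out in the advisory coverage)
    - runners enabled, mode "external": the runner is a separate service,
      which limits what an escape can reach
    Defaults (disabled / internal) are assumptions about n8n's defaults.
    """
    findings: list[str] = []
    enabled = env.get("N8N_RUNNERS_ENABLED", "false").lower() == "true"
    mode = env.get("N8N_RUNNERS_MODE", "internal").lower()
    if not enabled:
        findings.append("task runners disabled: Code nodes run in the main n8n process")
    elif mode == "internal":
        findings.append("runners in internal mode: runner shares the main instance host")
    elif mode != "external":
        findings.append(f"unrecognised N8N_RUNNERS_MODE value: {mode!r}")
    return findings


def hardened_settings() -> dict[str, str]:
    """The corrected setting pair: runners enabled and running as a separate service."""
    return {"N8N_RUNNERS_ENABLED": "true", "N8N_RUNNERS_MODE": "external"}


if __name__ == "__main__":
    env = parse_env(SAMPLE_ENV)
    for finding in assess_runner_isolation(env):
        print("finding:", finding)
    print("recommended:", hardened_settings())
```

Point `parse_env` at the real `.env` (or at the container's environment) and treat any finding as a reason to move runners to external mode while the upgrade to the fixed releases is scheduled.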
JFrog recommends updating n8n to the specific versions that address these vulnerabilities:
These findings come as workflow platforms are increasingly being integrated with critical business systems and external APIs.
A compromised instance doesn't just mean a single compromised service, but possible access to multiple connected systems, making patching and a review of access policies a priority.
