N8n sandbox escape flaws (multiple vulnerabilities)
Vulnerability
Summary
Two maximum-severity sandbox-escape flaws in n8n expose self-hosted and cloud instances to complete server takeover and credential theft. An authenticated user can exploit the weaknesses to steal API keys, cloud provider keys, database passwords and OAuth tokens. n8n shipped version 2.4.0 in January 2026 to fix both issues after the first patch was bypassed within 24 hours.
Related Happenings
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical Analysis
First: 21.05.2026 23:07
Last: 21.05.2026 23:07
Sources 1
About this happening:
Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
SAP Commerce Cloud missing authentication check remote code execution flaw (CVE-2026-34263)
Vulnerability
First: 12.05.2026 14:04
Last: 12.05.2026 14:04
Sources 1
About this happening:
**CVE-2026-34263** is a critical **SAP Commerce Cloud** flaw that can let **unauthenticated attackers** execute code on vulnerable servers. The weakness is a **missing authenticat...
LiteLLM pre-auth SQL injection (CVE-2026-42208)
Vulnerability
First: 29.04.2026 00:07
Last: 29.04.2026 00:07
Sources 1
About this happening:
**LiteLLM**'s **CVE-2026-42208** pre-auth SQL injection is being actively exploited, putting proxy databases and stored secrets at risk. The flaw can be triggered without authenti...
Latest development: 29.04.2026 08:34
BerriAI released `1.83.7-stable` on April 19, 2026 to address `CVE-2026-42208`, a critical `SQL injection` in LiteLLM proxy API key checks, and recommended setting `disable_error_logs: true` as a workaround when immediate upgrading is not possible.
N8n actively exploited remote code execution vulnerability (CVE-2025-68613)
Vulnerability
First: 11.03.2026 20:21
Last: 11.03.2026 20:21
Sources 1
About this happening:
An **actively exploited** **n8n** remote code execution flaw, **CVE-2025-68613**, lets authenticated attackers run arbitrary code on vulnerable servers and can lead to full compro...
Latest development: 12.03.2026 07:18
CISA adds CVE-2025-68613, an n8n expression-injection flaw with CVSS 9.9 that can lead to remote code execution, to its Known Exploited Vulnerabilities catalog after evidence of active exploitation; CISA says it is the first n8n vulnerability placed in KEV.
N8n expression sandbox escape and Form node double-evaluation flaws (multiple vulnerabilities)
Vulnerability
First: 11.03.2026 16:51
Last: 11.03.2026 16:51
Sources 1
About this happening:
**n8n** patched two critical flaws affecting **self-hosted and cloud deployments**, including an **expression sandbox escape** and an **unauthenticated Form node double-evaluation...
Timeline
- 04.02.2026 15:00 · 2 articles
N8n sandbox escape flaws (multiple vulnerabilities)
Initial Disclosure: Researchers reported **two maximum-severity sandbox escapes** in **n8n** that could let an authenticated user take over servers and steal stored secrets. A fix in **version 2.4.0** followed after the first patch was bypassed within **24 hours**.
- Two Critical Flaws in n8n AI Workflow Automation Platform Allow Complete Takeover — www.infosecurity-magazine.com — 04.02.2026 15:00