N8n expression sandbox escape and Form node double-evaluation flaws (multiple vulnerabilities)
Vulnerability
Summary
n8n patched two critical flaws affecting self-hosted and cloud deployments, including an expression sandbox escape and an unauthenticated Form node double-evaluation bug that could enable remote code execution and stored-credential decryption. The vulnerabilities are tracked as CVE-2026-27577 and CVE-2026-27493, with fixes released in 1.123.22, 2.9.3, and 2.10.1. The risk is significant because a successful chain could expose N8N_ENCRYPTION_KEY and let an attacker decrypt credentials such as AWS keys, database passwords, OAuth tokens, and API keys. Temporary mitigations include restricting workflow editing to trusted users and disabling the affected form-related nodes where needed.
Related Happenings
CISA orders FCEB agencies to patch n8n by March 25, 2026
Public Sector Action
First: 12.03.2026 07:18
Last: 12.03.2026 07:18
Sources 1
About this happening:
CISA ordered **FCEB agencies** to patch their **n8n** instances by **March 25, 2026**, turning a vulnerable workflow-automation platform into a federal remediation deadline. The m...
N8n actively exploited remote code execution vulnerability (CVE-2025-68613)
Vulnerability
First: 11.03.2026 20:21
Last: 11.03.2026 20:21
Sources 1
About this happening:
An **actively exploited** **n8n** remote code execution flaw, **CVE-2025-68613**, lets authenticated attackers run arbitrary code on vulnerable servers and can lead to full compro...
Latest development: 12.03.2026 07:18
CISA adds CVE-2025-68613, an n8n expression-injection flaw with CVSS 9.9 that can lead to remote code execution, to its Known Exploited Vulnerabilities catalog after evidence of active exploitation; CISA says it is the first n8n vulnerability placed in KEV.
N8n sandbox escape flaws (multiple vulnerabilities)
Vulnerability
First: 04.02.2026 15:00
Last: 04.02.2026 15:00
Sources 1
About this happening:
Two **maximum-severity sandbox-escape flaws** in **n8n** expose **self-hosted and cloud instances** to **complete server takeover** and **credential theft**. An **authenticated us...
Timeline
- 11.03.2026 16:51 · 2 articles
Pillar Security discloses n8n CVE-2026-27577 and CVE-2026-27493
Initial Disclosure
Pillar Security disclosed two now-patched n8n vulnerabilities, CVE-2026-27577 and CVE-2026-27493, affecting self-hosted and cloud deployments. They enable arbitrary command execution or remote code execution through an expression sandbox escape and a public Form node double-evaluation bug. n8n said the fixed versions are 1.123.22, 2.9.3, and 2.10.1, and recommended temporary mitigations: restricting workflow creation and editing to trusted users, hardening host privileges, disabling n8n-nodes-base.form and n8n-nodes-base.formTrigger, and, for the related CVE-2026-27495 and CVE-2026-27497 issues, using N8N_RUNNERS_MODE=external or disabling n8n-nodes-base.merge.
- Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials — thehackernews.com — 11.03.2026 16:51
- Critical Zero-Click Flaw in n8n Allows Full Server Compromise — www.infosecurity-magazine.com — 12.03.2026 17:28