JFrog Security Research disclosed two sandbox escape vulnerabilities in n8n that allow authenticated users to achieve remote code execution on the underlying server. The flaws demonstrate the difficulty of safely sandboxing dynamic languages like JavaScript and Python.
Vulnerability overview
| CVE | CVSS | Component | Root Cause |
|---|---|---|---|
| CVE-2026-1470 | 9.9 (Critical) | Expression evaluation engine | JavaScript with statement bypass |
| CVE-2026-0863 | 8.5 (High) | Python Code Node | AttributeError.obj + format strings |
Both require authentication (ability to create/modify workflows), but non-admin users can exploit them to gain infrastructure-level control.
Why n8n vulnerabilities are dangerous
n8n is a workflow automation platform that connects to critical business systems:
| Connected system | Risk if n8n compromised |
|---|---|
| LLM APIs | AI system access, prompt injection |
| Sales data | Customer information exposure |
| Internal IAM | Identity compromise |
| CI/CD pipelines | Supply chain attacks |
| Databases | Data theft, manipulation |
| Cloud services | AWS/Azure/GCP access |
“Compromising n8n doesn’t just give attackers one server, it potentially gives them access to everything n8n connects to.”
CVE-2026-1470: JavaScript sandbox escape
Severity: CVSS 9.9 Critical
n8n’s expression engine evaluates user-provided JavaScript in a sandboxed environment. The sandbox uses AST (Abstract Syntax Tree) parsing to block dangerous constructs.
The bypass mechanism
| Step | Action |
|---|---|
| 1 | Attacker creates workflow with malicious expression |
| 2 | Expression uses deprecated JavaScript with statement |
| 3 | AST parser still supports with (deprecated but valid) |
| 4 | Standalone constructor identifier bypasses sanitization |
| 5 | Identifier resolves to Function constructor |
| 6 | Arbitrary JavaScript executes on n8n’s main node |
| 7 | Attacker gains full Node.js runtime access |
| 8 | System commands execute on host |
Technical details
| Aspect | Details |
|---|---|
| Vulnerability type | Eval injection |
| Bypass technique | with statement AST handling |
| Target | Expression sandbox |
| Result | Full Node.js runtime access |
| Impact | Arbitrary code execution on host |
The deprecated with statement
The JavaScript with statement was deprecated in ES5 strict mode (2009) but remains valid syntax that AST parsers must handle. The n8n sandbox validates expressions using AST parsing, but the with statement creates a scope chain that allows identifier resolution to bypass sanitization:
| Problem | Impact |
|---|---|
| with still parsed by AST | Deprecated ≠ removed |
| Standalone identifier allowed | Resolves through scope chain |
| Identifier reaches Function | Constructor access achieved |
| Arbitrary code execution | Full Node.js runtime control |
This is a classic example of deprecated language features creating security gaps—the feature is “discouraged” but still functional, and security tools must account for it.
Why it’s rated Critical despite requiring authentication
n8n deployments typically grant workflow creation permissions to multiple users. The vulnerability allows any user with basic access to escalate to infrastructure-level control—a significant privilege boundary violation.
| User role | Expected access | Actual access with CVE-2026-1470 |
|---|---|---|
| Workflow creator | Create automations | Full server control |
| Non-admin user | Limited operations | Infrastructure compromise |
| External integrator | API access | Host system access |
CVE-2026-0863: Python sandbox escape
Severity: CVSS 8.5 High
n8n’s Python Code Node runs in a restricted environment that blocks dangerous builtins and imports. The bypass combines two Python behaviors:
Attack technique
| Phase | Technique |
|---|---|
| 1 | Format string object introspection |
| 2 | Python 3.10+ AttributeError.obj behavior |
| 3 | Regain access to restricted builtins/imports |
| 4 | Execute OS commands |
Format string introspection
Python format strings can access object attributes. By crafting specific format strings, attackers can introspect Python’s internal object model.
Python 3.10+ AttributeError.obj
When an AttributeError is raised, Python 3.10+ includes a reference to the object that caused the error in the obj attribute. This provides a path back to restricted builtins and imports.
The result: Attackers regain access to blocked functionality and execute arbitrary OS commands.
Python 3.10+ behavior change
The AttributeError.obj attribute was added in Python 3.10 (October 2021) for improved error messages. This well-intentioned change inadvertently created a security issue:
| Python version | AttributeError behavior |
|---|---|
| < 3.10 | No object reference in exception |
| ≥ 3.10 | AttributeError.obj contains reference to object |
When combined with format string introspection, this allows attackers to “climb back” through Python’s object model to access restricted builtins even after they’ve been explicitly blocked.
Deployment mode impact
n8n can run Python in two modes:
| Mode | Python Execution | CVE-2026-0863 Impact |
|---|---|---|
| External (recommended) | Separate Docker sidecar | Attacker contained in sidecar; additional escape needed |
| Internal | Subprocess on main node | Full n8n instance compromise |
Organizations running n8n in “Internal” mode face higher risk. The “External” configuration provides defense in depth through containerization.
Deployment mode comparison
| Factor | Internal mode | External mode |
|---|---|---|
| Python execution | Main node subprocess | Docker sidecar |
| Compromise scope | Full n8n instance | Container only |
| Additional escape needed | No | Yes (container escape) |
| Defense in depth | None | Container isolation |
| Recommended | No | Yes |
Patched versions
| CVE | Fixed Versions |
|---|---|
| CVE-2026-1470 | 1.123.17, 2.4.5, 2.5.1 |
| CVE-2026-0863 | 1.123.14, 2.3.5, 2.4.2 |
The n8n cloud platform has been patched. Only self-hosted instances running vulnerable versions are affected.
Relationship to CVE-2026-21858
These vulnerabilities are separate from CVE-2026-21858 (Ni8mare), the CVSS 10.0 unauthenticated RCE patched in January 2026.
n8n vulnerability summary (2026)
| CVE | Type | Auth Required | CVSS | Fixed In |
|---|---|---|---|---|
| CVE-2026-21858 | Content-Type confusion | No | 10.0 | 1.121.0 |
| CVE-2026-1470 | JavaScript sandbox escape | Yes | 9.9 | 1.123.17+ |
| CVE-2026-0863 | Python sandbox escape | Yes | 8.5 | 1.123.14+ |
Organizations running n8n should verify they’ve addressed all three CVEs.
Recommendations
Immediate actions
| Priority | Action |
|---|---|
| Critical | Update to latest n8n version (addresses all known vulnerabilities) |
| High | Audit workflow creators—review who has permission to create/modify workflows |
| High | Use External Python mode—provides container isolation |
| High | Review existing workflows for suspicious expression or Python code |
Defense in depth
| Control | Purpose |
|---|---|
| Principle of least privilege | Limit workflow creation to trusted users |
| Network segmentation | Isolate n8n from sensitive systems |
| Container hardening | Additional restrictions on Python sidecar |
| Monitoring | Alert on unusual workflow executions |
| Credential rotation | Limit exposure of connected service credentials |
Architecture considerations
| Consideration | Recommendation |
|---|---|
| Self-hosted vs cloud | Evaluate n8n cloud for managed security |
| Python execution mode | Always use External (Docker sidecar) mode |
| Workflow permissions | Restrict to verified, trusted users |
| Connected credentials | Use service accounts with minimal permissions |
| Network exposure | Never expose n8n to internet |
Detection guidance
| Indicator | Meaning |
|---|---|
| Unusual workflow expressions | Possible exploitation attempt |
| with statement in expressions | CVE-2026-1470 exploitation |
| Format string manipulation in Python | CVE-2026-0863 exploitation |
| Unexpected child processes from n8n | Post-exploitation activity |
| Outbound connections from n8n host | C2 or data exfiltration |
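As an added example (not code from the original advisory, n8n, or JFrog), a small Node.js audit script that applies the indicators above to an exported workflow JSON; the node and parameter field names, the "={{ }}" expression marker and the matching rules are assumptions about n8n's export format, not documented API.

```javascript
// Added example (not n8n's or JFrog's code): heuristic audit of an exported n8n
// workflow JSON for the indicators above. The field names (nodes, parameters,
// pythonCode, the "={{ }}" expression marker) and the rules are assumptions.
const JS_RULES = [  // expression engine (CVE-2026-1470)
  { id: 'js-with-statement', re: /\bwith\s*\(/ },
  { id: 'js-bare-constructor', re: /(^|[^.\w$])constructor\b/ }, // not `.constructor`
];
const PY_RULES = [  // Python Code node (CVE-2026-0863)
  { id: 'py-format-call', re: /\.format\s*\(/ },
  { id: 'py-attributeerror-obj', re: /AttributeError[\s\S]{0,200}?\.obj\b/ },
  { id: 'py-dunder-access', re: /__(class|subclasses|globals|builtins|import|mro)__/ },
];

// Recursively collect every string under a node's parameters, with its path.
function collectStrings(value, path, out) {
  if (typeof value === 'string') out.push({ path, value });
  else if (Array.isArray(value)) value.forEach((v, i) => collectStrings(v, `${path}[${i}]`, out));
  else if (value && typeof value === 'object')
    for (const [k, v] of Object.entries(value)) collectStrings(v, `${path}.${k}`, out);
  return out;
}

// One finding per (node, field, rule) match; an empty array means nothing flagged.
// Heuristics only: a `with (` inside a string literal is a false positive worth eyeballing.
function scanWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    for (const { path, value } of collectStrings(node.parameters || {}, 'parameters', [])) {
      const isExpression = value.startsWith('=') && value.includes('{{');
      const rules = isExpression ? JS_RULES : path === 'parameters.pythonCode' ? PY_RULES : [];
      for (const rule of rules)
        if (rule.re.test(value)) findings.push({ node: node.name, path, rule: rule.id });
    }
  }
  return findings;
}

// Constructed sample: a benign expression, an expression using `with`, and a
// Python Code node that reads AttributeError.obj.
const SAMPLE_WORKFLOW = { nodes: [
  { name: 'Greeting', type: 'n8n-nodes-base.set',
    parameters: { value: '={{ "hi " + $json.name }}' } },
  { name: 'Odd Set', type: 'n8n-nodes-base.set',
    parameters: { value: '={{ (function () { with ($json) { return name } })() }}' } },
  { name: 'Python Code', type: 'n8n-nodes-base.code',
    parameters: { language: 'python',
      pythonCode: 'try:\n    _input.nope\nexcept AttributeError as err:\n    print(err.obj)\nreturn _input.all()' } },
] };
console.log(JSON.stringify(scanWorkflow(SAMPLE_WORKFLOW)));
```

Run it over workflows exported from the n8n UI or REST API; a match is a prompt for manual review of that node, not proof of exploitation.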
JFrog’s assessment
“These vulnerabilities highlight how difficult it is to safely sandbox dynamic, high-level languages such as JavaScript and Python. Even with multiple validation layers, deny lists, and AST-based controls in place, subtle language features and runtime behaviors can be leveraged to bypass security assumptions.”
Sandboxing challenges
| Language feature | Security assumption | Bypass reality |
|---|---|---|
| Deprecated with statement | Not commonly used | Still parsed by AST |
| Format strings | String formatting only | Object introspection possible |
| AttributeError | Error handling | Contains object references |
| Builtins blocking | Prevents dangerous functions | Alternative paths exist |
Context
n8n has now had three critical/high-severity vulnerabilities disclosed in early 2026. The platform’s role in enterprise automation—connecting to databases, cloud services, CI/CD pipelines, and business applications—makes these vulnerabilities particularly impactful.
Organizations should:
| Priority | Action |
|---|---|
| Critical | Maintain aggressive patching cycles for n8n |
| High | Treat n8n as a high-value target requiring enterprise-grade security |
| High | Consider whether self-hosted deployment is appropriate given patching burden |
| Medium | Evaluate whether n8n cloud platform’s managed security is preferable |
| Ongoing | Monitor JFrog and n8n security advisories |
The difficulty of safely sandboxing dynamic languages means that similar vulnerabilities will likely continue to emerge. Defense in depth—container isolation, least privilege, network segmentation—provides essential protection when sandbox bypasses occur.
Current exploitation status
| Factor | Status |
|---|---|
| Active exploitation | Not reported as of disclosure |
| Public PoC | Technical details published by JFrog |
| Weaponized exploit | Not publicly available |
| Cloud platform | Already patched |
| Self-hosted | Requires manual update |
While no active exploitation has been reported, the detailed technical writeup from JFrog provides sufficient information for skilled attackers to develop working exploits. Organizations running self-hosted n8n should patch immediately.
Comparison with CVE-2026-21858 (Ni8mare)
| Attribute | CVE-2026-21858 | CVE-2026-1470 | CVE-2026-0863 |
|---|---|---|---|
| Name | Ni8mare | N/A | N/A |
| CVSS | 10.0 | 9.9 | 8.5 |
| Auth required | No | Yes | Yes |
| Component | Content-Type handling | Expression sandbox | Python sandbox |
| Fixed in | 1.121.0 | 1.123.17+ | 1.123.14+ |
The January 2026 Ni8mare vulnerability (CVE-2026-21858) was more severe because it required no authentication. However, CVE-2026-1470 and CVE-2026-0863 are still critical because they allow privilege escalation from any authenticated user to infrastructure control.