JavaScript Articles

New n8n Sandbox Escape Vulnerabilities Allow Remote Code Execution

JFrog discovered two sandbox escape flaws in n8n: CVE-2026-1470 (CVSS 9.9) bypasses JavaScript sandboxing via deprecated 'with' statement, and CVE-2026-0863 (CVSS 8.5) escapes Python restrictions via AttributeError.obj.

February 2, 2026 n8n vulnerability RCE