9.9

CVE-2026-1470

Exploit

Authenticated users can bypass the Expression sandbox mechanism to achieve full remote code execution on n8n’s main node.

n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow Expression evaluation system. Expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime.

An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
N8nN8n SwPlatformnode.js Version < 1.123.17
N8nN8n SwPlatformnode.js Version >= 2.0.0 < 2.4.5
N8nN8n Version2.5.0 SwPlatformnode.js
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 18.07% 0.968
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
reefs@jfrog.com 9.9 3.1 6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

https://github.com/n8n-io/n8n/commit/aa4d1e5825829182afa0ad5b81f602638f55fa04
Patch
https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce/
Patch
Third Party Advisory
Exploit