N8n Vulnerabilities Could Lead to Remote Code Execution
Briefly

"N8n uses an AST-based sandbox to validate JavaScript input and neutralize potentially dangerous nodes before execution. Several validation layers have been implemented to mitigate known JavaScript sandbox escape vectors. However, because the AST parser still supports a deprecated statement, an attacker can supply an identifier that allows them to achieve arbitrary code execution in n8n's main node. This allows an attacker to completely take over the n8n instance, JFrog says."
"'If the n8n instance is running in the 'Internal' configuration, Python code is executed as a subprocess on the main node itself, allowing a successful exploit to compromise the entire n8n instance,' JFrog explains. The cybersecurity firm discovered that it was possible to abuse gaps in AST-based sandboxes to bypass the implemented protections and achieve remote code execution (RCE) to completely escape the sandbox."
Two high-severity vulnerabilities in n8n enable remote arbitrary code execution by abusing weaknesses in AST sanitization. CVE-2026-1470 (CVSS 9.9) affects the JavaScript expression evaluation engine, where a deprecated AST statement still accepted by the parser allows an attacker-supplied identifier to execute arbitrary code on the main node. CVE-2026-0863 (CVSS 8.5) affects Python code execution in the Code node when running in the 'Internal' configuration, where Python is executed as a subprocess on the main node, enabling full compromise of the instance. Multiple validation layers and deny lists failed to prevent sandbox escape, illustrating the difficulty of safely sandboxing dynamic languages.
Read at SecurityWeek