{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27577", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T17:40:28.449Z", "datePublished": "2026-02-25T22:19:44.806Z", "dateUpdated": "2026-02-26T20:14:30.327Z"}, "containers": {"cna": {"title": "n8n: Expression Sandbox Escape Leads to RCE", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/n8n-io/n8n/security/advisories/GHSA-vpcf-gvg4-6qwr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-vpcf-gvg4-6qwr"}, {"name": "https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp", "tags": ["x_refsource_MISC"], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp"}, {"name": "https://github.com/n8n-io/n8n/commit/1479aab2d32fe0ee087f82b9038b1035c98be2f6", "tags": ["x_refsource_MISC"], "url": "https://github.com/n8n-io/n8n/commit/1479aab2d32fe0ee087f82b9038b1035c98be2f6"}, {"name": "https://github.com/n8n-io/n8n/commit/9e5212ecbc5d2d4e6f340b636a5e84be6369882e", "tags": ["x_refsource_MISC"], "url": "https://github.com/n8n-io/n8n/commit/9e5212ecbc5d2d4e6f340b636a5e84be6369882e"}, {"name": "https://docs.n8n.io/hosting/securing/overview", "tags": ["x_refsource_MISC"], "url": "https://docs.n8n.io/hosting/securing/overview"}], "affected": [{"vendor": "n8n-io", "product": "n8n", "versions": [{"version": "< 1.123.22", "status": "affected"}, {"version": ">= 2.0.0, < 2.9.3", "status": "affected"}, {"version": ">= 2.10.0, < 2.10.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T22:19:44.806Z"}, "descriptions": [{"lang": "en", "value": "n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613. An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures."}], "source": {"advisory": "GHSA-vpcf-gvg4-6qwr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T20:14:18.668740Z", "id": "CVE-2026-27577", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T20:14:30.327Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "n8n: Expression Sandbox Escape Leads to RCE", "source": {"advisory": "GHSA-vpcf-gvg4-6qwr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "n8n-io", "product": "n8n", "versions": [{"status": "affected", "version": "< 1.123.22"}, {"status": "affected", "version": ">= 2.0.0, < 2.9.3"}, {"status": "affected", "version": ">= 2.10.0, < 2.10.1"}]}], "references": [{"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-vpcf-gvg4-6qwr", "name": "https://github.com/n8n-io/n8n/security/advisories/GHSA-vpcf-gvg4-6qwr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp", "name": "https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/n8n-io/n8n/commit/1479aab2d32fe0ee087f82b9038b1035c98be2f6", "name": "https://github.com/n8n-io/n8n/commit/1479aab2d32fe0ee087f82b9038b1035c98be2f6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/n8n-io/n8n/commit/9e5212ecbc5d2d4e6f340b636a5e84be6369882e", "name": "https://github.com/n8n-io/n8n/commit/9e5212ecbc5d2d4e6f340b636a5e84be6369882e", "tags": ["x_refsource_MISC"]}, {"url": "https://docs.n8n.io/hosting/securing/overview", "name": "https://docs.n8n.io/hosting/securing/overview", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613. An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T22:19:44.806Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27577", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-26T20:14:18.668740Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-02-26T20:14:23.788Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-27577", "state": "PUBLISHED", "dateUpdated": "2026-02-25T22:19:44.806Z", "dateReserved": "2026-02-20T17:40:28.449Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-25T22:19:44.806Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "77E36F68-2FDD-4771-B2DD-3F0A168E92E1", "versionEndExcluding": "1.123.22", "vulnerable": true}, {"criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "CDB18D4D-1D4C-422A-BE3E-0FF8FC9DDD82", "versionEndExcluding": "2.9.3", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "C2CBC039-F880-4DB3-968B-2520126388E6", "versionEndExcluding": "2.10.1", "versionStartIncluding": "2.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613. An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures."}, {"lang": "es", "value": "n8n es una plataforma de automatizaci\u00f3n de flujos de trabajo de c\u00f3digo abierto. Antes de las versiones 2.10.1, 2.9.3 y 1.123.22, se han identificado y parcheado exploits adicionales en la evaluaci\u00f3n de expresiones de n8n tras CVE-2025-68613. Un usuario autenticado con permiso para crear o modificar flujos de trabajo podr\u00eda abusar de expresiones manipuladas en los par\u00e1metros del flujo de trabajo para desencadenar la ejecuci\u00f3n no intencionada de comandos del sistema en el host que ejecuta n8n. Los problemas han sido solucionados en las versiones de n8n 2.10.1, 2.9.3 y 1.123.22. Los usuarios deber\u00edan actualizar a una de estas versiones o posteriores para remediar todas las vulnerabilidades conocidas. Si la actualizaci\u00f3n no es posible de inmediato, los administradores deber\u00edan considerar las siguientes mitigaciones temporales. Limitar los permisos de creaci\u00f3n y edici\u00f3n de flujos de trabajo solo a usuarios de plena confianza, y/o desplegar n8n en un entorno endurecido con privilegios de sistema operativo y acceso a la red restringidos para reducir el impacto de una posible explotaci\u00f3n. Estas soluciones provisionales no remedian completamente el riesgo y solo deber\u00edan usarse como medidas de mitigaci\u00f3n a corto plazo."}], "id": "CVE-2026-27577", "lastModified": "2026-03-04T14:00:14.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-25T23:16:21.387", "references": [{"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://docs.n8n.io/hosting/securing/overview"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/n8n-io/n8n/commit/1479aab2d32fe0ee087f82b9038b1035c98be2f6"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/n8n-io/n8n/commit/9e5212ecbc5d2d4e6f340b636a5e84be6369882e"}, {"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-vpcf-gvg4-6qwr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}