cbcvebase.
CVE-2026-1470
published 2026-01-27

Priority: P278 · critical · CVSS 3.1 base score 9.9
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 18.07% (96.8th percentile)
n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow Expression evaluation system. Expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations.

Affected (6 ranges)

Vendor  Product  Version range        Fixed in
n8n     n8n      < 1.123.17           1.123.17
n8n     n8n      (not given)
n8n     n8n      >= 0, < 1.123.17     1.123.17
n8n     n8n      >= 2.0.0, < 2.4.5    2.4.5
n8n     n8n      >= 2.0.0, < 2.4.5    2.4.5
n8n     n8n      >= 2.5.0, < 2.5.1    2.5.1

Detection & IOCs (extracted from sources)

  • CVE-2026-1470 abuses the JavaScript `with` statement so that a standalone `constructor` identifier, which the AST sanitizer does not treat as a property access, resolves through the scope object's prototype chain to `Function`, enabling arbitrary JavaScript execution in n8n's expression evaluation system.
  • Exploitation requires an authenticated user to create or modify a workflow containing a malicious expression; monitor workflow creation/modification events by non-admin users for suspicious expression payloads involving `with` statements or `Function` constructor references.
  • Arbitrary code executes with the privileges of the n8n process on the main node; alert on unexpected child processes or system-level operations spawned by the n8n process.
  • Only self-hosted n8n instances are affected; prioritize detection and patching for self-hosted deployments running versions prior to 1.123.17, 2.4.5, or 2.5.1.
  • CVE-2026-1470 is fixed in n8n versions 1.123.17, 2.4.5, and 2.5.1; instances running older versions remain vulnerable.
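Added example, not n8n's code and not the published proof of concept: a toy evaluator in JavaScript that shows the mechanism in the first bullet (a sanitizer that only catches property access to `constructor`, and a `with` block that makes the bare identifier resolve to `Function`), a hardened variant, and a scanner over exported workflow JSON of the kind the second bullet suggests. How n8n actually exposes scope to expressions, the sanitizer logic, and the sample workflow are all assumptions made for the illustration; only the `={{ ... }}` expression marker is real n8n syntax.

```javascript
// Added example (not n8n's code). Models a sanitizer that only catches
// *property access* to `constructor`, the `with` trick that turns a bare
// `constructor` identifier into `Function`, a hardened evaluator, and a
// scanner for exported workflow JSON. All sample data below is constructed.

// Minimal tokenizer: string literals, identifiers, numbers, single punctuation.
function tokenize(src) {
  const re = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[A-Za-z_$][\w$]*|\d+|\S/g;
  return src.match(re) || [];
}

// Assumed shape of the vulnerable check: rejects `x.constructor` and
// `x["constructor"]` but lets a standalone `constructor` identifier through.
function memberAccessSanitizer(src) {
  const toks = tokenize(src);
  toks.forEach((t, i) => {
    const ctor = t === 'constructor' || t === '"constructor"' || t === "'constructor'";
    if (ctor && i > 0 && (toks[i - 1] === '.' || toks[i - 1] === '[')) {
      throw new Error('blocked: member access to constructor');
    }
  });
  return src;
}

// Vulnerable evaluator: user code runs as a sloppy-mode function body with the
// workflow item exposed as `data`. Sloppy mode is what permits `with`.
function vulnerableEvaluate(userCode, data) {
  memberAccessSanitizer(userCode);
  return new Function('data', userCode)(data);
}

// Inside `with (obj) { ... }` a bare identifier is looked up on `obj` first,
// including its prototype chain: `{}` resolves `constructor` to `Object`, and
// `Object` (itself a function) resolves `constructor` to `Function`.
const WITH_PAYLOAD = 'with ({}) { with (constructor) { return constructor } }';

// Strict mode rejects `with` at parse time, which makes it a cheap second
// line of defence independent of any denylist.
function compilesInStrictMode(userCode) {
  try {
    new Function('data', `"use strict"; ${userCode}`);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Hardened variant: token-level denylist for `with` and bare `constructor`,
// then strict-mode compilation so a denylist miss still cannot create a
// with-scope. Still a denylist, so only a stopgap (see note below).
function hardenedEvaluate(userCode, data) {
  memberAccessSanitizer(userCode);
  for (const t of tokenize(userCode)) {
    if (t === 'with') throw new Error('blocked: with statement');
    if (t === 'constructor') throw new Error('blocked: constructor identifier');
  }
  return new Function('data', `"use strict"; ${userCode}`)(data);
}

// Detection side: walk an exported workflow and flag expression parameters
// (n8n marks them with a leading "=" and {{ }} delimiters) whose tokens
// contain `with` or `constructor`. Returns "<node name>.<parameter path>".
function findSuspiciousExpressions(workflow) {
  const hits = [];
  const walk = (value, path) => {
    if (typeof value === 'string') {
      if (value.startsWith('=')) {
        const toks = tokenize(value.slice(1));
        if (toks.some((t) => t === 'with' || t === 'constructor')) hits.push(path);
      }
    } else if (value && typeof value === 'object') {
      for (const [k, v] of Object.entries(value)) walk(v, `${path}.${k}`);
    }
  };
  for (const node of workflow.nodes || []) walk(node.parameters || {}, node.name);
  return hits;
}

// Constructed sample workflow export, not taken from any real instance.
const SAMPLE_WORKFLOW = {
  nodes: [
    { name: 'Set', parameters: { value: '={{ $json.name.toUpperCase() }}' } },
    { name: 'Code', parameters: { jsCode: '={{ ' + WITH_PAYLOAD + ' }}' } },
  ],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(vulnerableEvaluate(WITH_PAYLOAD, {}) === Function);
  console.log(findSuspiciousExpressions(SAMPLE_WORKFLOW));
}
```

The hardened evaluator is there to show the idea, not as a fix: a token or AST denylist is fragile (an identifier written with a Unicode escape such as `\u0063onstructor` slips past the token check above, though strict mode still refuses the `with`), and the durable remedy is the one the advisory implies, namely isolating expression evaluation from the process runtime and upgrading to 1.123.17, 2.4.5, or 2.5.1. The scanner is likewise a triage aid for exported workflows, so review hits by hand rather than treating every `with` as malicious.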

CVSS provenance

NVD   v3.1  9.9  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
GHSA        8.5  HIGH