CVE-2026-1470
Published 2026-01-27
Priority: P2 (78)
Severity: critical, CVSS 3.1 base score 9.9
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 18.07% (96.8th percentile)
n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow Expression evaluation system. Expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime.
An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| n8n | n8n | >= 0 < 1.123.17 | 1.123.17 |
| n8n | n8n | >= 2.0.0 < 2.4.5 | 2.4.5 |
| n8n | n8n | >= 2.5.0 < 2.5.1 | 2.5.1 |
Detection & IOCs (extracted from sources)
- CVE-2026-1470 exploits the JavaScript `with` statement to cause a standalone constructor identifier to bypass AST sanitization and resolve to `Function`, enabling arbitrary JavaScript execution in n8n's expression evaluation system.
- Exploitation requires an authenticated user to create or modify a workflow containing a malicious expression; monitor workflow creation/modification events by non-admin users for suspicious expression payloads involving `with` statements or `Function` constructor references.
- Arbitrary code executes with the privileges of the n8n process on the main node; alert on unexpected child processes or system-level operations spawned by the n8n process.
- Only self-hosted n8n instances are affected; prioritize detection and patching for self-hosted deployments running versions prior to 1.123.17, 2.4.5, or 2.5.1.
- CVE-2026-1470 is fixed in n8n versions 1.123.17, 2.4.5, and 2.5.1; instances running older versions remain vulnerable.
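A defender-side check for the monitoring advice above: it walks an exported n8n workflow and flags expression parameters that contain a `with` statement or reference the `Function` constructor. This is an added example written for this page, not n8n's own code; it assumes the n8n convention that expression parameters are `=`-prefixed strings with code inside `{{ }}`, and the sample workflow is constructed.

```javascript
// Added example, not n8n project code: walk an exported n8n workflow and flag
// expression parameters whose embedded JavaScript contains a `with` statement
// or references the `Function` constructor, the two markers the advisory names.
// Assumption: expression parameters are strings starting with "=" whose code
// sits inside {{ ... }} (the n8n expression convention).
const EXPR_RE = /\{\{([\s\S]*?)\}\}/g;
const RULES = [
  { rule: 'with-statement', re: /\bwith\s*\(/ },
  { rule: 'Function-constructor', re: /\bFunction\b/ },
];

// Return the code fragments of an expression parameter, or [] for plain values.
function extractExpressions(value) {
  if (typeof value !== 'string' || !value.startsWith('=')) return [];
  return [...value.matchAll(EXPR_RE)].map((m) => m[1]);
}

// Recursively visit every parameter value, recording rule hits with their path.
function walk(value, path, findings) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => walk(v, `${path}[${i}]`, findings));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) walk(v, `${path}.${k}`, findings);
  } else {
    for (const code of extractExpressions(value)) {
      for (const { rule, re } of RULES) {
        if (re.test(code)) findings.push({ path, rule, code: code.trim() });
      }
    }
  }
}

// Scan a parsed workflow export; returns one finding per (parameter, rule) hit.
function scanWorkflow(workflow) {
  const findings = [];
  (workflow.nodes || []).forEach((node, i) =>
    walk(node.parameters, `nodes[${i}](${node.name}).parameters`, findings));
  return findings;
}

// Constructed sample workflow: two ordinary parameters and one expression
// that uses a `with` block, which the scan should report.
const SAMPLE_WORKFLOW = {
  nodes: [
    { name: 'Set', parameters: { values: { string: [{ value: '={{ $json.id }}' }] } } },
    { name: 'Code', parameters: { jsCode: 'return items;' } },
    { name: 'Set2', parameters: { text: '={{ with ($json) { name } }}' } },
  ],
};

console.log(scanWorkflow(SAMPLE_WORKFLOW));
```

Run it against workflow exports (or the JSON body of workflow create/update API calls) to triage which expressions need a human look; a hit is a review signal, not proof of exploitation.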
CVSS provenance
- NVD (v3.1): 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- GHSA: 8.5 HIGH
OSV
n8n Unsafe Workflow Expression Evaluation Allows Remote Code Execution (osv, 2026-01-27, CVE-2026-1470, CRITICAL)
GHSA
n8n Unsafe Workflow Expression Evaluation Allows Remote Code Execution (ghsa, 2026-01-27, CVE-2026-1470, CRITICAL, CWE-95)
No detection rules found.
No public exploits indexed.
Bleepingcomputer
New sandbox escape flaw exposes n8n instances to RCE attacks (blogs_bleepingcomputer, 2026-01-28, CVSS 8.5, HIGH)
By Bill Toulas
Two vulnerabilities in the n8n workflow automation platform could allow attackers to fully compromise affected instances, access sensitive data, and execute arbitrary code on the underlying host.
Identified as CVE-2026-1470 and CVE-2026-0863, the vulnerabilities were discovered and reported by researchers at DevSecOps company JFrog.
Despite requiring authentication, CVE-2026-1470 received a critical severity score of 9.9 out of 10. JFrog explained that the critical rating was due to arbitrary code execution occurring in n8n's main node, which allows complete control over the n8n instance.
n8n is an open-source workflow automation platform that lets users link applications, APIs, and services into complex p
Wiz
CVE-2026-1470 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.9, CRITICAL)
CVE-2026-1470: NixOS vulnerability analysis and mitigation
Source: NVD
Score: 9.9 (CNA score 9.9)
Severity: CRITICAL
Published: January 27, 2026
Affected technologies: NixOS, n8n