Two critical sandbox escape flaws in the popular n8n workflow automation platform allow authenticated users to achieve remote code execution on affected instances.

According to new JFrog findings, sandboxing safeguards meant to contain untrusted workflow logic can be bypassed, exposing enterprise automation environments to full host compromise. Enterprises that rely on n8n to orchestrate integrations, automate internal processes, and streamline cloud services and on-prem systems are at risk. JFrog’s researchers said n8n’s sandboxing mechanism can fail in specific configurations when users evaluate expressions or run custom scripts.

Sandbox escapes can expose sensitive credentials, APIs, and infrastructure from affected workflow engines.

Expression engine sandbox escape enables JavaScript RCE

One of the issues identified by JFrog affects n8n’s JavaScript expression engine, which is designed to safely evaluate user-supplied expressions during workflow execution. According to the researchers, flaws in how expressions are sanitized allow an attacker with permission to create or edit workflows to escape the sandbox and execute arbitrary JavaScript on the underlying host.

JFrog explained in a blog post that the expressions engine’s protections can be bypassed by carefully crafted payloads that exploit assumptions in the sandboxing logic. Once escaped, the attacker is no longer limited to expression evaluation and can run arbitrary commands in the context of the n8n service.

“When the expression engine encounters a {{}} block, it processes the enclosed content by bypassing it to a JavaScript Function constructor, which then executes the supplied code,” the researchers said. n8n uses an AST-based sandbox to neutralize dangerous JavaScript constructs before execution. A missed edge case in the outdated “with statement” allows attackers to bypass these checks and achieve arbitrary code execution.

The vulnerability has been assigned CVE-2026-1470 and carries a critical severity rating of CVSS 9.9 out of 10, owing to the ease with which sandbox restrictions can be broken and the level of access gained post-exploitation.

Python code node escape breaks isolation

JFrog also identified a separate sandbox escape affecting n8n’s Python Code node when the platform is configured to use its “Internal” execution mode. In this case, restrictions intended to contain Python code execution can be bypassed, again allowing authenticated users to run arbitrary code outside the sandbox.

The second issue, tracked as CVE-2026-0863, received a high severity rating of CVSS 8.5 out of 10. While exploitation depends on specific configuration choices, JFrog noted that internal execution mode is commonly used in self-hosted enterprise deployments for performance and operational simplicity.

The researchers demonstrated how Python sandbox constraints can be evaded, granting access to system resources that should be off-limits.

Urgent need to update

Both issues have been patched, and enterprises running n8n should ensure they are on updated versions. Until patches are applied, organizations are advised to carefully review who has permission to create or edit workflows, particularly in environments where n8n has access to internal networks, secrets, or privileged APIs.

CVE-2026-1470 has been fixed in versions 1.123.17, 2.4.5, and 2.5.1, while CVE-2026-0863 is resolved in versions 1.123.14, 2.3.5, and 2.4.2. Upgrading to any of these versions mitigates the risk of exploitation, researchers noted.
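A way to check an installed self-hosted n8n version against these fix versions, as an added example (not JFrog's or n8n's code): the version strings are the ones listed above; the rule that later releases on the same major line also carry the fix, and the handling of release lines the article does not mention, are assumptions made here.

```python
"""Map an installed n8n version to the fix versions for CVE-2026-1470 and CVE-2026-0863."""
from __future__ import annotations

# Fix versions as stated in the article, per CVE.
FIXED_VERSIONS = {
    "CVE-2026-1470": ("1.123.17", "2.4.5", "2.5.1"),  # expression-engine sandbox escape
    "CVE-2026-0863": ("1.123.14", "2.3.5", "2.4.2"),  # Python Code node escape
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch'; a leading 'v' is tolerated, anything else is rejected."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported n8n version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def status_for(version: tuple[int, int, int], fixes: tuple[str, ...]) -> str:
    """Classify one installed version against one CVE's list of fix versions."""
    major, minor, patch = version
    same_major = [parse_version(f) for f in fixes if parse_version(f)[0] == major]
    if not same_major:
        return "unknown: no fix version listed for this major release"
    for fix in same_major:
        if fix[1] == minor:  # same major.minor line: compare the patch number
            fix_text = ".".join(map(str, fix))
            return "fixed" if patch >= fix[2] else f"vulnerable: upgrade to {fix_text}"
    if minor > max(f[1] for f in same_major):
        # Assumption: releases newer than every listed fix on this major carry the fix.
        return "fixed (assumed: newer than every listed fix on this major)"
    # Older minor line with no fix listed: the article names no safe version for it.
    return "vulnerable: no fix listed for this line, move to a listed fixed version"


def assess(version_text: str) -> dict[str, str]:
    """Return a per-CVE verdict for the given installed version string."""
    installed = parse_version(version_text)
    return {cve: status_for(installed, fixes) for cve, fixes in FIXED_VERSIONS.items()}


if __name__ == "__main__":
    import sys

    # Constructed sample: 1.123.15 is past the CVE-2026-0863 fix but short of the CVE-2026-1470 fix.
    for cve, verdict in assess(sys.argv[1] if len(sys.argv) > 1 else "1.123.15").items():
        print(f"{cve}: {verdict}")
```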
