SecurityWeek

N8n Vulnerabilities Could Lead to Remote Code Execution

The two bugs impacted n8n’s sandbox mechanism and could be exploited via weaknesses in the AST sanitization logic.


Two critical- and high-severity vulnerabilities in the n8n AI workflow automation platform could allow attackers to execute arbitrary code remotely, JFrog reports.

The issues, tracked as CVE-2026-1470 (CVSS score of 9.9) and CVE-2026-0863 (CVSS score of 8.5), impacted n8n’s sandbox mechanism and could be abused via weaknesses in the Abstract Syntax Tree (AST) sanitization logic.

CVE-2026-1470, JFrog notes, was discovered in the expression evaluation engine and could allow attackers to execute arbitrary JavaScript code.

N8n uses an AST-based sandbox to validate JavaScript input and neutralize potentially dangerous nodes before execution. Several validation layers have been implemented to mitigate known JavaScript sandbox escape vectors.

However, because the AST parser still supports a deprecated statement, an attacker can supply an identifier that allows them to achieve arbitrary code execution in n8n’s main node.

This allows an attacker to completely take over the n8n instance, JFrog says.


CVE-2026-0863, the cybersecurity firm explains, was discovered in the Python code execution flow of the Code node, which is also subject to an AST sandbox intended to prevent takeover when n8n runs in the ‘Internal’ configuration.

“If the n8n instance is running in the ‘Internal’ configuration, Python code is executed as a subprocess on the main node itself, allowing a successful exploit to compromise the entire n8n instance,” JFrog explains.

The cybersecurity firm discovered that it was possible to abuse gaps in the AST-based sandboxes to bypass the implemented protections, completely escape the sandbox, and achieve remote code execution (RCE).

“These vulnerabilities highlight how difficult it is to safely sandbox dynamic, high‑level languages such as JavaScript and Python. Even with multiple validation layers, deny lists, and AST‑based controls in place, subtle language features and runtime behaviors can be leveraged to bypass security assumptions,” JFrog explains.
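As an added illustration of the defensive lesson above (this is not n8n's or JFrog's code), the validator below takes the allow-list approach: it parses untrusted input with Python's own `ast` module in expression mode and rejects any node type, name or call that is not explicitly permitted, so newly supported or deprecated syntax fails closed instead of slipping past a deny list. The permitted node set and builtin names are assumptions chosen for the example; a check like this is one validation layer and does not replace running user code outside the main process.

```python
import ast
import builtins

# Allow-list (an assumption for this example) for a small expression language:
# arithmetic, boolean logic, comparisons, literals, names and a few builtin calls.
ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.IfExp,
    ast.Constant, ast.Name, ast.Load, ast.Call, ast.List, ast.Tuple, ast.Dict,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod, ast.Pow, ast.FloorDiv,
    ast.USub, ast.UAdd, ast.Not, ast.And, ast.Or,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.In, ast.NotIn,
)
ALLOWED_CALLS = frozenset({"len", "min", "max", "abs", "round", "sum"})


class RejectedCode(ValueError):
    """Raised when the input uses anything outside the allow-list."""


def validate(source: str) -> ast.Expression:
    # Expression mode: statements (import, def, class, ...) are syntax errors here,
    # so the parser itself never produces nodes this validator has not reviewed.
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        raise RejectedCode(f"not a valid expression: {exc.msg}") from exc
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):  # attributes, lambdas, comprehensions...
            raise RejectedCode(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id.startswith("_"):
            raise RejectedCode(f"disallowed name: {node.id}")
        if isinstance(node, ast.Call) and (
            not isinstance(node.func, ast.Name) or node.func.id not in ALLOWED_CALLS
        ):
            raise RejectedCode("only calls to allow-listed builtins are permitted")
    return tree


def is_allowed(source: str) -> bool:
    try:
        validate(source)
        return True
    except RejectedCode:
        return False


def safe_eval(source: str, variables: dict) -> object:
    """Evaluate a validated expression with only the allow-listed builtins visible."""
    tree = validate(source)
    env = {"__builtins__": {name: getattr(builtins, name) for name in ALLOWED_CALLS}}
    env.update(variables)
    return eval(compile(tree, "<expr>", "eval"), env)
```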

The two vulnerabilities have been addressed: CVE-2026-1470 in n8n versions 1.123.17, 2.4.5, and 2.5.1, and CVE-2026-0863 in versions 1.123.14, 2.3.5, and 2.4.2.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
