What's Happening?
Researchers at Pillar Security have identified two critical vulnerabilities in the n8n platform, a widely used open-source workflow automation tool. These vulnerabilities, affecting both self-hosted and cloud deployments, could allow attackers to take full control of a server without user interaction or authentication. The first flaw, CVE-2026-27577, is a sandbox escape in the expression compiler that enables remote code execution by authenticated attackers. The second, CVE-2026-27493, is a zero-click vulnerability that exploits a double-evaluation bug in n8n's Form nodes, allowing unauthenticated attackers to execute arbitrary shell commands. These vulnerabilities pose significant risks because n8n stores sensitive credentials, which could be exposed if the flaws are exploited.
Why Is It Important?
The discovery of these vulnerabilities is significant due to the widespread use of n8n in enterprise AI systems, where it acts as a credential vault. The potential for unauthorized access to sensitive data, such as AWS keys and database passwords, could have severe implications for businesses relying on n8n for workflow automation. The zero-click nature of one of the vulnerabilities increases the risk, as it can be exploited without user interaction, making it easier for attackers to compromise systems. This situation underscores the importance of robust security measures and timely updates to protect against such vulnerabilities.
What's Next?
In response to these findings, n8n has released patches to address the vulnerabilities. Users of self-hosted n8n instances are advised to update to the latest versions to mitigate the risks. Additionally, Pillar Security recommends rotating all stored credentials if a vulnerable workflow is detected. Organizations using n8n Cloud should benefit from automated fixes, but the cross-tenant risk remains a concern, highlighting the need for continuous monitoring and security assessments.