N8n Security Update Advisory

Overview

 

We have released a security update to address a vulnerability in n8n. Users of affected products are advised to update to the latest version.
 

 

Affected Products

 

CVE-2026-0863

 

n8n Version: 1.123.14 and earlier
n8n versions: 2.0.0 and above but below 2.3.5
n8n versions: 2.4.0 or later but less than 2.4.2

 

CVE-2026-1470

 

n8n Version: Before 1.123.17
n8n versions: 2.0.0 and above but below 2.4.5
n8n versions: 2.5.0 or later but less than 2.5.1

 

 

Resolved Vulnerabilities

 

Sandbox escape vulnerability in the n8n Python Task Runner (CVE-2026-0863)
Remote code execution vulnerability due to sandbox bypass in the evaluation of workflow expressions in n8n (CVE-2026-1470)

 

 

Vulnerability Patches

Vulnerability patches have been made available in the latest update. Please follow the instructions on the Referenced Sites to update to the latest Vulnerability Patches version.

 

CVE-2026-0863

 

n8n version: Update as per Referenced Sites[1]

 

CVE-2026-1470
n8n version: Updated with references to Referenced Sites[2]

 

 

References

 

[1] Commit b73a428
https://github.com/n8n-io/n8n/commit/b73a4283cb14e0f27ce19692326f362c7bf3da02
[2] Commit aa4d1e5
https://github.com/n8n-io/n8n/commit/aa4d1e5825829182afa0ad5b81f602638f55fa04
[3] JFSA-2026-001651077 – n8n Python runner sandbox escape
https://research.jfrog.com/vulnerabilities/n8n-python-runner-sandbox-escape-jfsa-2026-001651077/
[4] JFSA-2026-001651697 – n8n Expression Node RCE
https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce/