AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

GHSA-vpcf-gvg4-6qwr: n8n: Expression Sandbox Escape Leads to RCE

criticalvulnerability

security

Source: GitHub Advisory DatabaseFebruary 25, 2026CVE-2026-27577

Summary

n8n, a workflow automation tool, has a vulnerability where authenticated users with permission to create or modify workflows can exploit expression evaluation (the process of interpreting code within workflow parameters) to execute arbitrary system commands on the host server. This is a serious security flaw because it allows attackers to run unintended commands on the underlying system.

Solution / Mitigation

Upgrade to n8n version 2.10.1, 2.9.3, or 1.123.22 or later. If immediate upgrade is not possible, limit workflow creation and editing permissions to fully trusted users only, and deploy n8n in a hardened environment with restricted operating system privileges and network access. However, these temporary mitigations do not fully remediate the risk.

Vulnerability Details

EPSS (30-day exploit probability)

EPSS: 0.2%

Classification

Attack Type

Other

Attack SophisticationModerate

Impact (CIA+S)

integrityavailability

Affected Vendors

Affected Packages

n8n@>= 2.10.0, < 2.10.1 (fixed: 2.10.1)n8n@>= 2.0.0, < 2.9.3 (fixed: 2.9.3)n8n@< 1.123.22 (fixed: 1.123.22)

Related Issues

high

CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne

Similar attackNVD/CVE Database

critical

CVE-2026-22252: LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbi

First tracked: February 25, 2026 at 11:00 PM

Classified by LLM (prompt v3) · confidence: 85%