GHSA-jjpj-p2wh-qf23: n8n has a Sandbox Escape in its JavaScript Task Runner
Summary
n8n, a workflow automation tool, has a sandbox escape vulnerability in its JavaScript Task Runner that lets authenticated users run code outside the sandbox (a restricted environment for running untrusted code). On default setups, this could give attackers full control of the n8n server, while on systems using external task runners, attackers could impact other workflows.
Solution / Mitigation
Upgrade to n8n version 2.10.1, 2.9.3, or 1.123.22 or later. If immediate upgrade is not possible, temporarily limit workflow creation and editing permissions to trusted users only, or use external runner mode by setting N8N_RUNNERS_MODE=external to reduce potential damage.
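The check below is an added example, not part of the advisory or of n8n's own tooling: it triages a deployment's version against the fixed releases listed above and reports whether N8N_RUNNERS_MODE=external is limiting the impact. It assumes each fixed release closes its own release line (1.x, 2.9.x, 2.10 and later), which the advisory does not state; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: triage one n8n deployment against GHSA-jjpj-p2wh-qf23.
# Assumption (not stated in the advisory): each fixed release closes its own
# release line, so 1.x needs >= 1.123.22, 2.9.x needs >= 2.9.3, and every
# other 2.x or later release needs >= 2.10.1.

# ver_ge A B: succeed when dotted version A is numerically >= B.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# n8n_fix_status VERSION [RUNNERS_MODE]: print one triage verdict.
n8n_fix_status() {
    v=${1#v}; mode=${2:-}         # tolerate a leading "v" as in "v2.9.3"
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo "unknown"; return 0 ;;  # tags, pre-releases
        *.*.*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    if [ "$major" -le 1 ]; then floor=1.123.22
    elif [ "$major" -eq 2 ] && [ "$minor" -eq 9 ]; then floor=2.9.3
    else floor=2.10.1
    fi
    if ver_ge "$v" "$floor"; then
        echo "patched"
    elif [ "$mode" = external ]; then
        # Advisory: external runners reduce damage; other workflows stay exposed.
        echo "unpatched-external-runner (upgrade to $floor or later)"
    else
        # Advisory: on default setups the n8n server itself is at risk.
        echo "unpatched-default-runner (upgrade to $floor or later)"
    fi
}

# Usage (script name is hypothetical): sh n8n_check.sh 2.9.1
if [ $# -gt 0 ]; then
    n8n_fix_status "$1" "${N8N_RUNNERS_MODE:-}"
fi
```

Anything that is not a plain x.y.z version (an image tag such as "latest", a pre-release build) is reported as unknown so it gets checked by hand rather than silently passed.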
Vulnerability Details
EPSS: 0.1%
Original source: https://github.com/advisories/GHSA-jjpj-p2wh-qf23
First tracked: February 25, 2026 at 11:00 PM