GHSA-mmgg-m5j7-f83h: n8n has Arbitrary File Read via Python Code Node Sandbox Escape
Summary
n8n, a workflow automation platform, has a sandbox escape in its Python Code node: an authenticated user with permission to create workflows can break out of the sandbox (the isolated environment that is supposed to restrict what node code can do) to read arbitrary files on the host or achieve remote code execution (RCE), i.e. run commands on the machine hosting n8n. On default setups this can compromise the entire n8n host.
Solution / Mitigation
The issue is fixed in n8n 2.10.1, 2.9.3 and 1.123.22; upgrade to one of these versions or later. If upgrading is not immediately possible, administrators can: (1) limit workflow creation and editing permissions to fully trusted users only, or (2) disable the Code node by adding `n8n-nodes-base.code` to the `NODES_EXCLUDE` environment variable. Note that option (2) removes the whole Code node, its JavaScript mode as well as Python, so existing workflows that depend on it will stop working. The source notes that these workarounds do not fully remediate the risk and should only be used as short-term measures.
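As an added example (not code from the advisory or from the n8n project), the following POSIX shell script turns the fix versions and the interim workaround above into a check an operator can run: it classifies an installed n8n version against the three fixed releases and, if the version still needs the upgrade, prints the `NODES_EXCLUDE` value that excludes the Code node. It assumes that `NODES_EXCLUDE` takes a JSON array of node type names (the format n8n's environment variable reference documents) and, since the page lists only the fixed versions and not the affected ranges, it treats a release as patched only when it is at or past the fix on its own major.minor line or newer than every fix for its major line; anything else (for example 2.8.x, which received no fix) is reported as needing the upgrade.

```shell
#!/bin/sh
# Added example, not part of the advisory or of n8n itself.
# Classifies an n8n version against the fixed releases named in the advisory
# and prints the interim NODES_EXCLUDE workaround when an upgrade is still due.

FIXED_VERSIONS="2.10.1 2.9.3 1.123.22"   # from the advisory

# ver_field VERSION N: print the Nth dotted component as a number (0 if absent
# or non-numeric, so a stray "rc" suffix does not break the comparison).
ver_field() {
  printf '%s\n' "$1" | awk -F. -v n="$2" '{ v = (n <= NF) ? $n : 0; print v + 0 }'
}

# vercmp_ge A B: succeed if dotted version A >= B, comparing major.minor.patch.
vercmp_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(ver_field "$1" "$i"); y=$(ver_field "$2" "$i")
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# n8n_status VERSION: print "patched", "vulnerable" or "unknown".
# Assumption (not stated on the page): a release on a major.minor line that got
# a fix is patched iff it is >= that fix; a release on a line without a fix is
# patched only if it is newer than every fix for its major line.
n8n_status() {
  v=${1#v}; v=${v%%-*}; v=${v%%+*}        # drop "v" prefix, pre-release and build tags
  for f in $FIXED_VERSIONS; do
    if [ "${v%.*}" = "${f%.*}" ]; then   # same major.minor line as a fix
      if vercmp_ge "$v" "$f"; then echo patched; else echo vulnerable; fi
      return 0
    fi
  done
  newest=""
  for f in $FIXED_VERSIONS; do
    if [ "${f%%.*}" != "${v%%.*}" ]; then continue; fi   # different major line
    if [ -z "$newest" ] || vercmp_ge "$f" "$newest"; then newest="$f"; fi
  done
  if [ -z "$newest" ]; then echo unknown; return 0; fi   # major with no fix listed
  if vercmp_ge "$v" "$newest"; then echo patched; else echo vulnerable; fi
}

# nodes_exclude_value [CURRENT]: the NODES_EXCLUDE value with the Code node
# added. NODES_EXCLUDE is a JSON array of node type names, so an existing
# value is extended rather than overwritten.
nodes_exclude_value() {
  existing="${1:-[]}"
  case "$existing" in
    *n8n-nodes-base.code*) printf '%s' "$existing" ;;          # already excluded
    "[]")                  printf '["n8n-nodes-base.code"]' ;;
    *)                     printf '%s,"n8n-nodes-base.code"]' "${existing%]}" ;;
  esac
}

# Usage: sh n8n-check.sh <n8n version> [current NODES_EXCLUDE value]
if [ -n "${1:-}" ]; then
  status=$(n8n_status "$1")
  echo "n8n $1: $status"
  if [ "$status" = vulnerable ]; then
    echo "Upgrade to 2.10.1, 2.9.3 or 1.123.22 (or later). Interim workaround:"
    echo "export NODES_EXCLUDE='$(nodes_exclude_value "${2:-}")'"
  fi
fi
```

Run it with the version from `n8n --version` (or the image tag of the container) and, if you already exclude nodes such as `n8n-nodes-base.executeCommand`, pass the current `NODES_EXCLUDE` value as the second argument so the merged array keeps them. The workaround line is printed rather than applied because the variable must be set in the environment of the n8n process itself (its unit file, compose file or container definition), not in an interactive shell.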
Vulnerability Details
EPSS: 0.1%
Original source: https://github.com/advisories/GHSA-mmgg-m5j7-f83h
First tracked: February 25, 2026 at 11:00 PM
Classified by LLM (prompt v3) · confidence: 85%