SOCRadar® Cyber Intelligence Inc.
Jan 29, 2026
4 Mins Read
CVE-2026-1470 & CVE-2026-0863: Severe Sandbox Escape Vulnerabilities Expose n8n Instances to RCE

Workflow automation platforms sit at the core of modern operations: they hold credentials, handle sensitive data and are trusted to run user-supplied code safely. Recent n8n disclosures show how a weak code sandbox breaks that trust. Security researchers have identified two high-impact vulnerabilities, CVE-2026-1470 and CVE-2026-0863, that allow authenticated users to escape n8n's execution sandboxes and run arbitrary code on the underlying host.

These findings are especially relevant for organizations that rely on n8n to automate AI-driven and business-critical workflows. This blog provides a factual breakdown of what was discovered, who is affected, how the exploits work at a high level, and what steps defenders should take to reduce risk.

What Vulnerabilities Were Disclosed in n8n?

Researchers uncovered two separate eval injection flaws in how n8n executes user-supplied code. The first, CVE-2026-1470 (CVSS 9.9), is rated critical and affects JavaScript execution inside the expression engine. The second, CVE-2026-0863 (CVSS 8.5), is rated high severity and affects Python execution in the Code node when the task runner operates in internal mode.

Both vulnerabilities allow authenticated users who can create or edit workflows to bypass sandbox restrictions. Once exploited, an attacker can execute arbitrary commands with the privileges of the n8n process, effectively taking control of the instance and the host it runs on.

How Does CVE-2026-1470 Enable JavaScript-Based RCE?

The JavaScript vulnerability stems from gaps in the abstract syntax tree (AST) validation used to secure n8n’s expression engine. The platform blocks common escape techniques such as direct access to constructor and prototype-manipulation properties, but the parser still accepted the with statement, a legacy JavaScript feature that strict mode forbids and that alters how bare identifiers are resolved.

Details of CVE-2026-1470 (SOCRadar Vulnerability Intelligence)

A with statement places an object's properties into the identifier scope, so a bare name inside the block resolves to a property of that object. By crafting expressions that rebind scope this way, an attacker can reach a dangerous object through a harmless-looking identifier, without the member access the AST check is looking for. This yields the Function constructor and, from there, execution of arbitrary system commands in the main n8n process. Because the expression engine runs in the core process, the impact is immediate and severe.
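The mechanism above, as an added illustration that is not n8n's code and does not reproduce the researchers' expression: a toy sandbox that denies member access to the usual blocked names and evaluates expressions with the Function constructor. The payload only uses generic `with` semantics (inside `with (String) { ... }` the bare identifier `constructor` resolves to `String.constructor`, which is `Function`). The static check is a string scan standing in for an AST walk so the example runs without a parser dependency; the `"use strict"` prologue shows one runnable way to close the gap, since strict-mode code may not contain a with statement.

```javascript
// Added illustration, not n8n's code. Toy expression sandbox: a denylist on
// member access plus an evaluator built on the Function constructor.

const BLOCKED_MEMBERS = ["constructor", "__proto__", "prototype"];

// Static check: reject `.name`, `["name"]` and `['name']` for each blocked
// name. Stands in for an AST walk over MemberExpression nodes.
function staticCheck(src) {
  for (const name of BLOCKED_MEMBERS) {
    const forms = ["." + name, '["' + name + '"]', "['" + name + "']"];
    if (forms.some((f) => src.includes(f))) {
      return { ok: false, reason: "blocked member access: " + name };
    }
  }
  return { ok: true };
}

// The Function constructor's body is sloppy-mode unless the body itself opts
// in, so `with` is accepted on the default path and rejected on the strict one.
function evaluate(src, strict) {
  const prologue = strict ? '"use strict"; ' : "";
  return new Function(prologue + "return (" + src + ");")();
}

function runSandboxed(src, { strict = false } = {}) {
  const verdict = staticCheck(src);
  if (!verdict.ok) throw new Error(verdict.reason);
  return evaluate(src, strict);
}

// Constructed payload: no blocked name appears as a property access. Inside
// `with (String)` the bare identifier `constructor` is resolved against String's
// properties, i.e. String.constructor === Function.
const WITH_PAYLOAD = "(function () { with (String) { return constructor; } })()";

// Labels what the sandbox did with a payload, for the demo and the checks.
function outcome(src, opts) {
  try {
    const value = runSandboxed(src, opts);
    return value === Function ? "escaped: Function constructor obtained" : "ran: " + typeof value;
  } catch (err) {
    return "rejected: " + err.constructor.name;
  }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("direct access:", outcome("({}).constructor"));            // rejected: Error
  console.log("with, sloppy :", outcome(WITH_PAYLOAD));                   // escaped: Function constructor obtained
  console.log("with, strict :", outcome(WITH_PAYLOAD, { strict: true })); // rejected: SyntaxError
}
```

The denylist is satisfied because the string `.constructor` never appears; the binding is created at run time by the object environment record that `with` installs. An AST-based validator closes this by refusing the WithStatement node outright or by compiling expressions as strict-mode code, and the same reasoning applies to any other scope-altering construct the parser accepts but the validator never models.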

How Does CVE-2026-0863 Bypass Python Sandbox Restrictions?

The Python issue highlights how language evolution can weaken static security controls. n8n relies on an AST-based sandbox that blocks imports, dangerous built-in functions, and access to sensitive attributes. According to the research, changes introduced in Python 3.10 added new properties to exception objects that the sandbox's allow/deny rules did not anticipate.

Details of CVE-2026-0863 (SOCRadar Vulnerability Intelligence)

Attackers can abuse string formatting and exception handling to reach internal objects that were assumed to be inaccessible: the lookups happen inside format fields and exception attributes rather than as syntax the AST validator inspects. By chaining these behaviors, it becomes possible to recover restricted built-ins, import operating system modules, and execute commands. When n8n runs Python tasks in internal mode, this code executes in the n8n process directly on the host, compromising the entire instance.
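The class of bypass above, as an added illustration that is not n8n's code and does not reproduce the researchers' chain: a toy AST-denylist sandbox that refuses imports, a set of built-ins and private attribute names, and a constructed payload whose only visible call is `str.format`. The dotted walk lives inside the string literal, so the AST never shows it; it follows the caught exception's traceback to the frame that called `exec` and reads one of that frame's globals, the host's `ast` module. The blocked-name sets, `run_task` and `check_hardened` are this example's own assumptions.

```python
"""Added illustration, not n8n's code: a toy AST-denylist sandbox and a payload
that reaches host objects through str.format field syntax."""
import ast

# Assumed denylist: attribute names and built-ins such a sandbox would refuse.
BLOCKED_ATTRS = {"__class__", "__subclasses__", "__globals__", "__builtins__",
                 "__traceback__", "__mro__", "tb_frame", "f_back", "f_globals"}
BLOCKED_NAMES = {"eval", "exec", "open", "__import__", "getattr", "globals",
                 "vars", "compile", "breakpoint"}


def check_denylist(src: str) -> ast.Module:
    """Reject imports, blocked built-ins and blocked or private attribute access."""
    tree = ast.parse(src)
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            raise ValueError("imports are not allowed")
        if isinstance(node, ast.Name) and node.id in BLOCKED_NAMES:
            raise ValueError(f"builtin {node.id!r} is not allowed")
        if isinstance(node, ast.Attribute) and (
            node.attr in BLOCKED_ATTRS or node.attr.startswith("_")
        ):
            raise ValueError(f"attribute {node.attr!r} is not allowed")
    return tree


def check_hardened(src: str) -> ast.Module:
    """Denylist plus a ban on str.format/format_map, whose field syntax performs
    attribute and item lookups that never appear as AST nodes."""
    tree = check_denylist(src)
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr in {"format", "format_map"}:
            raise ValueError("str.format is not allowed")
    return tree


def run_task(src: str, checker=check_denylist):
    """Validate, then exec with a minimal builtins table; return `result`."""
    tree = checker(src)
    env = {"__builtins__": {"str": str, "len": len, "ValueError": ValueError}}
    exec(compile(tree, "<task>", "exec"), env)
    return env.get("result")


def is_rejected(src: str, checker) -> bool:
    try:
        checker(src)
    except ValueError:
        return True
    return False


# Constructed payload. The traceback of the caught exception points at the exec
# frame; its f_back is the host frame (run_task), whose globals include `ast`.
# In str.format fields, `.name` is getattr and `[ast]` is a lookup with the
# string key "ast", so none of this is visible to the AST checker.
LEAK_PAYLOAD = '''
try:
    raise ValueError("trigger")
except ValueError as e:
    result = ("{0.__traceback__.tb_frame.f_back.f_code.co_name}|"
              "{0.__traceback__.tb_frame.f_back.f_globals[ast]}").format(e)
'''

# The same walk written as plain syntax is caught immediately.
DIRECT_PAYLOAD = "result = ValueError('x').__class__"


if __name__ == "__main__":
    print(is_rejected(DIRECT_PAYLOAD, check_denylist))   # True
    print(is_rejected(LEAK_PAYLOAD, check_denylist))     # False
    print(run_task(LEAK_PAYLOAD))                        # run_task|<module 'ast' from '...'>
    print(is_rejected(LEAK_PAYLOAD, check_hardened))     # True
```

`check_hardened` closes this one door and is still a denylist: any further object-introspection path the validator does not model reopens it. That is why the mitigation the page recommends, running Python tasks outside the main process, matters more than another rule in the AST filter.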

Who Is Affected and Which Versions Are Vulnerable?

Any self-hosted or cloud deployment running a version older than the fixed releases is at risk if authenticated users can create or edit workflows. The affected range is broad, but fixes are available in each maintained line:

  • CVE-2026-1470 is patched in versions 1.123.17, 2.4.5, and 2.5.1.
  • CVE-2026-0863 is patched in versions 1.123.14, 2.3.5, and 2.4.2.

Note that the two fixes landed in different releases. A deployment on 1.123.14, 2.3.5 or 2.4.2 is protected against CVE-2026-0863 but not CVE-2026-1470; to cover both, upgrade to at least 1.123.17 on the 1.x line or 2.4.5 (or 2.5.1) on the 2.x line, and confirm the running version after the upgrade rather than assuming the container tag was refreshed.
SOCRadar’s Vulnerability Intelligence

To manage risks stemming from vulnerabilities like sandbox escapes and Remote Code Execution (RCE), organizations can rely on dedicated security intelligence capabilities. SOCRadar’s Cyber Threat Intelligence module helps track newly disclosed flaws affecting platforms such as n8n, including version-level exposure details and patch guidance. In parallel, the Attack Surface Management module enables teams to identify internet-facing automation instances and monitor them for known weaknesses.

What Defensive Actions Should Organizations Take Now?

Immediate patching is the most important step. Administrators should also:

  • Review whether Python tasks are running in internal mode and migrate to external execution where possible, so that task code no longer runs inside the main n8n process.
  • Limit who can create or modify workflows, especially in shared environments; both flaws require that permission, so every workflow editor is effectively a code-execution principal.
  • Monitor automation platforms continuously and treat them with the same priority as other production services, given their access to credentials and sensitive systems.

From a detection perspective, security teams can benefit from community-shared tooling. Public Nuclei templates published on GitHub help defenders identify vulnerable instances and validate remediation efforts.

For a deeper technical walkthrough of the research, the original analysis by JFrog Security Research is available here.