Researchers at Pillar Security have found two new critical vulnerabilities in self-hosted and cloud n8n deployments.
N8n is a popular open-source workflow automation platform powering hundreds of thousands of enterprise AI systems worldwide.
One of the flaws, tracked as CVE-2026-27493, can lead to full takeover of a server without the target clicking on anything and without the attacker needing to be authenticated.
Both vulnerabilities affect both n8n Cloud and self-hosted n8n instances.
Sandbox Escape Flaw: CVE-2026-27577 Explained
In December 2025, Pillar Security reported two maximum-severity (CVSS score of 10) sandbox escape vulnerabilities to n8n that could allow attackers to achieve complete server control and steal any stored credentials.
These findings prompted n8n to release an initial patch in December, followed by nine security fixes in early 2026, which addressed the vulnerabilities Pillar Security had initially found.
However, the security researchers continued investigating n8n in February and found two additional flaws that were not addressed by the December-January security patches.
The first was initially reported by GitHub as CVE-2026-27577 on February 25.
This sandbox escape in the expression compiler is due to a missing case in the AST rewriter, which lets an expression slip through the sandbox untransformed and gives any authenticated attacker full remote code execution (RCE).
The Pillar Security researchers emphasized that, because n8n is a credential vault by function and stores keys to every system it connects to, a single sandbox escape exposes the n8n instance and every connected system.
“Post-exploitation is straightforward: the attacker reads the N8N_ENCRYPTION_KEY environment variable and uses it to decrypt every credential stored in n8n’s database: AWS keys, database passwords, OAuth tokens, API keys,” they wrote in a March 11 report.
CVE-2026-27577 has been assigned a critical severity rating of 9.4 (CVSS v4.0).
Zero-Click Unauthenticated Flaw: CVE-2026-27493 Explained
The second flaw was also reported by GitHub on February 25 and is tracked as CVE-2026-27493.
According to Pillar Security, CVE-2026-27493 takes it further than CVE-2026-27577.
This critical vulnerability (CVSS v4.0 rating of 9.5) is due to a double-evaluation bug in n8n’s Form nodes that turns any multi-step form that displays user input back into an expression injection point.
Since the form endpoints are public by design, an attacker doesn’t need any authentication, n8n account or workflow access to exploit it.
“A public ‘Contact Us’ form will run arbitrary shell commands if you type a payload into the Name field,” the Pillar Security researchers explained.
They also warned that for n8n Cloud and multi-tenant deployments, the impact extends beyond the individual instance.
“As demonstrated previously, sandbox escapes on n8n Cloud grant access to shared infrastructure, creating cross-tenant risk: a single public form on one tenant’s workflow could serve as the entry point. We assess the same cross-tenant risk applies based on the shared expression engine and infrastructure architecture confirmed during our earlier research,” the researchers added.
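As an added illustration of the double-evaluation pattern described above (not code from Pillar Security or the n8n project), the toy template engine below resolves `{{ ... }}` placeholders once in the workflow step and, in the vulnerable path, a second time in the form renderer. The syntax, the `$json` and `$internal` context names and the sample values are constructed assumptions, not n8n's real expression engine; a small detection helper for submitted fields is included alongside the fixed path.

```javascript
// Toy template engine, constructed for illustration only. It is NOT n8n's
// expression compiler; the {{ }} syntax and the $json / $internal context
// names are assumptions used to show the double-evaluation pattern.
const EXPR = /\{\{\s*([^}]+?)\s*\}\}/g;

// Resolve a dotted path such as "$json.name" against the context object.
function lookup(path, ctx) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), ctx);
}

// One evaluation pass. String.replace does not rescan the substituted text,
// so a single pass treats whatever a value contains as inert data.
function resolveOnce(template, ctx) {
  return template.replace(EXPR, (_, path) => String(lookup(path, ctx)));
}

// VULNERABLE: the workflow step resolves expressions (pulling the submitted
// field into the page), then the form renderer resolves the produced HTML
// again. Delimiters typed by the visitor are now treated as live expressions.
function renderVulnerable(pageTemplate, ctx) {
  const afterWorkflow = resolveOnce(pageTemplate, ctx);
  return resolveOnce(afterWorkflow, ctx); // second pass is the injection point
}

// FIXED: evaluate exactly once; user-supplied text is never re-parsed.
function renderFixed(pageTemplate, ctx) {
  return resolveOnce(pageTemplate, ctx);
}

// Detection aid for defenders: list submitted fields carrying {{ or }}.
function suspiciousFormInput(fields) {
  return Object.entries(fields)
    .filter(([, value]) => /\{\{|\}\}/.test(String(value)))
    .map(([name]) => name);
}

// Constructed sample: a multi-step "Contact Us" form whose second page echoes
// the visitor's name, and a visitor who typed an expression into that field.
const ctx = {
  $internal: { token: 'constructed-token' },       // never meant to be shown
  $json: { name: 'Alice {{ $internal.token }}' },  // hostile form input
};
const page = '<p>Thanks, {{ $json.name }}!</p>';

console.log('vulnerable:', renderVulnerable(page, ctx)); // leaks the token
console.log('fixed:     ', renderFixed(page, ctx));      // echoes text verbatim
console.log('flagged:   ', suspiciousFormInput(ctx.$json));
```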
N8n Fixes and Mitigations
However, Pillar Security specified that n8n Cloud should have already benefited from automated fixes.
People self-hosting n8n instances are urged to update to versions 2.10.1, 2.9.3 or 1.123.22 of n8n, depending on their release channel.
Pillar Security also recommended that users rotate all stored credentials if a vulnerable workflow is found in their n8n environment.
“Any instance running an affected version could have exposed N8N_ENCRYPTION_KEY, which decrypts every credential stored in the platform,” the researchers said.