JustAppSec

n8n fixes critical expression sandbox escape that can lead to RCE (CVE-2026-27577)

What happened

A new CVE record, CVE-2026-27577, was published for n8n describing an expression evaluation sandbox escape that can result in unintended system command execution on the host running n8n.

The advisory describes the issue as additional exploits identified and patched following CVE-2025-68613, and assigns a CVSS v4.0 base score of 9.4 (Critical) with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H.

Who is impacted

Self-hosted n8n deployments where users can create or modify workflows are impacted. The advisory describes the attacker as an authenticated user with permission to create or modify workflows who can abuse crafted expressions in workflow parameters.

Affected version ranges listed in the CVE record:

  • < 1.123.22
  • >= 2.0.0, < 2.9.3
  • >= 2.10.0, < 2.10.1

What to do now

  • Upgrade to a fixed release for your branch:
    • 1.x: 1.123.22
    • 2.x stable: 2.9.3
    • 2.x beta: 2.10.1
  • If you cannot upgrade immediately (temporary mitigations listed in the record):
    • Limit workflow creation/editing permissions to fully trusted users only.
    • Run n8n in a hardened environment with restricted OS privileges and network access to reduce blast radius.
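As an added example (not code from the advisory or the n8n project), the following script classifies an n8n version string against the affected ranges quoted in the CVE record above and names the fixed release for the same branch; the sample version strings at the end are constructed for illustration.

```javascript
// Added example: check an n8n version against the affected ranges listed in
// the CVE-2026-27577 record and report the fixed release for its branch.
// Ranges and fixed releases are those quoted on this page; sample versions
// below are constructed, not taken from any real deployment.

// Parse "1.123.22" or "v2.10.0-beta.1" into [major, minor, patch].
// Pre-release suffixes are deliberately ignored, so "2.10.0-beta.1" is treated
// as 2.10.0 (the conservative choice for a vulnerability check).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric three-part comparison: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Affected ranges from the CVE record (lower bound inclusive, upper exclusive),
// each paired with the fixed release for that branch.
const AFFECTED = [
  { branch: "1.x",        lower: null,     upper: "1.123.22", fixed: "1.123.22" },
  { branch: "2.x stable", lower: "2.0.0",  upper: "2.9.3",    fixed: "2.9.3" },
  { branch: "2.x beta",   lower: "2.10.0", upper: "2.10.1",   fixed: "2.10.1" },
];

// Returns { affected, branch, fixed }. Versions outside every listed range are
// reported as not affected, which is all the record itself states.
function checkN8nVersion(version) {
  const v = parseVersion(version);
  for (const r of AFFECTED) {
    const aboveLower = r.lower === null || compare(v, parseVersion(r.lower)) >= 0;
    const belowUpper = compare(v, parseVersion(r.upper)) < 0;
    if (aboveLower && belowUpper) return { affected: true, branch: r.branch, fixed: r.fixed };
  }
  return { affected: false, branch: null, fixed: null };
}

// Constructed sample versions for a quick self-check when run directly.
const SAMPLES = ["1.123.21", "1.123.22", "2.9.2", "2.9.3", "2.10.0", "2.10.1"];
for (const s of SAMPLES) {
  const r = checkN8nVersion(s);
  console.log(`${s}: ${r.affected ? `affected (${r.branch}), upgrade to ${r.fixed}` : "not in an affected range"}`);
}
```

To check a live install, pass the version string of the installed n8n package to checkN8nVersion.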

Additional information

  • Weakness classification: CWE-94 (Improper Control of Generation of Code / Code Injection).
  • References in the CVE record include the GitHub advisory GHSA-vpcf-gvg4-6qwr, prior advisory GHSA-v98v-ff95-f3cp, and associated fix commits 1479aab2d32fe0ee087f82b9038b1035c98be2f6 and 9e5212ecbc5d2d4e6f340b636a5e84be6369882e.

Source: CVE Project (cvelistV5)
Published: 25 Feb 2026
Updated: 25 Feb 2026