CVE-2026-0863: CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code on the underlying operating system. The vulnerability can be exploited via the Code block by an authenticated user with basic permissions and can lead to a full n8n instance takeover on instances operating under "Internal" execution mode. If the instance is operating under the "External" execution mode (e.g. n8n's official Docker image), arbitrary code execution occurs inside a Sidecar container rather than on the main node, which significantly reduces the vulnerability impact.
AI Analysis
Technical Summary
CVE-2026-0863 is a critical vulnerability identified in the n8n workflow automation tool, specifically within its python-task-executor component. The root cause is an improper neutralization of directives in dynamically evaluated code, classified under CWE-95 (Eval Injection). This flaw allows an attacker with authenticated access and basic permissions to use string formatting and exception handling mechanisms to bypass the sandbox restrictions designed to isolate Python code execution. When exploited in the "Internal" execution mode, this leads to arbitrary and unrestricted Python code execution on the host operating system, effectively allowing full compromise of the n8n instance and potentially the underlying system. In contrast, when n8n operates in "External" execution mode, such as the official Docker image deployment, the arbitrary code execution is confined to a Sidecar container, which contains the impact and reduces the risk of host compromise. The vulnerability affects multiple versions, including 2.0.0 and 2.4.0, indicating broad exposure among n8n users. The CVSS v3.1 score of 8.5 reflects the high severity: a network attack vector, low privileges required, high attack complexity, no user interaction, and complete confidentiality, integrity, and availability compromise. Although no known exploits are reported in the wild yet, the potential impact and the ease of exploitation by authenticated users make this a significant threat. The vulnerability highlights the risks of dynamic code evaluation without proper sanitization and the importance of robust sandboxing in automation platforms.
Potential Impact
For European organizations, the impact of CVE-2026-0863 can be severe, especially for those relying on n8n for critical workflow automation and integration tasks. Successful exploitation can lead to full system compromise, data theft, unauthorized data manipulation, and disruption of business processes. Organizations operating n8n in "Internal" execution mode face the highest risk, as attackers can execute arbitrary code on the host OS, potentially pivoting to other internal systems. Even in "External" mode, compromise of the Sidecar container could lead to lateral movement or data leakage if container isolation is not properly enforced. Given the increasing adoption of automation tools in sectors like finance, healthcare, manufacturing, and public administration across Europe, the vulnerability could impact sensitive data and critical infrastructure. Additionally, compliance with GDPR and other data protection regulations could be jeopardized if personal data is exposed or altered. The lack of public exploits currently provides a window for mitigation, but the high severity score demands immediate attention to prevent potential targeted attacks.
Mitigation Recommendations
European organizations should take the following specific mitigation steps:
1) Immediately identify and inventory all n8n instances, noting their execution mode (Internal vs External).
2) Upgrade n8n to a patched version as soon as it becomes available; if no patch exists yet, consider temporarily disabling the python-task-executor or restricting access to the Code block functionality.
3) Enforce strict access controls and monitor authenticated users with basic permissions, as they can exploit this vulnerability.
4) For instances running in Internal mode, consider migrating to External execution mode to leverage container isolation and reduce risk.
5) Implement network segmentation and firewall rules to limit access to n8n instances only to trusted users and systems.
6) Enable comprehensive logging and monitoring of n8n activities to detect anomalous code execution attempts.
7) Conduct regular security assessments and penetration tests focusing on automation platforms.
8) Educate developers and administrators about the risks of dynamic code evaluation and sandbox bypass techniques.
9) Review and harden container security policies if using External mode to prevent container breakout.
10) Prepare incident response plans specifically addressing potential automation platform compromises.
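As an added, defender-side example supporting steps 1 and 2 (this is not code from the advisory or from the n8n project), the script below walks an exported n8n workflow for Python Code nodes and rates exposure by runner mode. The node type `n8n-nodes-base.code`, the `language`/`pythonCode` parameters and the `N8N_RUNNERS_MODE` environment variable are assumptions about n8n's export format and configuration, and the workflow JSON is constructed sample input.

```python
import json
import os
from typing import Dict, List

# Assumed n8n Code node type and parameter values (not taken from the advisory).
CODE_NODE_TYPE = "n8n-nodes-base.code"
PYTHON_LANGUAGES = {"python", "pythonNative"}

# Constructed sample export: one JavaScript Code node, one Python Code node,
# and one unrelated node, so the filter has something to skip.
SAMPLE_WORKFLOW = json.dumps({
    "name": "invoice-sync",
    "nodes": [
        {"name": "JS step", "type": CODE_NODE_TYPE,
         "parameters": {"language": "javaScript", "jsCode": "return $input.all();"}},
        {"name": "Py step", "type": CODE_NODE_TYPE,
         "parameters": {"language": "python", "pythonCode": "return _input.all()"}},
        {"name": "HTTP", "type": "n8n-nodes-base.httpRequest", "parameters": {}},
    ],
})


def python_code_nodes(workflow_json: str) -> List[str]:
    """Return the names of Code nodes that run Python (the affected executor path)."""
    workflow = json.loads(workflow_json)
    hits = []
    for node in workflow.get("nodes", []):
        if node.get("type") != CODE_NODE_TYPE:
            continue
        if node.get("parameters", {}).get("language") in PYTHON_LANGUAGES:
            hits.append(node.get("name", "<unnamed>"))
    return hits


def triage(workflow_json: str, env: Dict[str, str]) -> str:
    """Rate exposure: Python Code nodes on an Internal-mode runner is the worst case.

    N8N_RUNNERS_MODE is assumed to hold 'internal' or 'external'; when it is
    unset we treat the instance as internal, the higher-risk reading, so that
    an unconfigured instance is never silently rated as safe.
    """
    if not python_code_nodes(workflow_json):
        return "none"
    mode = env.get("N8N_RUNNERS_MODE", "internal").lower()
    return "high" if mode == "internal" else "medium"


if __name__ == "__main__":
    print(python_code_nodes(SAMPLE_WORKFLOW))  # ['Py step']
    print(triage(SAMPLE_WORKFLOW, dict(os.environ)))
```

Run it over each exported workflow file on every inventoried instance; any "high" result is a candidate for disabling the Python Code block or moving the instance to External mode until a patched version is installed.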
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: JFROG
- Date Reserved: 2026-01-12T15:16:43.100Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696cff39d302b072d9dc4a0d
Added to database: 1/18/2026, 3:41:45 PM
Last enriched: 1/25/2026, 7:18:32 PM
Last updated: 2/7/2026, 5:17:18 AM