CVE-2026-1470 is a critical vulnerability in the n8n automation platform's workflow expression evaluation system. n8n allows users to create complex workflows using expressions that are dynamically evaluated at runtime. This vulnerability stems from improper neutralization of directives in these dynamically evaluated expressions (classified as CWE-95, Eval Injection). Authenticated users configuring workflows can inject malicious code into expressions, which the system evaluates without sufficient isolation from the underlying runtime environment. This flaw enables attackers to execute arbitrary code with the same privileges as the n8n process, potentially leading to full compromise of the affected instance. The attacker can access sensitive data, alter workflows to persist malicious behavior, and execute system-level commands, which could include lateral movement or data exfiltration. The vulnerability affects n8n versions 0, 2.0.0, and 2.5.0, and was published on January 27, 2026. The CVSS v3.1 score is 9.9 (critical), reflecting network attack vector, low attack complexity, required privileges (authenticated user), no user interaction, and complete impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the severity and ease of exploitation by authenticated users make this a high-priority threat. The lack of patch links suggests that fixes may not yet be publicly available, increasing urgency for mitigation.

For European organizations, the impact of CVE-2026-1470 can be severe. n8n is used for automating workflows that often integrate multiple business-critical systems and sensitive data sources. Exploitation could lead to unauthorized access to confidential information, disruption of automated business processes, and potential spread of malware or ransomware through compromised workflows. Organizations in sectors such as finance, healthcare, manufacturing, and government could face operational downtime, regulatory penalties under GDPR due to data breaches, and reputational damage. The ability to execute system-level commands also raises the risk of persistent backdoors or lateral movement within corporate networks. Since exploitation requires authentication, insider threats or compromised credentials increase risk. The critical severity and broad impact on confidentiality, integrity, and availability make this vulnerability a significant threat to European enterprises relying on n8n for automation.

1. Immediately restrict access to n8n instances to trusted users only and enforce strong authentication mechanisms, including multi-factor authentication (MFA). 2. Monitor and audit workflow configurations for suspicious or unexpected expressions, especially those created or modified by users with elevated privileges. 3. Apply network segmentation to isolate n8n servers from sensitive backend systems to limit potential lateral movement. 4. If patches or updates become available from n8n, apply them promptly. 5. Consider disabling or restricting the use of dynamic expression evaluation features until a secure patch is deployed. 6. Implement runtime application self-protection (RASP) or Web Application Firewalls (WAF) with custom rules to detect and block suspicious payloads targeting expression evaluation. 7. Regularly review and rotate credentials used by n8n workflows to reduce risk from compromised accounts. 8. Conduct internal penetration testing focused on workflow expression injection to identify and remediate vulnerable configurations. 9. Educate developers and administrators on secure workflow design to avoid unsafe expression usage.