CVE-2026-27493: CWE-94: Improper Control of Generation of Code ('Code Injection') in n8n-io n8n

Severity: Critical
Tags: Vulnerability, CVE-2026-27493, CWE-94, CWE-95
Published: Wed Feb 25 2026 (02/25/2026, 22:05:00 UTC)
Source: CVE Database V5
Vendor/Project: n8n-io
Product: n8n

Description

CVE-2026-27493 is a critical code injection vulnerability in the open-source workflow automation platform n8n, affecting versions prior to 2.10.1, 2.9.3, and 1.123.22. The flaw arises from a second-order expression injection in n8n's Form nodes, allowing unauthenticated attackers to inject and evaluate arbitrary expressions by submitting crafted form data starting with an '=' character. Exploitation requires a specific workflow configuration where a form node interpolates user-supplied input as an expression, which is uncommon and likely noticeable. While the expression injection alone is limited to the n8n expression context, chaining it with a separate sandbox escape vulnerability can lead to remote code execution on the host.

AI-Powered Analysis

Last updated: 02/25/2026, 22:41:22 UTC

Technical Analysis

CVE-2026-27493 is a critical vulnerability in n8n, an open-source workflow automation platform widely used for integrating and automating tasks. The issue is a second-order expression injection vulnerability located in the Form nodes of n8n versions prior to 2.10.1, 2.9.3, and 1.123.22. The vulnerability stems from the way n8n processes form input fields that begin with an '=' character, which causes n8n to treat the input as an expression and evaluate it twice. An unauthenticated attacker can submit crafted form data with this prefix to inject arbitrary n8n expressions. However, exploitation requires a specific workflow setup: a form node must interpolate a user-controlled value as an expression, which is not typical and would likely be noticed by workflow designers.

The expression injection itself is constrained to the n8n expression context and does not directly allow arbitrary code execution. Nevertheless, if combined with a separate sandbox escape vulnerability, it can escalate to remote code execution on the host system running n8n. This chaining significantly raises the risk, enabling attackers to execute arbitrary commands remotely without authentication. The vulnerability is tracked under CWE-94 (Improper Control of Generation of Code) and CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code). The issue was publicly disclosed on February 25, 2026, with a CVSS 4.0 score of 9.5, reflecting its critical severity and ease of exploitation without user interaction or privileges. No known exploits have been reported in the wild yet.

The recommended remediation is to upgrade n8n to versions 2.10.1, 2.9.3, or 1.123.22 or later. If immediate upgrading is not feasible, administrators should manually review workflows for vulnerable form nodes, disable the Form node by adding 'n8n-nodes-base.form' to the NODES_EXCLUDE environment variable, and/or disable the Form Trigger node similarly. These mitigations reduce risk but do not fully eliminate it. Organizations should prioritize patching to prevent potential exploitation, especially in public-facing or internet-accessible n8n instances.

Potential Impact

The impact of CVE-2026-27493 is severe for organizations using vulnerable versions of n8n, particularly those exposing workflow forms to unauthenticated users. Successful exploitation can lead to arbitrary code execution on the host system, compromising confidentiality, integrity, and availability. Attackers could execute malicious commands, deploy malware, exfiltrate sensitive data, or disrupt automated workflows critical to business operations. Given n8n's role in automating integrations and processes, a compromise could cascade, affecting connected systems and services. The vulnerability requires a specific workflow configuration and chaining with another sandbox escape, which may limit widespread exploitation but does not eliminate risk. Organizations running n8n in production, especially in cloud or internet-facing environments, face heightened risk of targeted attacks. The absence of authentication and user-interaction requirements further increases the threat level. Although no known exploits are reported yet, the critical CVSS score and potential for remote code execution necessitate urgent remediation to prevent severe operational and security consequences.

Mitigation Recommendations

1. Upgrade n8n immediately to versions 2.10.1, 2.9.3, or 1.123.22 or later, which contain the fix for this vulnerability.
2. Conduct a thorough manual review of all workflows using Form nodes to identify any that interpolate user input as expressions, especially those accepting inputs starting with '='.
3. Temporarily disable the Form node by adding 'n8n-nodes-base.form' to the NODES_EXCLUDE environment variable to prevent usage of vulnerable nodes.
4. Similarly, disable the Form Trigger node by adding 'n8n-nodes-base.formTrigger' to NODES_EXCLUDE to reduce attack surface.
5. Restrict access to n8n instances, especially those exposed to unauthenticated users, by implementing network-level controls such as VPNs, firewalls, or IP whitelisting.
6. Monitor logs and workflow executions for suspicious activity indicative of expression injection attempts or sandbox escape exploits.
7. Educate workflow designers to avoid using expressions that interpolate user input directly, and implement input validation or sanitization where possible.
8. Stay informed about any emerging exploits or patches related to sandbox escape vulnerabilities that could be chained with this issue.

These steps collectively reduce risk and help prevent exploitation until full remediation is applied.
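The manual workflow review (step 2) and the submission monitoring (step 6) can be partly scripted. The following is an added example, not n8n's own code or part of this advisory: it scans an exported workflow JSON for Form-family nodes whose parameters are expressions that read upstream item data, and flags submitted form values that carry the '=' prefix. The sample workflow is constructed here; the heuristic that any expression referencing `$json`, `$input`, `$('Node')` or `$node[` counts as interpolating upstream data is an assumption of this example, not a rule from n8n.

```python
import json
import re

# Constructed sample in the shape of an n8n workflow export: each node has a
# "type" and a "parameters" tree, and expression values start with "=".
SAMPLE_WORKFLOW = json.loads("""
{"nodes": [
  {"name": "Form Trigger", "type": "n8n-nodes-base.formTrigger",
   "parameters": {"formTitle": "Contact us"}},
  {"name": "Safe Form", "type": "n8n-nodes-base.form",
   "parameters": {"formTitle": "Thanks", "formDescription": "Static text"}},
  {"name": "Risky Form", "type": "n8n-nodes-base.form",
   "parameters": {"formTitle": "=Hello {{ $json.name }}",
                  "formFields": {"values": [
                    {"fieldLabel": "=Re: {{ $('Form Trigger').item.json.subject }}"}]}}}
]}
""")

# The node types named in this advisory's NODES_EXCLUDE mitigation.
FORM_NODE_TYPES = {"n8n-nodes-base.form", "n8n-nodes-base.formTrigger"}
# Assumed heuristic: an expression reading upstream item data may be
# interpolating a value that a form submitter controlled.
UPSTREAM_REF = re.compile(r"\$json\b|\$input\b|\$\('[^']*'\)|\$node\[")

def _walk(value, path):
    """Yield (dotted path, string) for every string leaf in a parameter tree."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _walk(v, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value

def find_risky_form_nodes(workflow):
    """Return [(node name, parameter path, expression)] for Form-family nodes
    whose parameters are expressions that reference upstream data."""
    hits = []
    for node in workflow.get("nodes", []):
        if node.get("type") not in FORM_NODE_TYPES:
            continue
        for path, text in _walk(node.get("parameters", {}), ""):
            if text.startswith("=") and UPSTREAM_REF.search(text):
                hits.append((node["name"], path, text))
    return hits

def flag_suspicious_submission(fields):
    """Return names of submitted fields whose value begins with '=', the prefix
    that makes n8n treat a value as an expression (the trigger in this CVE)."""
    return [name for name, value in fields.items()
            if isinstance(value, str) and value.startswith("=")]
```

Run `find_risky_form_nodes` over every exported workflow and treat each hit as a node to redesign or exclude; feed form submissions from your execution logs through `flag_suspicious_submission` to spot probing before the upgrade lands.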


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-02-19T19:46:03.542Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 699f7718b7ef31ef0b6119dc

Added to database: 2/25/2026, 10:26:32 PM

Last enriched: 2/25/2026, 10:41:22 PM

Last updated: 2/26/2026, 10:46:16 AM
