CVE-2026-27498 is a critical security vulnerability classified under CWE-94 (Improper Control of Generation of Code) affecting the n8n open source workflow automation platform. The flaw exists in versions prior to 2.2.0 and 1.123.8, where an authenticated user with permission to create or modify workflows can exploit the Read/Write Files from Disk node combined with git operations to achieve remote code execution on the host system. The attack vector involves writing malicious content to configuration files that are then processed by git commands executed by the platform, allowing arbitrary shell commands to run with the privileges of the n8n process. This vulnerability requires the attacker to have authenticated access with workflow editing rights, which lowers the barrier compared to requiring full administrative access but still limits exploitation to trusted or compromised users. The vulnerability has a CVSS 4.0 score of 9.0, indicating critical severity with network attack vector, low attack complexity, and partial privileges required. The scope and impact are high, affecting confidentiality, integrity, and availability of the host system. The vendor has addressed the issue in versions 2.2.0 and 1.123.8 by fixing the improper code generation control. Until upgrades are applied, administrators are advised to restrict workflow editing permissions strictly to trusted users and disable the Read/Write Files from Disk node by excluding it via the NODES_EXCLUDE environment variable. However, these mitigations are partial and do not fully remove the risk of exploitation. No known exploits in the wild have been reported yet, but the critical nature of the vulnerability warrants immediate attention.

The vulnerability allows remote code execution on the n8n host by an authenticated user with workflow editing permissions, potentially leading to full system compromise. Attackers could execute arbitrary commands, manipulate workflows, access sensitive data, or pivot to other systems within the network. This can result in data breaches, service disruption, unauthorized access to internal resources, and potential lateral movement in enterprise environments. Organizations relying on n8n for critical automation workflows may face operational downtime and reputational damage. Since the exploit requires authenticated access, insider threats or compromised user accounts pose significant risks. The ability to chain file write operations with git commands amplifies the attack impact, as git is commonly used in development and deployment pipelines, potentially affecting CI/CD processes integrated with n8n. The vulnerability's critical severity underscores the urgency for remediation to prevent exploitation and protect organizational assets.

1. Upgrade n8n to version 2.2.0 or later, or 1.123.8 or later, as these versions contain the official fix for CVE-2026-27498. 2. Restrict workflow creation and editing permissions strictly to fully trusted and vetted users to minimize the risk of malicious workflow injection. 3. Temporarily disable the Read/Write Files from Disk node by adding 'n8n-nodes-base.readWriteFile' to the NODES_EXCLUDE environment variable to reduce the attack surface until an upgrade is possible. 4. Implement strong authentication mechanisms, including multi-factor authentication, to reduce the risk of compromised user credentials. 5. Monitor workflow changes and git operations within n8n for suspicious activity or unauthorized modifications. 6. Conduct regular audits of user permissions and workflow configurations to detect potential abuse. 7. Isolate the n8n host in a segmented network zone with limited access to critical infrastructure to contain potential exploitation impact. 8. Maintain up-to-date backups of workflows and configuration files to enable recovery in case of compromise. These steps collectively reduce the likelihood and impact of exploitation beyond generic patching advice.