
CVE-2026-27498: CWE-94: Improper Control of Generation of Code ('Code Injection') in n8n-io n8n

Severity: Critical
Tags: Vulnerability, CVE-2026-27498, cve, cve-2026-27498, cwe-94
Published: Wed Feb 25 2026 (02/25/2026, 22:42:21 UTC)
Source: CVE Database V5
Vendor/Project: n8n-io
Product: n8n

Description

CVE-2026-27498 is a critical code injection vulnerability in the n8n workflow automation platform affecting versions prior to 2.2.0 and 1.123.8. An authenticated user with workflow creation or modification permissions can chain the Read/Write Files from Disk node with git operations to execute arbitrary shell commands on the host system. This occurs by writing to specific configuration files and triggering git commands, leading to remote code execution without requiring user interaction. The vulnerability has a CVSS 4.0 score of 9.0, reflecting high impact and ease of exploitation with low privileges.

AI-Powered Analysis

Last updated: 02/25/2026, 23:11:05 UTC

Technical Analysis

CVE-2026-27498 is a critical vulnerability classified under CWE-94 (Improper Control of Generation of Code) affecting the n8n open source workflow automation platform. The flaw exists in versions prior to 2.2.0 and 1.123.8, where an authenticated user with permissions to create or modify workflows can exploit the Read/Write Files from Disk node in conjunction with git operations to achieve remote code execution on the host system. The attack vector involves writing malicious content to configuration files that are subsequently processed by git commands, enabling arbitrary shell command execution. This vulnerability does not require user interaction but does require authenticated access with specific permissions, which may be granted to trusted users or insiders. The issue stems from insufficient sanitization and control over code generation and execution within workflow nodes, allowing injection of shell commands. The vulnerability has been addressed in n8n versions 2.2.0 and 1.123.8 by improving input validation and restricting unsafe operations. Until upgrades can be applied, administrators are advised to limit workflow creation and editing permissions strictly to trusted users and disable the Read/Write Files from Disk node by excluding it via the NODES_EXCLUDE environment variable. However, these mitigations are partial and do not fully remove the risk of exploitation. The vulnerability has a CVSS 4.0 score of 9.0, indicating a critical severity with network attack vector, low attack complexity, and partial privileges required. No known exploits in the wild have been reported yet, but the potential impact is severe due to the ability to execute arbitrary code remotely on the host system.

Potential Impact

The impact of CVE-2026-27498 is severe for organizations using the n8n platform for workflow automation, especially in environments where n8n is exposed to multiple users or integrated with critical infrastructure. Successful exploitation allows an attacker with limited privileges to execute arbitrary shell commands on the host, potentially leading to full system compromise, data theft, service disruption, or lateral movement within the network. This can affect confidentiality, integrity, and availability of systems and data. Since n8n is often used to automate business-critical processes, disruption or compromise could have cascading effects on operations. The vulnerability's ease of exploitation and high privileges gained make it attractive for attackers. Organizations that do not promptly patch or apply mitigations risk unauthorized access, data breaches, and operational outages. The threat is amplified in multi-tenant or cloud-hosted deployments where multiple users have workflow editing rights.

Mitigation Recommendations

1. Upgrade all n8n instances to version 2.2.0 or later, or 1.123.8 or later, as these versions contain the fix for this vulnerability.
2. Until upgrades can be performed, restrict workflow creation and modification permissions strictly to fully trusted and vetted users to reduce the attack surface.
3. Disable the Read/Write Files from Disk node by adding 'n8n-nodes-base.readWriteFile' to the NODES_EXCLUDE environment variable to prevent exploitation via this node.
4. Implement strict access controls and monitoring on n8n instances, including logging workflow changes and git operations to detect suspicious activity.
5. Isolate n8n hosts in segmented network zones with limited access to critical systems to contain potential compromise.
6. Conduct regular security audits and penetration testing focused on workflow automation platforms.
7. Educate administrators and users about the risks of granting workflow editing permissions and encourage the principle of least privilege.

These steps go beyond generic advice by focusing on node-level controls, environment variable configurations, and operational security practices specific to n8n.
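An added triage sketch for recommendations 1, 3 and 4 (not code from n8n or from this advisory): it checks a reported version against the fixed releases, checks whether NODES_EXCLUDE actually excludes the file node, and lists exported workflows that pair the file node with a Git node for manual review. It assumes NODES_EXCLUDE holds a JSON array string, that workflows are exported as a JSON list of objects with `name` and `nodes`, and that the built-in Git node's type is `n8n-nodes-base.git`; the function names and sample workflows are constructed for illustration.

```python
import json
import re

RW_NODE = "n8n-nodes-base.readWriteFile"  # node type named in the advisory
GIT_NODE = "n8n-nodes-base.git"           # assumption: type name of the built-in Git node
FIXED = {1: (1, 123, 8), 2: (2, 2, 0)}    # first fixed release per major line (advisory)

def is_patched(version):
    """True if the version is at or past the fixed release for its major line."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    if v[0] > 2:
        return True  # later than 2.2.0
    return v[0] in FIXED and v >= FIXED[v[0]]

def node_excluded(nodes_exclude):
    """True only if NODES_EXCLUDE parses as a JSON array containing the file node."""
    try:
        excluded = json.loads(nodes_exclude or "[]")
    except json.JSONDecodeError:
        return False  # e.g. a bare node name instead of a JSON array
    return isinstance(excluded, list) and RW_NODE in excluded

def risky_workflows(workflows):
    """Names of workflows that contain both the file node and a Git node."""
    hits = []
    for wf in workflows:
        types = {n.get("type") for n in wf.get("nodes", [])}
        if RW_NODE in types and GIT_NODE in types:
            hits.append(wf.get("name", "<unnamed>"))
    return hits

def triage(version, nodes_exclude, workflows):
    """Combine the three checks into one report for an instance."""
    return {"patched": is_patched(version),
            "node_excluded": node_excluded(nodes_exclude),
            "review": risky_workflows(workflows)}

# Constructed sample export: only the second workflow pairs the two node types.
SAMPLE = [
    {"name": "nightly-report",
     "nodes": [{"type": "n8n-nodes-base.httpRequest"}, {"type": RW_NODE}]},
    {"name": "repo-sync", "nodes": [{"type": RW_NODE}, {"type": GIT_NODE}]},
]

if __name__ == "__main__":
    print(triage("1.123.7", "[]", SAMPLE))
```

A workflow listed under `review` is a candidate for inspection, not proof of abuse; legitimate workflows can use both nodes.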


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-19T19:46:03.542Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 699f7e1fb7ef31ef0b65d59c

Added to database: 2/25/2026, 10:56:31 PM

Last enriched: 2/25/2026, 11:11:05 PM

Last updated: 2/26/2026, 9:23:26 AM
