
CVE-2026-27577: CWE-94: Improper Control of Generation of Code ('Code Injection') in n8n-io n8n

Severity: Critical
Tags: vulnerability, CVE-2026-27577, CWE-94
Published: Wed Feb 25 2026 (02/25/2026, 22:19:44 UTC)
Source: CVE Database V5
Vendor/Project: n8n-io
Product: n8n

Description

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613. An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/05/2026, 10:00:50 UTC

Technical Analysis

CVE-2026-27577 is a critical vulnerability in the open-source workflow automation platform n8n. It allows an authenticated user with permission to create or modify workflows to inject code through crafted expressions in workflow parameters. The root cause is improper control over code generation during expression evaluation (CWE-94). A successful attacker can execute arbitrary system commands on the host running n8n, which can lead to full system compromise, data theft, or disruption of services. The vulnerability affects n8n versions prior to 1.123.22, 2.9.3, and 2.10.1; the fix ships in those versions. Exploitation requires authentication but no further user interaction, and the attack complexity is low, so the risk is significant wherever several users hold workflow editing rights. The flaw was identified as a follow-up to the related CVE-2025-68613, which points to ongoing difficulty in securing n8n's expression evaluation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) encodes a network attack vector, low complexity, no attack requirements, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability of both the vulnerable system and subsequent systems. No exploits in the wild have been reported, but the severity and nature of the flaw warrant immediate attention. Temporary mitigations are to restrict workflow creation and editing to fully trusted users and to deploy n8n in a hardened environment with restricted OS privileges and network segmentation to limit potential damage; these are stopgap measures until the upgrade can be applied.

Potential Impact

The impact of CVE-2026-27577 is severe for organizations using n8n as a workflow automation platform. Successful exploitation allows an authenticated user with workflow editing permissions to execute arbitrary system commands on the host, potentially leading to full system compromise. This can result in unauthorized data access or exfiltration, disruption or destruction of workflows and data, lateral movement within the network, and deployment of further malware or ransomware. Given n8n's role in automating business-critical processes, such a compromise could disrupt operations, cause data breaches, and damage organizational reputation. The vulnerability's network accessibility and low attack complexity increase the risk of exploitation in multi-user environments or where user credentials have been compromised. Organizations running n8n in production, especially with multiple collaborators or permissive access controls, face heightened risk. The absence of known exploits in the wild reduces the immediate threat but does not lessen the urgency of remediation, given the critical nature of the vulnerability.

Mitigation Recommendations

To mitigate CVE-2026-27577, organizations should prioritize upgrading n8n to versions 1.123.22, 2.9.3, 2.10.1, or later, where the vulnerability is patched. Until upgrades are feasible, restrict workflow creation and modification permissions strictly to fully trusted and vetted users to reduce the attack surface. Deploy n8n instances in hardened environments with minimal operating system privileges, employing containerization or sandboxing to limit the impact of potential exploitation. Implement network segmentation and firewall rules to restrict inbound and outbound traffic from the n8n host, minimizing lateral movement opportunities. Enable robust authentication mechanisms such as multi-factor authentication (MFA) for all users with elevated permissions. Regularly audit workflow definitions and user activities for suspicious or unauthorized changes. Monitor system logs and network traffic for anomalous command execution patterns indicative of exploitation attempts. Finally, maintain up-to-date backups of workflows and system configurations to enable recovery in case of compromise.
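Because the fix landed on three separate release lines (1.x, 2.9.x and 2.10.x), a naive "is my version newer than 1.123.22?" check misclassifies 2.8.x and 2.9.x deployments. The following branch-aware version check is an added example written for this page, not code from n8n or the advisory; the version strings in it are constructed samples, and pre-release suffixes are assumed to be safe to ignore for the comparison.

```python
import re
from typing import NamedTuple, Optional


class Version(NamedTuple):
    major: int
    minor: int
    patch: int


# The three fixed releases the advisory names, one per maintained release line.
FIXED_1X = Version(1, 123, 22)
FIXED_2_9 = Version(2, 9, 3)
FIXED_2_10 = Version(2, 10, 1)


def parse_version(text: str) -> Version:
    """Parse 'v1.123.21' or '2.10.0-rc.1' into numeric parts; pre-release tags are ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    return Version(*(int(g) for g in m.groups()))


def is_affected(v: Version) -> bool:
    """True when v predates the fix on its own release line (tuple comparison)."""
    if v.major == 1:
        return v < FIXED_1X
    if v.major == 2:
        if v.minor == 9:
            return v < FIXED_2_9
        # 2.0-2.8 carry no fix and sort below 2.10.1; 2.10.x is checked against 2.10.1; 2.11+ is newer than every fix.
        return v < FIXED_2_10
    return v.major < 1  # 0.x predates every fix; 3.x and later are newer than all of them


def upgrade_target(v: Version) -> Optional[Version]:
    """Nearest fixed release on or after v's line, or None when v already has the fix."""
    if not is_affected(v):
        return None
    if v.major <= 1:
        return FIXED_1X
    return FIXED_2_10 if v.minor >= 10 else FIXED_2_9


def assess(text: str) -> dict:
    """Status of one deployment from its reported version string."""
    target = upgrade_target(parse_version(text))
    return {"affected": target is not None, "upgrade_to": None if target is None else ".".join(map(str, target))}


if __name__ == "__main__":
    # Constructed sample inventory, not data from the advisory.
    for reported in ["1.123.21", "v1.123.22", "2.8.7", "2.9.2", "2.10.0", "2.11.0"]:
        print(reported, assess(reported))
```

Feed it the version string each instance reports and act on the `upgrade_to` value; deployments on 2.0 through 2.8 have no patched release of their own and must move to 2.9.3 or later.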


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-20T17:40:28.449Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 699f7a9cb7ef31ef0b62e4df

Added to database: 2/25/2026, 10:41:32 PM

Last enriched: 3/5/2026, 10:00:50 AM

Last updated: 4/11/2026, 7:53:53 PM

