CVE-2026-0863
Sandbox Bypass in n8n Python Executor Enables Full Code Execution
Publication date: 2026-01-18
Last updated on: 2026-01-18
Assigner: JFrog
Description
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| n8n-io | n8n | before 2.4.2 (2.4.2 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0863 is a high-severity sandbox escape vulnerability in the n8n Python task runner component. It allows an attacker to bypass sandbox restrictions in the python-task-executor by exploiting string formatting and exception handling techniques. This enables the attacker to run arbitrary unrestricted Python code on the underlying operating system. Exploitation requires an authenticated user with basic permissions to run malicious code within a Python (Native) Code block. [2]
How can this vulnerability impact me?
If the n8n instance is running in 'Internal' execution mode, this vulnerability can lead to a full instance takeover, allowing the attacker complete control over the n8n environment. If running in 'External' execution mode (such as the official Docker image), arbitrary code execution is limited to a Sidecar container, which significantly reduces the impact but still allows code execution within that container. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve monitoring the execution of Python code within n8n's Python (Native) Code block by authenticated users with basic permissions, and specifically looking for code that combines string formatting with exception handling to bypass the sandbox restrictions. The published proof-of-concept exploit runs the 'uname' command through Python's os module, so reviewing suspicious Python tasks and checking logs for system commands such as 'uname' being executed is one starting point: monitor the logs of Python code execution, and look for processes invoking 'uname' or other system commands from n8n's environment. However, no specific detection commands are provided. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading n8n past the affected versions (all versions before 1.123.14, versions in [2.0.0, 2.3.5), and versions in [2.4.0, 2.4.2)). If upgrading is not immediately possible, running n8n in 'External' execution mode (for example, using the official Docker image) reduces the impact by confining arbitrary code execution to a Sidecar container rather than the main node. Restrict authenticated user permissions so that users with only basic permissions cannot use the Python (Native) Code block. Monitor and audit usage of Python code blocks until a patch is applied. [2]
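As a check a defender can run over an inventory of n8n instances, the following added example (not from the advisory or from the n8n project) tests a version string against the affected ranges stated above; treating a pre-release tag as older than its bare release is an assumption that follows semver ordering.

```python
"""Check whether an n8n version falls inside the CVE-2026-0863 affected ranges.

Added example, not code from the advisory or the n8n project. The ranges are
the ones stated on this page: all versions before 1.123.14, [2.0.0, 2.3.5)
and [2.4.0, 2.4.2). A pre-release such as "2.4.2-rc.1" is assumed to sort
before the bare release 2.4.2 (semver ordering).
"""
import re

# (lower bound inclusive or None, upper bound exclusive), as stated on this page.
AFFECTED_RANGES = [
    (None, "1.123.14"),
    ("2.0.0", "2.3.5"),
    ("2.4.0", "2.4.2"),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH[-prerelease]' into a sortable tuple.

    The 4th element is 1 for a final release and 0 for a pre-release, so a
    release sorts after its own pre-releases: (2,4,2,0,'rc.1') < (2,4,2,1,'').
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def is_affected(version):
    """Return True if the given n8n version lies in an affected range."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low is not None and v < parse_version(low):
            continue  # below this range's lower bound
        if v < parse_version(high):
            return True  # inside [low, high)
    return False


def triage(versions):
    """Map each version string in an inventory to 'affected' or 'fixed'."""
    return {ver: ("affected" if is_affected(ver) else "fixed") for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory of n8n instance versions.
    sample = ["1.120.0", "1.123.14", "2.3.4", "2.3.5", "2.4.1", "2.4.2", "2.5.0"]
    for ver, status in triage(sample).items():
        print(f"n8n {ver}: {status}")
```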