CVE-2026-27493
Expression Injection in n8n Form Nodes Enables RCE
Publication date: 2026-02-25
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| n8n | n8n | Up to 1.123.22 (exc) |
| n8n | n8n | From 2.0.0 (inc) to 2.9.3 (exc) |
| n8n | n8n | From 2.10.0 (inc) to 2.10.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the n8n workflow automation platform prior to versions 2.10.1, 2.9.3, and 1.123.22. It is a second-order expression injection vulnerability in n8n's Form nodes. An unauthenticated attacker can inject and evaluate arbitrary n8n expressions by submitting specially crafted form data.
The vulnerability requires a specific workflow setup: a form node with a field that interpolates a value provided by an unauthenticated user, where the field value begins with an '=' character. This causes n8n to treat the input as an expression and evaluate it twice.
While the expression injection alone is limited to data accessible within the n8n expression context, if combined with a separate sandbox escape vulnerability, it could lead to remote code execution on the n8n host.
The issue has been fixed in later versions; temporary mitigations include reviewing form node usage and disabling the Form node or Form Trigger node via environment variables, though these are not full fixes.
How can this vulnerability impact me?
This vulnerability can allow an unauthenticated attacker to inject and evaluate arbitrary expressions within n8n, potentially leading to unauthorized access to sensitive data within the n8n expression context.
If combined with another vulnerability that allows escaping the expression sandbox, it could escalate to remote code execution on the host running n8n, which could compromise the entire system.
Exploitation requires specific workflow configurations and knowledge or discovery of a vulnerable form, so the risk depends on the deployment and usage of n8n instances.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves reviewing the usage of form nodes in n8n workflows to identify if any form node fields interpolate values provided by unauthenticated users and if those values begin with an '=' character, which triggers expression evaluation.
There are no specific commands provided to detect this vulnerability on a network or system.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading n8n to versions 2.10.1, 2.9.3, or 1.123.22 or later, where the vulnerability is fixed.
If upgrading is not immediately possible, administrators should manually review form node usage for the vulnerable conditions, disable the Form node by adding 'n8n-nodes-base.form' to the NODES_EXCLUDE environment variable, and/or disable the Form Trigger node by adding 'n8n-nodes-base.formTrigger' to the NODES_EXCLUDE environment variable.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
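The detection answer above says to review Form node usage for fields that interpolate user-provided values, and the mitigation answer names the NODES_EXCLUDE environment variable. The following script is an added example, not code from n8n or from this advisory: it scans an exported n8n workflow JSON file, lists Form and Form Trigger nodes, flags Form-node parameters that are n8n expressions (strings starting with '=') and marks those that read upstream input, and builds the NODES_EXCLUDE value for the two node types the advisory names. It assumes the usual export layout (a top-level "nodes" list whose items carry "name", "type" and "parameters") and that NODES_EXCLUDE is read as a JSON array of node type names; the sample workflow embedded at the bottom is constructed for the example, and its parameter key names (formFields, values, fieldLabel) are illustrative rather than taken from the advisory.

```python
"""Review helper for CVE-2026-27493: find Form / Form Trigger nodes in an n8n
workflow export and flag Form-node parameters that are expressions reading
upstream input. Added example; not n8n project code. Assumes the standard
export layout: {"name": ..., "nodes": [{"name", "type", "parameters"}, ...]}.
"""
import json
import re
from typing import Any, Iterator

# Node type identifiers named in the advisory's mitigation guidance.
FORM_NODE = "n8n-nodes-base.form"
FORM_TRIGGER_NODE = "n8n-nodes-base.formTrigger"

# Tokens that indicate an expression reads data produced by an earlier node,
# e.g. a value submitted through a Form Trigger (assumed expression syntax).
INPUT_REFERENCE = re.compile(r"\$json\b|\$input\b|\$\(|\$node\b")


def load_workflow(path: str) -> dict:
    """Load a workflow export from disk."""
    with open(path, encoding="utf-8") as handle:
        return json.load(handle)


def walk_strings(value: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (dotted-path, string) for every string nested in dicts/lists,
    so the scan does not depend on exact parameter key names."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, child in value.items():
            yield from walk_strings(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from walk_strings(child, f"{path}[{index}]")


def find_form_nodes(workflow: dict) -> list[dict]:
    """All Form and Form Trigger nodes in the workflow."""
    return [n for n in workflow.get("nodes", [])
            if n.get("type") in (FORM_NODE, FORM_TRIGGER_NODE)]


def find_expression_fields(workflow: dict) -> list[dict]:
    """Form-node parameters whose value is an expression ('=' prefix); each
    finding notes whether the expression interpolates upstream input, the
    condition the advisory describes for the vulnerable setup."""
    findings = []
    for node in workflow.get("nodes", []):
        if node.get("type") != FORM_NODE:
            continue
        for path, text in walk_strings(node.get("parameters", {})):
            if text.startswith("="):
                findings.append({
                    "node": node.get("name"),
                    "parameter": path,
                    "expression": text,
                    "interpolates_input": bool(INPUT_REFERENCE.search(text)),
                })
    return findings


def nodes_exclude_value(node_types: list[str]) -> str:
    """Build the NODES_EXCLUDE value (assumed: a JSON array of node types)."""
    return json.dumps(list(node_types))


def report(workflow: dict) -> str:
    """Human-readable summary; REVIEW marks expressions that read input."""
    lines = [f"workflow: {workflow.get('name')}"]
    for node in find_form_nodes(workflow):
        lines.append(f"  form node: {node['name']} ({node['type']})")
    for finding in find_expression_fields(workflow):
        flag = "REVIEW" if finding["interpolates_input"] else "info"
        lines.append(f"  [{flag}] {finding['node']}: "
                     f"{finding['parameter']} = {finding['expression']}")
    return "\n".join(lines)


# Constructed sample export: a Form Trigger feeding a Form node whose field
# label is an expression that echoes a submitted value (key names illustrative).
SAMPLE_WORKFLOW = {
    "name": "constructed-intake",
    "nodes": [
        {"name": "On form submission", "type": FORM_TRIGGER_NODE,
         "parameters": {"formTitle": "Intake",
                        "formFields": {"values": [{"fieldLabel": "Your name"}]}}},
        {"name": "Confirm", "type": FORM_NODE,
         "parameters": {"formFields": {"values": [
             {"fieldLabel": "={{ 'Confirm for ' + $json['Your name'] }}"},
             {"fieldLabel": "Static label"},
         ]}}},
    ],
}


if __name__ == "__main__":
    print(report(SAMPLE_WORKFLOW))
    print("NODES_EXCLUDE=" + nodes_exclude_value([FORM_NODE, FORM_TRIGGER_NODE]))
```

Run it against a real export with `report(load_workflow("workflow.json"))`; a REVIEW line means a Form node field is built from an expression that reads earlier-node data, which is the setup the advisory says to review until the instance is upgraded. The scan is a triage aid rather than a proof of exploitability: whether the referenced data is unauthenticated user input still has to be judged from the workflow.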