CVE-2026-27498
Received Received - Intake
Remote Code Execution via File Write in n8n Workflows

Publication date: 2026-02-25

Last updated on: 2026-03-04

Assigner: GitHub, Inc.

Description
n8n is an open source workflow automation platform. Prior to versions 2.2.0 and 1.123.8, an authenticated user with permission to create or modify workflows could chain the Read/Write Files from Disk node with git operations to achieve remote code execution. By writing to specific configuration files and then triggering a git operation, the attacker could execute arbitrary shell commands on the n8n host. The issue has been fixed in n8n versions 2.2.0 and 1.123.8. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Read/Write Files from Disk node by adding `n8n-nodes-base.readWriteFile` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-03-04
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27498
EUVD
EUVD-2026-8760
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
n8n n8n to 1.123.8 (exc)
n8n n8n From 2.0.0 (inc) to 2.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

I don't know

Compliance Impact

I don't know

Impact Analysis

This vulnerability can have severe impacts because it allows an authenticated user with certain permissions to execute arbitrary shell commands remotely on the n8n host.

Such remote code execution can lead to unauthorized control over the system, data breaches, disruption of services, installation of malware, or further attacks within the network.

Executive Summary

This vulnerability affects the open source workflow automation platform n8n. Before versions 2.2.0 and 1.123.8, an authenticated user who had permission to create or modify workflows could exploit a combination of the Read/Write Files from Disk node and git operations to execute arbitrary shell commands on the host running n8n.

The attacker could write to specific configuration files and then trigger a git operation, which would lead to remote code execution on the n8n host.

This issue has been fixed in n8n versions 2.2.0 and 1.123.8. Temporary mitigations include limiting workflow creation and editing permissions to fully trusted users and disabling the Read/Write Files from Disk node by excluding it via an environment variable, but these do not fully remediate the risk.

Mitigation Strategies

To mitigate this vulnerability immediately, users should upgrade n8n to version 2.2.0 or 1.123.8 or later.

If upgrading is not immediately possible, administrators should limit workflow creation and editing permissions to fully trusted users only.

Additionally, disabling the Read/Write Files from Disk node by adding `n8n-nodes-base.readWriteFile` to the `NODES_EXCLUDE` environment variable can serve as a temporary mitigation.

Note that these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27498. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart