CVE-2026-27498
Remote Code Execution via File Write in n8n Workflows
Publication date: 2026-02-25
Last updated on: 2026-03-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| n8n | n8n | to 1.123.8 (exc) |
| n8n | n8n | From 2.0.0 (inc) to 2.2.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability impact me? :
This vulnerability can have severe impacts because it allows an authenticated user with certain permissions to execute arbitrary shell commands remotely on the n8n host.
Such remote code execution can lead to unauthorized control over the system, data breaches, disruption of services, installation of malware, or further attacks within the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, users should upgrade n8n to version 2.2.0 or 1.123.8 or later.
If upgrading is not immediately possible, administrators should limit workflow creation and editing permissions to fully trusted users only.
Additionally, disabling the Read/Write Files from Disk node by adding `n8n-nodes-base.readWriteFile` to the `NODES_EXCLUDE` environment variable can serve as a temporary mitigation.
Note that these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Can you explain this vulnerability to me?
This vulnerability affects the open source workflow automation platform n8n. Before versions 2.2.0 and 1.123.8, an authenticated user who had permission to create or modify workflows could exploit a combination of the Read/Write Files from Disk node and git operations to execute arbitrary shell commands on the host running n8n.
The attacker could write to specific configuration files and then trigger a git operation, which would lead to remote code execution on the n8n host.
This issue has been fixed in n8n versions 2.2.0 and 1.123.8. Temporary mitigations include limiting workflow creation and editing permissions to fully trusted users and disabling the Read/Write Files from Disk node by excluding it via an environment variable, but these do not fully remediate the risk.