CVE-2026-42234
Undergoing Analysis Undergoing Analysis - In Progress
Python Code Node Sandbox Escape in n8n

Publication date: 2026-05-04

Last updated on: 2026-05-06

Assigner: GitHub, Inc.

Description
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This issue only affects instances where the Python Task Runner is enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42234
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
n8n n8n to 1.123.32 (exc)
n8n n8n 2.18.0
n8n n8n From 2.17.0 (inc) to 2.17.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the n8n workflow automation platform in versions prior to 1.123.32, 2.17.4, and 2.18.1. An authenticated user who has permission to create or modify workflows containing a Python Code Node can escape the sandbox environment. This escape allows the user to execute arbitrary code on the task runner container, potentially compromising the system. The vulnerability only applies if the Python Task Runner feature is enabled.

Impact Analysis

The vulnerability can lead to arbitrary code execution on the task runner container by an authenticated user with certain permissions. This means an attacker could run malicious code, potentially leading to unauthorized access, data manipulation, disruption of services, or further compromise of the system hosting the n8n platform.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade your n8n installation to one of the patched versions: 1.123.32, 2.17.4, or 2.18.1.

Additionally, if possible, disable the Python Task Runner feature until the upgrade is applied, as the vulnerability only affects instances where this feature is enabled.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42234. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart