Two critical vulnerabilities in the n8n AI workflow automation platform allow attackers to gain complete control over instances. The flaws allow sensitive data to be read and arbitrary code to be executed on the underlying system.
JFrog discovered the vulnerabilities, identified as CVE-2026-1470 and CVE-2026-0863. Despite requiring authentication, CVE-2026-1470 received a critical CVSS score of 9.9 out of 10. This high score is due to the possibility of full Remote Code Execution (RCE) on n8n’s main node.
n8n is considered an open source platform, although it uses a fair-code license. The widely used platform lets users connect applications, APIs, and services. With more than 200,000 weekly downloads on npm, the package is frequently used for task automation. The platform also supports integrations with AI and large language model services.
JavaScript and Python sandbox escapes
CVE-2026-1470 is an AST sandbox escape caused by incorrect handling of JavaScript "with" statements. A standalone "constructor" identifier can thereby slip past the checks and reach Function, enabling arbitrary JavaScript execution. CVE-2026-0863 is a comparable Python AST sandbox escape that combines format-string-based object introspection with the AttributeError.obj attribute introduced in Python 3.10. This again gives attackers access to restricted builtins and imports.
“These vulnerabilities demonstrate how difficult it is to securely sandbox dynamic, high-level languages such as JavaScript and Python,” according to JFrog. Even with multiple layers of validation and AST-based checks, subtle language features and runtime behaviors can be exploited.
Authentication required, but still critical
Exploiting CVE-2026-1470 requires authentication, because permission to create or modify a workflow is needed. The flaw is nevertheless rated critical because non-administrator users, who are typically trusted in most deployments, can use it to take control of the underlying infrastructure.
The fixes are available in n8n versions 1.123.17, 2.4.5, and 2.5.1 for CVE-2026-1470, and in versions 1.123.14, 2.3.5, and 2.4.2 for CVE-2026-0863. The n8n cloud platform has already been patched. Only self-hosted instances running vulnerable releases are at risk.
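For an operator of a self-hosted instance, the practical question is whether the running release carries both fixes. The following Python script is an added example, not code from n8n or JFrog: it takes the fixed-version lists exactly as given above and decides, per CVE, whether a given version string is at or above the fix on its own release line. The grouping of release lines (1.x as one line, 2.x split per minor version) and the handling of lines the article does not list are assumptions, flagged in the comments.

```python
"""Check whether a self-hosted n8n version carries the fixes for
CVE-2026-1470 and CVE-2026-0863.

Added example. The fixed-version lists below are taken from the advisory
summary; the release-line logic is an assumption, not an n8n statement.
"""

# Fixed releases per CVE, as stated in the article.
FIXED_VERSIONS = {
    "CVE-2026-1470": ["1.123.17", "2.4.5", "2.5.1"],
    "CVE-2026-0863": ["1.123.14", "2.3.5", "2.4.2"],
}


def parse_version(text):
    """'2.4.5' -> (2, 4, 5); raises ValueError for anything non-numeric."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def release_line(version):
    """Release line a fix applies to.

    Assumption: the 1.x series is a single maintained line (one fix, 1.123.x),
    while the 2.x series is patched per minor version (2.3.x, 2.4.x, 2.5.x).
    """
    major, minor, _ = version
    return (major,) if major == 1 else (major, minor)


def is_fixed(version_text, cve):
    """True if `version_text` is at or above the fix on its own release line.

    Conservative assumptions for lines the article does not list:
    - a line newer than every listed fix (e.g. 2.6.x) is treated as fixed;
    - a line older than every listed fix on its branch (e.g. 2.3.x for
      CVE-2026-1470, or 2.0-2.2.x) is treated as unpatched.
    """
    version = parse_version(version_text)
    fixes = [parse_version(v) for v in FIXED_VERSIONS[cve]]
    line = release_line(version)
    same_line = [f for f in fixes if release_line(f) == line]
    if same_line:
        return version >= max(same_line)
    # No fix listed for this line: fixed only if it is newer than all listed fixes.
    return all(line > release_line(f) for f in fixes)


def assess(version_text):
    """Map each CVE to whether the given version carries its fix."""
    return {cve: is_fixed(version_text, cve) for cve in FIXED_VERSIONS}


if __name__ == "__main__":
    import sys

    # Constructed sample input; replace with the version shown in your instance.
    version = sys.argv[1] if len(sys.argv) > 1 else "2.4.3"
    for cve, fixed in assess(version).items():
        print(f"{version}: {cve} {'fixed' if fixed else 'NOT fixed'}")
```

Run it as `python check_n8n.py 2.4.3`; a 2.4.3 instance reports CVE-2026-0863 as fixed (2.4.2 is the fix for that line) but CVE-2026-1470 as not fixed (2.4.5 is required). Because the script only encodes the versions the article lists, any instance on an unlisted older line should be treated as unpatched until the vendor advisory says otherwise.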