n8n | Breaking Cybersecurity News | The Hacker News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting n8n to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2025-68613 (CVSS score: 9.9), concerns a case of expression injection that leads to remote code execution. The security shortcoming was patched by n8n in December 2025 in versions 1.120.4, 1.121.1, and 1.122.0. CVE-2025-68613 is the first n8n vulnerability to be placed in the KEV catalog. "N8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution," CISA said. According to the maintainers of the workflow automation platform, the vulnerability could be weaponized by an authenticated attacker to execute arbitrary code with the privileges of the n8n process. Successful exploitation of the flaw could result in a c...

Cybersecurity researchers have disclosed details of two now-patched security flaws in the n8n workflow automation platform, including two critical bugs that could result in arbitrary command execution. The vulnerabilities are listed below - CVE-2026-27577 (CVSS score: 9.4) - Expression sandbox escape leading to remote code execution (RCE) CVE-2026-27493 (CVSS score: 9.5) - Unauthenticated expression evaluation via n8n's Form nodes "CVE-2026-27577 is a sandbox escape in the expression compiler: a missing case in the AST rewriter lets process slip through untransformed, giving any authenticated expression full RCE," Pillar Security researcher Eilon Cohen, who discovered and reported the issues, said in a report shared with The Hacker News. The cybersecurity company described CVE-2026-27493 as a "double-evaluation bug" in n8n's Form nodes that could be abused for expression injection by taking advantage of the fact that the form endpoints are publi...

Cybersecurity researchers have disclosed two new security flaws in the n8n workflow automation platform, including a crucial vulnerability that could result in remote code execution. The weaknesses, discovered by the JFrog Security Research team, are listed below - CVE-2026-1470 (CVSS score: 9.9) - An eval injection vulnerability that could allow an authenticated user to bypass the Expression sandbox mechanism and achieve full remote code execution on n8n's main node by passing specially crafted JavaScript code CVE-2026-0863 (CVSS score: 8.5) - An eval injection vulnerability that could allow an authenticated user to bypass n8n's python-task-executor sandbox restrictions and run arbitrary Python code on the underlying operating system Shachar Menashe, JFrog's vice president of security research, told The Hacker news that one of the reasons for CVE-2026-1470's high CVSS score despite requiring authentication is that "any user of n8n can exploit this issu...

Threat actors have been observed uploading a set of eight packages on the npm registry that masqueraded as integrations targeting the n8n workflow automation platform to steal developers' OAuth credentials. One such package, named "n8n-nodes-hfgjf-irtuinvcm-lasdqewriit," mimics a Google Ads integration, and prompts users to link their advertising account in a seemingly legitimate form and then siphon OAuth credentials to servers under the attackers' control. "The attack represents a new escalation in supply chain threats," Endor Labs said in a report published last week. "Unlike traditional npm malware, which often targets developer credentials, this campaign exploited workflow automation platforms that act as centralized credential vaults – holding OAuth tokens, API keys, and sensitive credentials for dozens of integrated services like Google Ads, Stripe, and Salesforce in a single location." The complete list of identified packages, which ...