A critical vulnerability exists in the n8n workflow automation platform that allows an authenticated user to bypass a security sandbox and execute arbitrary commands on the server. Successful exploitation could lead to a complete compromise of the underlying system, allowing an attacker to steal sensitive data, disrupt operations, and pivot to other internal network resources. This vulnerability affects versions 1.0.0 up to, but not including, 2.0.0 and requires immediate attention.

The vulnerability is a sandbox bypass within the Python Code Node component, which utilizes Pyodide. An attacker with permissions to create or edit n8n workflows can craft a malicious Python script within the Code Node. This script can escape the intended Pyodide sandbox environment, granting the attacker the ability to execute arbitrary commands directly on the host operating system with the same privileges as the running n8n service account.

This vulnerability is rated as critical severity with a CVSS score of 9.9, reflecting the high potential for significant damage. Exploitation could lead to a complete compromise of the n8n host server. Potential consequences include the theft of sensitive data processed by workflows (such as API keys, credentials, and customer information), installation of ransomware or other malware, complete disruption of automated business processes, and the use of the compromised server as a launchpad for further attacks against the internal network.

Immediate Action: The primary remediation is to upgrade the n8n instance to the patched version 2.0.0 or later. After upgrading, security teams should monitor for any signs of post-exploitation activity and review historical access and execution logs for any suspicious workflow modifications or executions involving the Python Code Node.

Proactive Monitoring: Monitor the n8n host for suspicious child processes being spawned by the n8n parent process. Review n8n audit logs for unauthorized or unexpected modifications to workflows, particularly those containing a Code Node. Network monitoring should be configured to detect unusual outbound connections from the n8n server, which could indicate a successful compromise.

Compensating Controls: If immediate patching is not feasible, apply one of the following workarounds:

• Disable the Code Node entirely by setting the environment variable: NODES_EXCLUDE: "[\"n8n-nodes-base.code\"]"
• For n8n version 1.104.0 and later, disable only Python support in the Code Node by setting the environment variable: N8N_PYTHON_ENABLED=false
• Configure n8n to use the more secure task runner-based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables.

Public Exploit Available: false

Given the critical severity (CVSS 9.9) of this vulnerability and its potential for complete system takeover, it is imperative that organizations take immediate action. The primary recommendation is to upgrade all vulnerable n8n instances to version 2.0.0 or newer without delay. If patching cannot be performed immediately, one of the specified compensating controls must be implemented as a temporary measure. Although this vulnerability is not currently listed on the CISA KEV list, its high impact and the low complexity for an authenticated attacker make it a high-priority issue that should be addressed urgently.