Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionGitHub Advisory
Impact
An authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container.
- This issue only affects instances where the Python Task Runner is enabled.
Patches
The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the Python Code node by adding
n8n-nodes-base.codeto theNODES_EXCLUDEenvironment variable, or disable the Python Task Runner entirely.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
AnalysisAI
Sandbox escape in n8n's Python Task Runner enables authenticated workflow editors to execute arbitrary code on the task runner container. This vulnerability (CWE-94: Improper Control of Generation of Code) affects n8n instances with the Python Code Node feature enabled, allowing attackers with workflow creation/modification permissions to break out of the Python sandbox. Vendor-released patches are available in versions 1.123.32, 2.17.4, and 2.18.1. No public exploit identified at time of analysis, though the technical details in the GitHub advisory provide sufficient information for exploitation by authenticated users.
Technical ContextAI
n8n is a workflow automation platform (npm package n8n) that includes a Python Code Node for executing Python scripts within workflows. The Python Task Runner executes this code in a sandboxed container environment to prevent unauthorized system access. This vulnerability (CWE-94: Improper Control of Generation of Code / Code Injection) represents a sandbox escape flaw in the Python Task Runner implementation. The affected component allows authenticated users to bypass sandbox restrictions through crafted Python code within workflow nodes, achieving arbitrary code execution at the container level. The vulnerability is specific to the Python Task Runner feature - installations not using this feature or those with the Python Code node disabled are not affected. The affected npm package versions span three release branches: legacy 1.x (< 1.123.32), and current 2.x branches (2.17.0-2.17.3 and 2.18.0).
RemediationAI
Upgrade n8n to a patched version immediately: version 1.123.32 for users on the 1.x branch, version 2.17.4 for those on 2.17.x, or version 2.18.1 for those on 2.18.x or later. Vendor-released patches are confirmed in these versions per GitHub advisory GHSA-44v6-jhgm-p3m4. If immediate upgrade is not feasible, implement compensating controls with awareness of their limitations: restrict workflow creation and editing permissions to only fully trusted administrators (reduces attack surface but increases operational friction and may conflict with legitimate use cases), disable the Python Code node by adding n8n-nodes-base.code to the NODES_EXCLUDE environment variable (eliminates Python execution capability but breaks workflows dependent on Python nodes), or disable the Python Task Runner entirely via configuration (same impact as disabling the node). The vendor explicitly states these workarounds 'do not fully remediate the risk' and should only be temporary measures. Organizations should audit existing workflows for suspicious Python code during the remediation window, review user accounts with workflow edit permissions, and monitor task runner container logs for unusual activity. No other mitigations fully address the sandbox escape without patching.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27109
GHSA-44v6-jhgm-p3m4