
n8n CVE-2026-49444

Severity: HIGH · 8.5 (CVSS 3.1, GitHub Advisory)
Weakness: Improper Input Validation (CWE-20)
Published: 2026-06-16 · Repository: https://github.com/n8n-io/n8n · Advisory: GHSA-9pq8-m8gp-4p53

Severity by source

GitHub Advisory (primary): 8.5 HIGH
  CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

vuln.today AI: 9.9 CRITICAL
  Rationale: a network-reachable, authenticated, low-privileged user (PR:L) escapes the Python sandbox to run arbitrary code in the task runner container, yielding full C/I/A on a separate component, hence S:C and high impacts.
  CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  CVSS 4.0: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: Low
  • Availability: None

Lifecycle Timeline

  • Source Code Evidence Fetched: Jun 16, 2026 18:23 (vuln.today)
  • Analysis Generated: Jun 16, 2026 18:23 (vuln.today)

Description (GitHub Advisory)

Impact

An authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container.

This issue only affects instances where the Python Task Runner is enabled.

Patches

The issue has been fixed in n8n versions 1.123.48, 2.21.8, and 2.22.4. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

  • Limit workflow creation and editing permissions to fully trusted users only.
  • Disable the Python Code node by adding n8n-nodes-base.code to the NODES_EXCLUDE environment variable, or disable the Python Task Runner entirely.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
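As an added defender-side example (not code from n8n or vuln.today), the following Python classifies a deployment against the advisory's fixed versions and the two workarounds above. It assumes NODES_EXCLUDE is a JSON array string (n8n's documented form, with a comma-separated list accepted as a fallback), that release lines newer than the three fixed versions already carry the fix, and it takes whether the Python Task Runner is enabled as a plain flag, since how it is enabled is deployment-specific.

```python
import json
import re

# Fixed releases named in the advisory (GHSA-9pq8-m8gp-4p53), keyed by release line.
FIXED = {(1, 123): (1, 123, 48), (2, 21): (2, 21, 8), (2, 22): (2, 22, 4)}
CODE_NODE = "n8n-nodes-base.code"  # node type named in the NODES_EXCLUDE workaround


def parse_version(text):
    """'1.123.47' or 'v2.21.8-rc.1' -> (1, 123, 47); pre-release suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version: {text!r}")
    return tuple(int(x) for x in m.groups())

def needs_patch(version):
    """True when the version predates the fix for its release line."""
    major, minor, patch = parse_version(version)
    fixed_majors = {maj for maj, _ in FIXED}
    if major not in fixed_majors:
        # Assumption: 3.x and later carry the fix; 0.x predates every fix.
        return major < max(fixed_majors)
    if (major, minor) in FIXED:
        return (major, minor, patch) < FIXED[(major, minor)]
    # No fix shipped on this minor line: older lines (2.20.x) are affected; newer
    # ones (2.23.x, 1.124.x) are assumed to carry the fix forward (not in advisory).
    return minor < max(mnr for maj, mnr in FIXED if maj == major)

def code_node_excluded(nodes_exclude):
    """NODES_EXCLUDE as a JSON array string (assumed n8n form); comma list accepted too."""
    if not nodes_exclude:
        return False
    try:
        names = json.loads(nodes_exclude)
        if not isinstance(names, list):
            return False
    except ValueError:
        names = nodes_exclude.split(",")
    return CODE_NODE in {str(n).strip() for n in names}

def assess(version, python_runner_enabled, nodes_exclude=""):
    """Classify one deployment as patched / not exposed / mitigated / vulnerable."""
    if not needs_patch(version):
        return "patched"
    if not python_runner_enabled:
        return "not exposed"  # advisory: only Python Task Runner deployments are affected
    if code_node_excluded(nodes_exclude):
        return "mitigated"  # short-term workaround only; the upgrade is still required
    return "vulnerable"
```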

Analysis (AI)

Sandbox escape in the n8n workflow automation platform allows authenticated users with workflow edit permissions to break out of the Python Code Node sandbox and execute arbitrary code on the task runner container. The flaw affects n8n versions prior to 1.123.48, 2.21.8, and 2.22.4 when the Python Task Runner is enabled; publicly available exploit code exists via the published GHSA advisory text. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: authenticate to n8n with an editor role
  • Delivery: create a workflow containing a Python Code Node
  • Exploit: submit a sandbox-escape Python payload
  • Install: trigger workflow execution
  • C2: escape the Python sandbox in the task runner
  • Execute: execute arbitrary code in the container
  • Impact: access secrets and pivot internally

Vulnerability Assessment (AI)

Exploitation: Exploitation requires three concrete conditions drawn directly from the advisory: (1) the n8n instance must have the Python Task Runner explicitly enabled - it is not enabled in every deployment; (2) the attacker must hold an authenticated n8n account with permission to create or modify workflows containing a Python Code Node (n8n-nodes-base.code); and (3) the attacker must be able to reach the n8n web UI/API over the network (AV:N). …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N (score 8.5) reflects network-reachable exploitation by an authenticated low-privileged user with a scope change, consistent with breaking out of the sandbox into the host task runner. …

Exploit Scenario: An attacker obtains or is granted a low-privileged n8n account with permission to create or edit workflows (for example, a workflow developer role in a multi-tenant SaaS-style internal deployment). They create or modify a workflow containing a Python Code Node with a crafted payload that abuses the sandbox weakness to escape the restricted Python interpreter and execute arbitrary commands inside the task runner container, then pivot to read secrets, environment variables, or reach internal services accessible from that container.

Remediation: Vendor-released patch: upgrade to n8n 1.123.48, 2.21.8, or 2.22.4 (or later in each branch), per advisory GHSA-9pq8-m8gp-4p53 at https://github.com/n8n-io/n8n/security/advisories/GHSA-9pq8-m8gp-4p53. …

Recommended Action (AI)

24 hours: Inventory all n8n deployments with Python Task Runner enabled; identify users with workflow editor permissions. …
