Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Authenticated workflow editor required (PR:L); confidentiality limited to env vars in runner process (C:L); no integrity or availability impact; scope unchanged.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
n8n before 2.25.7 and 2.26.x before 2.26.2 contains an abstract syntax tree (AST) security validator bypass in the Python Code node. An authenticated user with permission to create or modify workflows containing a Python Code node can bypass the validator and access the task executor module namespace. The issue only affects self-hosted instances where the Python Task Runner is enabled; where N8N_BLOCK_RUNNER_ENV_ACCESS is configured to allow it, this can disclose environment variables accessible to the task runner process.
AnalysisAI
The Python Code node in n8n allows authenticated workflow editors to bypass the AST security validator by crafting Python code that evades an incomplete blocklist (CWE-184), reaching the task executor module namespace. Affected self-hosted n8n deployments running versions before 2.25.7 or 2.26.x before 2.26.2 with the Python Task Runner enabled are exposed to environment variable disclosure when N8N_BLOCK_RUNNER_ENV_ACCESS is not set to restrict access, potentially leaking API keys, database credentials, or other secrets injected at process startup. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following to be simultaneously true: (1) the n8n instance must be self-hosted - cloud-hosted n8n.cloud deployments are explicitly out of scope per the advisory; (2) the Python Task Runner must be enabled in the deployment configuration (this is not the default for most n8n installations); (3) N8N_BLOCK_RUNNER_ENV_ACCESS must be set to a permissive value rather than the restrictive setting that blocks runner environment access; and (4) the attacker must be an authenticated user holding permission to create or modify workflows that include Python Code nodes (PR:L per the CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-supplied CVSS 4.0 score of 5.3 (Medium) with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N reflects network-accessible exploitation by a low-privileged user with limited confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated n8n user with workflow-edit rights opens or creates a workflow and inserts a Python Code node containing an AST construct specifically shaped to pass the incomplete blocklist validator while still referencing the task executor's module namespace at runtime. On a self-hosted instance where the Python Task Runner is active and N8N_BLOCK_RUNNER_ENV_ACCESS is permissive, the script executes and enumerates environment variables - potentially exposing database passwords, third-party API keys, or internal service tokens injected at container or process startup. … |
| Remediation | Upgrade n8n to version 2.25.7 or later on the 2.25.x track, or to 2.26.2 or later on the 2.26.x track, per the vendor security advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-jwm3-qcfw-c5pp. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-184 – Incomplete List of Disallowed Inputs
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40453
GHSA-x2rh-rhm8-cv8v