Agents
n8n AI Workflow Platform: Four CVSS 9.4-9.5 Vulnerabilities Including Unauthenticated RCE via Public Forms (CISA Deadline Today)
Pillar Security researcher Eilon Cohen disclosed four critical n8n vulnerabilities: CVE-2026-27577 (CVSS 9.4, expression sandbox escape via AST rewriter flaw), CVE-2026-27493 (CVSS 9.5, unauthenticated expression injection via public Form nodes), CVE-2026-27495 (CVSS 9.4, JavaScript Task Runner sandbox code injection), and CVE-2026-27497 (CVSS 9.4, Merge node SQL query exploitation). The Form node bug is especially dangerous — attackers can execute arbitrary shell commands through a public contact form with no authentication. Patched in n8n 2.10.1/2.9.3/1.123.22. CISA KEV remediation deadline for related CVE-2025-68613 is March 25 (today), with 71,537 exposed n8n instances observed worldwide.
↳ Follow the thread