CVE-2026-49444
HighCVSS 8.5Exploitation Probability (EPSS)
Low risk28th percentile — higher than 28% of all known CVEs
Summary
In n8n, an open source workflow automation platform, prior to versions 1.123.48, 2.21.8, and 2.22.4, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container.
Risk Assessment
An attacker can take control of the task runner container, leading to compromise of data confidentiality, integrity, and availability, and potentially escalating the attack to other infrastructure resources.
Recommendation
Immediately update n8n to version 1.123.48, 2.21.8, or 2.22.4, depending on the branch you are using. Restrict permissions to create and modify workflows to trusted users only.
Original NVD description (English source)
n8n is an open source workflow automation platform. Prior to 1.123.48, 2.21.8, and 2.22.4, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This vulnerability is fixed in 1.123.48, 2.21.8, and 2.22.4.

