CVE Catalog

CVE-2026-49444

HighCVSS 8.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

28th percentile — higher than 28% of all known CVEs

Summary

In n8n, an open source workflow automation platform, prior to versions 1.123.48, 2.21.8, and 2.22.4, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container.

Risk Assessment

An attacker can take control of the task runner container, leading to compromise of data confidentiality, integrity, and availability, and potentially escalating the attack to other infrastructure resources.

Recommendation

Immediately update n8n to version 1.123.48, 2.21.8, or 2.22.4, depending on the branch you are using. Restrict permissions to create and modify workflows to trusted users only.

Original NVD description (English source)

n8n is an open source workflow automation platform. Prior to 1.123.48, 2.21.8, and 2.22.4, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This vulnerability is fixed in 1.123.48, 2.21.8, and 2.22.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS