CVE Catalog

CVE-2026-56777

MediumCVSS 5.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

A vulnerability in n8n before version 2.25.7 and 2.26.x before 2.26.2 allows bypassing the AST security validator in the Python Code node. An authenticated user with permission to create or modify workflows containing this node can access the task executor module namespace.

Risk Assessment

The risk involves potential disclosure of environment variables accessible to the task runner process, which could lead to leakage of sensitive configuration data. This issue only affects self-hosted instances with Python Task Runner enabled and N8N_BLOCK_RUNNER_ENV_ACCESS configured to allow it.

Recommendation

Immediately upgrade n8n to version 2.25.7, 2.26.2, or later. If an upgrade is not possible, consider disabling the Python Task Runner or restricting access to the Python Code node for unauthorized users.

Original NVD description (English source)

n8n before 2.25.7 and 2.26.x before 2.26.2 contains an abstract syntax tree (AST) security validator bypass in the Python Code node. An authenticated user with permission to create or modify workflows containing a Python Code node can bypass the validator and access the task executor module namespace. The issue only affects self-hosted instances where the Python Task Runner is enabled; where N8N_BLOCK_RUNNER_ENV_ACCESS is configured to allow it, this can disclose environment variables accessible to the task runner process.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS