Skip to content
CVSS 8.8 · HIGH

CVE-2026-42234

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This issue only affects instances where the Python Task Runner is enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

Ver en NVD

Análisis

n8n versions prior to 1.123.32 are vulnerable to a sandbox escape in the Python Code Node. An authenticated user with permissions to create or edit workflows can execute arbitrary code on the task runner container. Users of n8n should update to the latest patched version to prevent internal privilege escalation.

Severidad

Puntaje: 8.8(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE): CWE-94

EPSS

Probabilidad de explotación (próx. 30 días): 0.0007 (0.1%)
Percentil: 21.2%
EPSS: 2026-05-06

Afecta

n8n:n8n

Descripción técnica

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This issue only affects instances where the Python Task Runner is enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

Publicada: 4/5/2026, 19:16:06
Última modificación: 6/5/2026, 18:05:52

Referencias

InicioEventosBlogRecursosEquipo