VYPR
Published Mar 12, 2026 · Updated May 18, 2026 · 1 source

Critical Zero-Click Flaw in n8n Allows Full Server Compromise

Two critical vulnerabilities in n8n, including a zero-click unauthenticated RCE bug (CVE-2026-27493), allow attackers to fully compromise servers and decrypt stored credentials.

Researchers at Pillar Security have disclosed two critical vulnerabilities in n8n, the popular open-source workflow automation platform used by hundreds of thousands of enterprise AI systems worldwide. The most severe flaw, tracked as CVE-2026-27493, carries a CVSS v4.0 score of 9.5 and allows unauthenticated, zero-click remote code execution through a double-evaluation bug in n8n's Form nodes. The second vulnerability, CVE-2026-27577 (CVSS 9.4), is a sandbox escape in the expression compiler that enables authenticated attackers to achieve full server takeover and decrypt all stored credentials.

The zero-click vulnerability (CVE-2026-27493) is particularly dangerous because it requires neither user interaction nor authentication. According to Pillar Security, the bug stems from a double-evaluation issue in Form nodes that turns any multi-step form displaying user input back into an expression injection point. The pattern behind that bug class is simple: the first evaluation substitutes the visitor's submitted value into the next step's text, and a second evaluation then treats that text, now containing whatever the visitor typed, as a trusted expression. Since form endpoints are public by design, an attacker need only type a payload into a form field, such as the Name field of a 'Contact Us' form, to trigger arbitrary shell commands on the server. "A public 'Contact Us' form will run arbitrary shell commands if you type a payload into the Name field," the researchers explained.
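To make the double-evaluation pattern concrete, here is an added example written for this article; it is not n8n's code and does not reproduce the patched Form node. It is a toy `{{ }}` template evaluator whose expression syntax and `$json` naming follow n8n's conventions, with a hypothetical `$exec("cmd")` expression standing in for the code execution a real expression engine can be driven to. The constructed "Contact Us" submission puts an expression in the Name field; the vulnerable path evaluates the rendered step twice and runs it, while the hardened path neutralises request-derived braces in the first pass so the second pass finds nothing.

```javascript
// Added example, not n8n's code: a toy {{ }} template evaluator that models the
// double-evaluation bug class behind the Form node flaw. The {{ expr }} syntax
// and $json naming follow n8n's conventions; the evaluator, the $exec() stand-in
// for reaching code execution, and the form flow are simplifications for this page.

const EXPR = /\{\{\s*([^}]*?)\s*\}\}/g;

// Evaluate every {{ expr }} in `template` once against the submitted form data.
// Only two expression shapes exist in this toy: `$json.<field>` reads a field,
// and `$exec("cmd")` records a command in `executed` (standing in for the
// shell access a real expression engine can be driven to).
function evaluate(template, data, executed, { escapeData }) {
  return template.replace(EXPR, (_, expr) => {
    let m;
    if ((m = /^\$json\.([A-Za-z_]\w*)$/.exec(expr))) {
      const value = String(data[m[1]] ?? '');
      // Hardened variant: request-derived text is display data, so its braces are
      // HTML-escaped and can never form a {{ }} token in a later evaluation.
      return escapeData ? value.replace(/[{}]/g, c => `&#${c.charCodeAt(0)};`) : value;
    }
    if ((m = /^\$exec\(["'](.*)["']\)$/.exec(expr))) {
      executed.push(m[1]);
      return '';
    }
    return ''; // unknown expression renders as empty
  });
}

// Step 2 of a multi-step form echoes a step-1 field back to the visitor.
const STEP2_TEMPLATE = '<p>Thanks, {{ $json.name }}. Step 2 of 2.</p>';

// Render the next step. The rendered page is evaluated a second time, modelling
// a downstream stage that treats field text as expressions again. With
// escapeData=false that second pass is the bug; with escapeData=true the user's
// braces were neutralised in the first pass and the second pass finds nothing.
function renderNextStep(submission, { escapeData }) {
  const executed = [];
  const once = evaluate(STEP2_TEMPLATE, submission, executed, { escapeData });
  const html = evaluate(once, submission, executed, { escapeData });
  return { html, executed };
}

// Constructed submission: the Name field carries an expression instead of a name.
const HOSTILE_SUBMISSION = { name: '{{ $exec("id") }}', email: 'visitor@example.com' };

console.log('vulnerable:', renderNextStep(HOSTILE_SUBMISSION, { escapeData: false }));
console.log('hardened:  ', renderNextStep(HOSTILE_SUBMISSION, { escapeData: true }));
```

The lesson generalises beyond forms: any value that originates from a request must leave the evaluator as data, never as template text. Removing the second evaluation is the cleanest fix; where a downstream stage must keep evaluating expressions, escaping the delimiters at the point where untrusted text is interpolated, as the hardened path does, is the fallback.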

The second flaw, CVE-2026-27577, is a sandbox escape in n8n's expression compiler caused by a missing case in the AST rewriter. This allows any authenticated attacker to achieve full remote code execution. Because n8n functions as a credential vault, storing keys to every system it connects to, a successful sandbox escape exposes not only the n8n instance but every connected system. "Post-exploitation is straightforward: the attacker reads the N8N_ENCRYPTION_KEY environment variable and uses it to decrypt every credential stored in n8n's database: AWS keys, database passwords, OAuth tokens, API keys," the researchers wrote in their March 11 report.

Pillar Security emphasized that for n8n Cloud and multi-tenant deployments, the impact extends beyond individual instances. "As demonstrated previously, sandbox escapes on n8n Cloud grant access to shared infrastructure, creating cross-tenant risk: a single public form on one tenant's workflow could serve as the entry point," the researchers warned. That assessment rests on the shared expression engine and infrastructure architecture the researchers had confirmed during their earlier research.

These findings follow an earlier round of vulnerabilities discovered by Pillar Security in December 2025, which prompted n8n to release an initial patch update followed by nine security fixes in early 2026. However, the researchers continued investigating and found these two additional flaws that were not addressed by the earlier patches. Both CVE-2026-27493 and CVE-2026-27577 were reported via GitHub on February 25, 2026.

n8n has released patches for both vulnerabilities in versions 2.10.1, 2.9.3, and 1.123.22, depending on the release channel. The company noted that n8n Cloud should already have received the fixes automatically. Self-hosted instances should be updated immediately, and if a vulnerable workflow is found in the environment, every credential stored in that instance should be rotated. "Any instance running an affected version could have exposed N8N_ENCRYPTION_KEY, which decrypts every credential stored in the platform," the researchers warned. Because it is the key itself that may have been exposed, a practitioner should treat N8N_ENCRYPTION_KEY as compromised alongside the credentials it protects, not only the credentials.
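A first triage step for self-hosted fleets is to compare each instance's version against the fixed releases named above. The following is an added example written for this article, not n8n's own tooling: it encodes the three fixed versions from the text and applies per-release-line rules that are this example's own, including the assumption that any 2.x release newer than 2.10 was cut after the fix landed and that a 2.x line with no named fixed release should be treated as unpatched. The inventory is constructed; confirm the rules against n8n's release notes before relying on them.

```javascript
// Added example, not n8n's tooling: triage a self-hosted inventory against the
// fixed versions this article names (2.10.1, 2.9.3, 1.123.22). The per-line
// rules below, and the assumption that later releases on a fixed line keep the
// fix, are this example's own; confirm them against n8n's release notes.

// Fixed release per release line, taken from the article.
const FIXED_BY_LINE = { '1': '1.123.22', '2.9': '2.9.3', '2.10': '2.10.1' };

// Accepts "2.10.1", "v2.10.1" or "2.10.1-something" and returns [major, minor, patch].
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  if (!m) throw new Error(`unrecognised version string: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns { status: 'patched' | 'vulnerable' | 'unknown', reason }.
function assess(versionText) {
  const v = parseVersion(versionText);
  const [major, minor] = v;
  // 1.x is one release line; 2.x was patched per minor release.
  const line = major === 1 ? '1' : major === 2 ? `2.${minor}` : null;
  const fixed = line && FIXED_BY_LINE[line];
  if (fixed) {
    const ok = compareVersions(v, parseVersion(fixed)) >= 0;
    return { status: ok ? 'patched' : 'vulnerable', reason: `${line}.x line fixed in ${fixed}` };
  }
  if (major === 2 && minor > 10) {
    // Assumption (this example's, not the article's): a 2.x release newer than
    // 2.10 was cut after the fix landed.
    return { status: 'patched', reason: 'assumed: released after 2.10.1' };
  }
  if (major === 2) {
    return { status: 'vulnerable', reason: 'no fixed release named for this 2.x line; treat as unpatched' };
  }
  return { status: 'unknown', reason: 'release line not covered by this advisory' };
}

// Reduce an inventory to the hosts that still need an update (or a closer look).
function needsUpdate(inventory) {
  return inventory
    .map(h => ({ ...h, ...assess(h.version) }))
    .filter(h => h.status !== 'patched');
}

// Constructed sample inventory (not real hosts).
const INVENTORY = [
  { host: 'n8n-prod-1', version: '2.10.0' },
  { host: 'n8n-prod-2', version: '2.10.1' },
  { host: 'n8n-legacy', version: '1.123.21' },
  { host: 'n8n-staging', version: 'v2.9.3' },
];

console.log(needsUpdate(INVENTORY));
```

Feed it the version string each instance reports (image tag, package metadata, or the editor's own version display) and treat every `vulnerable` or `unknown` result as an instance whose stored credentials and encryption key fall under the rotation guidance above.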

The disclosure of these vulnerabilities highlights the growing risk surface of workflow automation platforms that act as credential hubs. As organizations increasingly rely on tools like n8n to connect AI systems, cloud services, and databases, a single sandbox escape can cascade into the compromise of every system the platform holds credentials for. The zero-click, unauthenticated nature of CVE-2026-27493 makes patching especially urgent, as public-facing forms are a common entry point for attackers.

Synthesized by Vypr AI