Vulnerabilities ›

CVE-2026-42234

High

CWE-94 — Weakness Type

                    Published: May 4, 2026                      ·  Modified: May 11, 2026                      ·  Source: NVD                

CVSS v3

8.8

🔗 NVD Official

📄 Description (English)

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This issue only affects instances where the Python Task Runner is enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.

🤖 AI Executive Summary

n8n workflow automation platform versions prior to 1.123.32, 2.17.4, and 2.18.1 contain a critical sandbox escape vulnerability in Python Code Nodes that allows authenticated users to execute arbitrary code on task runner containers. This vulnerability requires Python Task Runner to be enabled and affects enterprise deployments. The high CVSS score of 8.8 indicates significant risk to organizations using n8n for critical automation workflows.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 8, 2026 16:33

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations using n8n for critical automation workflows face significant risk, particularly in: Banking sector (SAMA-regulated institutions using n8n for transaction processing and reporting automation), Government agencies (NCA oversight entities using workflow automation for compliance and administrative processes), Healthcare sector (MOH facilities using n8n for patient data workflows), Energy sector (ARAMCO and related entities using automation for operational workflows), and Telecommunications (STC and other operators using n8n for service automation). The vulnerability allows authenticated insiders or compromised accounts to execute arbitrary code, potentially leading to data exfiltration, system compromise, and operational disruption.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Public Administration Healthcare Energy and Utilities Telecommunications Manufacturing Retail and E-commerce

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application (n8n workflow interface) T1210 - Exploitation of Remote Services (Python Task Runner) T1059 - Command and Scripting Interpreter (Python Code Node execution) T1548 - Abuse Elevation Control Mechanism (sandbox escape) T1611 - Escape to Host (container escape to task runner) T1021 - Remote Services (lateral movement from task runner) T1041 - Exfiltration Over C2 Channel (data exfiltration post-compromise)

⚖️ Saudi Risk Score (AI)

8.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all n8n instances in your environment and document their versions

2. Disable Python Task Runner if not critical to operations

3. Restrict workflow creation/modification permissions to trusted administrators only

4. Monitor Python Code Node usage in existing workflows

5. Review audit logs for suspicious workflow modifications



PATCHING GUIDANCE:

1. Upgrade to patched versions: 1.123.32, 2.17.4, or 2.18.1 immediately

2. Test patches in non-production environments first

3. Plan maintenance windows for production upgrades

4. Verify Python Task Runner functionality post-patch



COMPENSATING CONTROLS (if patching delayed):

1. Implement network segmentation isolating task runner containers

2. Apply principle of least privilege to workflow permissions

3. Disable Python Code Node functionality if not essential

4. Implement container runtime security monitoring

5. Use read-only file systems for task runner containers where possible



DETECTION RULES:

1. Monitor for Python Code Node creation/modification by non-admin users

2. Alert on Python Code Node execution with suspicious imports (os, subprocess, socket)

3. Track container escape attempts (unusual system calls, privilege escalation)

4. Monitor outbound connections from task runner containers

5. Log all workflow modifications with user attribution

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. حدد جميع مثيلات n8n في بيئتك وقثق إصداراتها

2. عطل Python Task Runner إذا لم يكن حرجاً للعمليات

3. قيد صلاحيات إنشاء/تعديل سير العمل للمسؤولين الموثوقين فقط

4. راقب استخدام عقد Python Code في سير العمل الموجود

5. راجع سجلات التدقيق للتعديلات المريبة على سير العمل

إرشادات التصحيح:

1. قم بالترقية إلى الإصدارات المصححة: 1.123.32 أو 2.17.4 أو 2.18.1 فوراً

2. اختبر التصحيحات في بيئات غير الإنتاج أولاً

3. خطط نوافذ الصيانة لترقيات الإنتاج

4. تحقق من وظيفة Python Task Runner بعد التصحيح

الضوابط البديلة (إذا تأخر التصحيح):

1. طبق تقسيم الشبكة لعزل حاويات مشغل المهام

2. طبق مبدأ أقل امتياز لصلاحيات سير العمل

3. عطل وظيفة عقدة Python Code إذا لم تكن ضرورية

4. طبق مراقبة أمان وقت التشغيل للحاويات

5. استخدم أنظمة الملفات للقراءة فقط لحاويات مشغل المهام حيث أمكن

قواعد الكشف:

1. راقب إنشاء/تعديل عقدة Python Code من قبل المستخدمين غير الإداريين

2. نبه على تنفيذ عقدة Python Code مع استيراد مريب (os, subprocess, socket)

3. تتبع محاولات الهروب من الحاويات (استدعاءات نظام غير عادية، تصعيد الامتيازات)

4. راقب الاتصالات الصادرة من حاويات مشغل المهام

5. سجل جميع تعديلات سير العمل مع نسبة المستخدم

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 - Access Control Policies (workflow permission management) ECC 2024 A.8.1.1 - User Endpoint Devices (task runner container security) ECC 2024 A.8.2.1 - Privileged Access Rights (Python Code Node execution) ECC 2024 A.12.4.1 - Event Logging (workflow modification audit trails)

🔵 SAMA CSF

SAMA CSF ID.AM-2 - Asset Management (n8n instance inventory) SAMA CSF PR.AC-1 - Access Control (workflow permissions) SAMA CSF PR.AC-4 - Access Rights (least privilege for Python nodes) SAMA CSF DE.CM-1 - Detection Processes (monitoring Python Code Node execution) SAMA CSF RS.MI-2 - Incident Response (containment of compromised task runners)

🟡 ISO 27001:2022

ISO 27001:2022 A.5.3 - Segregation of Duties (workflow approval workflows) ISO 27001:2022 A.8.1.1 - User Registration and Access Rights Management ISO 27001:2022 A.8.2.1 - Privileged Access Rights ISO 27001:2022 A.8.3.1 - Password Management ISO 27001:2022 A.12.4.1 - Event Logging ISO 27001:2022 A.12.4.3 - Protection of Log Information

🟣 PCI DSS v4.0.1

PCI DSS 3.2.1 - Strong Cryptography (if n8n processes payment data) PCI DSS 6.2 - Security Patches (timely patching requirement) PCI DSS 7.1 - Least Privilege Access (workflow permissions) PCI DSS 10.2 - User Access Logging (workflow modifications)

🔗 References & Sources 1

🔗

https://github.com/n8n-io/n8n/security/advisories/GHSA-44v6-jhgm-p3m4

security-advisories@github.com

Vendor Advisory

📦 Affected Products / CPE 3 entries

n8n:n8n

n8n:n8n:2.18.0

📊 CVSS Score

8.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score8.8

CWECWE-94

EPSS0.07%

Exploit No

Patch ✗ No

Published 2026-05-04

Source Feed nvd

🇸🇦 Saudi Risk Score

8.2

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

CWE-94

🏢 Vendor Advisories

🔗 https://github.com/n8n-io/n8n/security/advisories/GH...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-42234

💬 Comments

Introduce Yourself

Sign In Required