📄 الوصف (الإنجليزية)
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This issue only affects instances where the Python Task Runner is enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
🤖 ملخص AI
n8n workflow automation platform versions prior to 1.123.32, 2.17.4, and 2.18.1 contain a critical sandbox escape vulnerability in Python Code Nodes that allows authenticated users to execute arbitrary code on task runner containers. This vulnerability requires Python Task Runner to be enabled and affects enterprise deployments. The high CVSS score of 8.8 indicates significant risk to organizations using n8n for critical automation workflows.
📄 الوصف (العربية)
🤖 التحليل الذكي آخر تحليل: May 8, 2026 16:33
🇸🇦 التأثير على المملكة العربية السعودية
Saudi organizations using n8n for critical automation workflows face significant risk, particularly in: Banking sector (SAMA-regulated institutions using n8n for transaction processing and reporting automation), Government agencies (NCA oversight entities using workflow automation for compliance and administrative processes), Healthcare sector (MOH facilities using n8n for patient data workflows), Energy sector (ARAMCO and related entities using automation for operational workflows), and Telecommunications (STC and other operators using n8n for service automation). The vulnerability allows authenticated insiders or compromised accounts to execute arbitrary code, potentially leading to data exfiltration, system compromise, and operational disruption.
🏢 القطاعات السعودية المتأثرة
Banking and Financial Services
Government and Public Administration
Healthcare
Energy and Utilities
Telecommunications
Manufacturing
Retail and E-commerce
🎯 تقنيات MITRE ATT&CK
T1190 - Exploit Public-Facing Application (n8n workflow interface)
T1210 - Exploitation of Remote Services (Python Task Runner)
T1059 - Command and Scripting Interpreter (Python Code Node execution)
T1548 - Abuse Elevation Control Mechanism (sandbox escape)
T1611 - Escape to Host (container escape to task runner)
T1021 - Remote Services (lateral movement from task runner)
T1041 - Exfiltration Over C2 Channel (data exfiltration post-compromise)
⚖️ درجة المخاطر السعودية (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all n8n instances in your environment and document their versions
2. Disable Python Task Runner if not critical to operations
3. Restrict workflow creation/modification permissions to trusted administrators only
4. Monitor Python Code Node usage in existing workflows
5. Review audit logs for suspicious workflow modifications
PATCHING GUIDANCE:
1. Upgrade to patched versions: 1.123.32, 2.17.4, or 2.18.1 immediately
2. Test patches in non-production environments first
3. Plan maintenance windows for production upgrades
4. Verify Python Task Runner functionality post-patch
COMPENSATING CONTROLS (if patching delayed):
1. Implement network segmentation isolating task runner containers
2. Apply principle of least privilege to workflow permissions
3. Disable Python Code Node functionality if not essential
4. Implement container runtime security monitoring
5. Use read-only file systems for task runner containers where possible
DETECTION RULES:
1. Monitor for Python Code Node creation/modification by non-admin users
2. Alert on Python Code Node execution with suspicious imports (os, subprocess, socket)
3. Track container escape attempts (unusual system calls, privilege escalation)
4. Monitor outbound connections from task runner containers
5. Log all workflow modifications with user attribution
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع مثيلات n8n في بيئتك وقثق إصداراتها
2. عطل Python Task Runner إذا لم يكن حرجاً للعمليات
3. قيد صلاحيات إنشاء/تعديل سير العمل للمسؤولين الموثوقين فقط
4. راقب استخدام عقد Python Code في سير العمل الموجود
5. راجع سجلات التدقيق للتعديلات المريبة على سير العمل
إرشادات التصحيح:
1. قم بالترقية إلى الإصدارات المصححة: 1.123.32 أو 2.17.4 أو 2.18.1 فوراً
2. اختبر التصحيحات في بيئات غير الإنتاج أولاً
3. خطط نوافذ الصيانة لترقيات الإنتاج
4. تحقق من وظيفة Python Task Runner بعد التصحيح
الضوابط البديلة (إذا تأخر التصحيح):
1. طبق تقسيم الشبكة لعزل حاويات مشغل المهام
2. طبق مبدأ أقل امتياز لصلاحيات سير العمل
3. عطل وظيفة عقدة Python Code إذا لم تكن ضرورية
4. طبق مراقبة أمان وقت التشغيل للحاويات
5. استخدم أنظمة الملفات للقراءة فقط لحاويات مشغل المهام حيث أمكن
قواعد الكشف:
1. راقب إنشاء/تعديل عقدة Python Code من قبل المستخدمين غير الإداريين
2. نبه على تنفيذ عقدة Python Code مع استيراد مريب (os, subprocess, socket)
3. تتبع محاولات الهروب من الحاويات (استدعاءات نظام غير عادية، تصعيد الامتيازات)
4. راقب الاتصالات الصادرة من حاويات مشغل المهام
5. سجل جميع تعديلات سير العمل مع نسبة المستخدم
📋 خريطة الامتثال التنظيمي
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policies (workflow permission management)
ECC 2024 A.8.1.1 - User Endpoint Devices (task runner container security)
ECC 2024 A.8.2.1 - Privileged Access Rights (Python Code Node execution)
ECC 2024 A.12.4.1 - Event Logging (workflow modification audit trails)
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Asset Management (n8n instance inventory)
SAMA CSF PR.AC-1 - Access Control (workflow permissions)
SAMA CSF PR.AC-4 - Access Rights (least privilege for Python nodes)
SAMA CSF DE.CM-1 - Detection Processes (monitoring Python Code Node execution)
SAMA CSF RS.MI-2 - Incident Response (containment of compromised task runners)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.3 - Segregation of Duties (workflow approval workflows)
ISO 27001:2022 A.8.1.1 - User Registration and Access Rights Management
ISO 27001:2022 A.8.2.1 - Privileged Access Rights
ISO 27001:2022 A.8.3.1 - Password Management
ISO 27001:2022 A.12.4.1 - Event Logging
ISO 27001:2022 A.12.4.3 - Protection of Log Information
🟣 PCI DSS v4.0.1
PCI DSS 3.2.1 - Strong Cryptography (if n8n processes payment data)
PCI DSS 6.2 - Security Patches (timely patching requirement)
PCI DSS 7.1 - Least Privilege Access (workflow permissions)
PCI DSS 10.2 - User Access Logging (workflow modifications)
📦 المنتجات المتأثرة 3 منتج
n8n:n8n
n8n:n8n
n8n:n8n:2.18.0