
CVE-2026-1470

Critical · Public PoC · RCE

Published: 27 January 2026
Modified: 20 February 2026
KEV Added: not listed
Patch: available (see references)
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.1874 (96.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-1470 is a critical-severity Eval Injection (CWE-95) vulnerability in n8n (vendor n8n). Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.1% of CVEs by exploit likelihood (EPSS 0.1874), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations this analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-10 (Information Input Validation), alongside SI-2 (Flaw Remediation) through the vendor patch.

Deeper analysis

CVE-2026-1470 is a critical Remote Code Execution (RCE) vulnerability in n8n, an open-source workflow automation tool. The issue resides in the workflow Expression evaluation system, where expressions supplied by authenticated users during workflow configuration are evaluated in an execution context that lacks sufficient isolation from the underlying runtime. The flaw is classified as CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, "Eval Injection"), carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), and was published on 2026-01-27.

An authenticated attacker with low privileges (PR:L), in practice any account able to configure a workflow, can exploit the flaw remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Because the evaluated expression runs inside the n8n process rather than in an isolated sandbox, the impact crosses the scope boundary (S:C): arbitrary code executes with the privileges of the n8n process, which can mean complete compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations.

The vulnerability is addressed via a patch in the n8n GitHub commit at https://github.com/n8n-io/n8n/commit/aa4d1e5825829182afa0ad5b81f602638f55fa04. Further technical details on the vulnerability and exploitation are provided in JFrog's research advisory at https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce/.


Vulnerability details

n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow Expression evaluation system. Expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations.

CWE(s)

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ("Eval Injection")

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-1470 is a remote code execution vulnerability in n8n, a workflow automation tool commonly deployed as an internet-reachable web application, so exploitation falls under T1190. The flaw still requires valid low-privilege credentials (PR:L): an attacker without an account must first obtain one before the expression evaluation path becomes reachable.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25055 (same product: n8n)
CVE-2025-62726 (same product: n8n)
CVE-2026-21877 (same product: n8n)
CVE-2026-27493 (same product: n8n)
CVE-2025-68613 (same product: n8n)
CVE-2026-42232 (same product: n8n)
CVE-2026-33665 (same product: n8n)
CVE-2026-25056 (same product: n8n)
CVE-2026-0863 (same product: n8n)
CVE-2026-27577 (same product: n8n)

Affected Assets

n8n (vendor n8n): 2.5.0 · ≤ 1.123.17 · 2.0.0 to 2.4.5

Mitigating Controls (NIST 800-53 r5, AI mapping)

SI-2 Flaw Remediation (prevent)
Timely flaw remediation through vendor patching directly addresses the RCE vulnerability in the expression evaluation system that lacks isolation.

SI-10 Information Input Validation (prevent)
Information input validation neutralizes directives in user-supplied expressions, preventing arbitrary code execution per CWE-95.

SC-39 Process Isolation (prevent)
Process isolation separates the execution context of workflow expressions from the underlying runtime, mitigating the insufficient isolation at the root of the flaw.
