Cyber Posture

CVE-2026-27498

Severity: High · Type: RCE

Published: 25 February 2026
Modified: 04 March 2026
KEV Added: not listed
Patch: fixed in n8n 2.2.0 and 1.123.8
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0059 (69.5th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27498 is a high-severity Code Injection (CWE-94) vulnerability in n8n, the open source workflow automation platform (vendor n8n). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-7 (Least Functionality).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Unix Shell (T1059.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent (upgrade): directly mitigates the RCE vulnerability by requiring timely upgrades to the fixed n8n versions, 2.2.0 or 1.123.8.

Prevent, AC-6 Least Privilege: enforces least privilege by restricting workflow creation and modification permissions to fully trusted users, so an authenticated but untrusted account cannot build the vulnerable node chain.

Prevent, CM-7 Least Functionality: implements least functionality by disabling the Read/Write Files from Disk node via the NODES_EXCLUDE environment variable, removing the write step that the chain with git operations depends on.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

This RCE vulnerability in the n8n web platform allows an authenticated user holding workflow create or edit rights to execute arbitrary shell commands on the host by chaining workflow nodes (Read/Write Files from Disk with git operations). Where n8n is exposed to the Internet, that maps to T1190 (Exploit Public-Facing Application) for the entry and T1059.004 (Unix Shell) for the resulting command execution. Note that the CVSS vector's PR:L means the attacker needs a valid account with those permissions, not merely network reachability.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

n8n is an open source workflow automation platform. Prior to versions 2.2.0 and 1.123.8, an authenticated user with permission to create or modify workflows could chain the Read/Write Files from Disk node with git operations to achieve remote code execution. By writing to specific configuration files and then triggering a git operation, the attacker could execute arbitrary shell commands on the n8n host. The issue has been fixed in n8n versions 2.2.0 and 1.123.8. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Read/Write Files from Disk node by adding `n8n-nodes-base.readWriteFile` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Deeper analysis [AI-generated]

CVE-2026-27498 is a remote code execution vulnerability (CWE-94) affecting n8n, an open source workflow automation platform, in versions prior to 2.2.0 and 1.123.8. The flaw arises from the ability of authenticated users with permission to create or modify workflows to chain the Read/Write Files from Disk node with git operations. By writing to specific configuration files and triggering a git operation, attackers can execute arbitrary shell commands on the n8n host. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-25.

An authenticated attacker with workflow creation or modification permissions can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants full remote code execution on the underlying n8n host, potentially allowing complete compromise including data exfiltration, persistence, or lateral movement.

The issue is fixed in n8n versions 2.2.0 and 1.123.8; users should upgrade to these or later versions for remediation. As temporary mitigations, administrators can limit workflow creation and editing permissions to fully trusted users only and/or disable the Read/Write Files from Disk node by adding `n8n-nodes-base.readWriteFile` to the `NODES_EXCLUDE` environment variable. These workarounds reduce exposure but do not eliminate the risk, and are intended for short-term use only. Relevant details are available in the n8n security advisory (GHSA-x2mw-7j39-93xq) and the associated GitHub commits and release notes.
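As an added illustration (not code from the n8n project, the advisory, or this page), the following Node.js script does two things an administrator applying the workarounds above would want: it scans exported workflow JSON for the exploit shape the advisory describes (a Read/Write Files from Disk node in write mode whose output, directly or through later nodes, reaches a node that runs git), so existing workflows can be reviewed before the node is disabled, and it builds a well-formed `NODES_EXCLUDE` value, which n8n reads as a JSON array of node type names rather than a bare string. The node type `n8n-nodes-base.readWriteFile` comes from the advisory; the Git and Execute Command type names, the `operation`, `fileName` and `command` parameter names, and the sample workflow are assumptions made for this example.

```javascript
// Added example, not n8n project code. Audits exported n8n workflow JSON for the
// CVE-2026-27498 chain (write-to-disk node feeding a git-running node) and builds
// the NODES_EXCLUDE value. Type and parameter names other than the advisory's
// n8n-nodes-base.readWriteFile are assumptions about n8n's node identifiers.

const READ_WRITE_FILE = 'n8n-nodes-base.readWriteFile';   // named in the advisory
const GIT_NODE = 'n8n-nodes-base.git';                      // assumed Git node type
const EXEC_COMMAND = 'n8n-nodes-base.executeCommand';       // assumed Execute Command type

// A node "runs git" if it is the dedicated Git node, or an Execute Command node
// whose command string invokes git (as a word: start, after whitespace, ; & | or /).
function runsGit(node) {
  if (node.type === GIT_NODE) return true;
  if (node.type === EXEC_COMMAND) {
    const cmd = String((node.parameters && node.parameters.command) || '');
    return /(^|[\s;&|/])git(\s|$)/.test(cmd);
  }
  return false;
}

// The Read/Write Files from Disk node is only interesting in write mode (assumed
// parameter name "operation" with value "write").
function writesToDisk(node) {
  return Boolean(node.type === READ_WRITE_FILE &&
    node.parameters && node.parameters.operation === 'write');
}

// Breadth-first walk over main-output connections from a node name, returning every
// node reachable downstream so a git step several hops after the write still counts.
function downstream(workflow, startName) {
  const connections = workflow.connections || {};
  const seen = new Set();
  const queue = [startName];
  while (queue.length) {
    const name = queue.shift();
    const outputs = (connections[name] && connections[name].main) || [];
    for (const branch of outputs) {
      for (const edge of branch) {
        if (!seen.has(edge.node)) { seen.add(edge.node); queue.push(edge.node); }
      }
    }
  }
  return seen;
}

// Returns [{writer, gitNode, path}] for every write-to-disk node that feeds a git-running node.
function findRiskyChains(workflow) {
  const byName = new Map(workflow.nodes.map(n => [n.name, n]));
  const findings = [];
  for (const node of workflow.nodes) {
    if (!writesToDisk(node)) continue;
    for (const name of downstream(workflow, node.name)) {
      const target = byName.get(name);
      if (target && runsGit(target)) {
        findings.push({ writer: node.name, gitNode: target.name,
                        path: node.parameters.fileName || '(expression)' });
      }
    }
  }
  return findings;
}

// NODES_EXCLUDE must be a JSON array of type names. Merge the advisory's node into an
// existing value (or start fresh) and return the string to put in the environment;
// a bare, non-JSON existing value is rejected rather than silently kept.
function nodesExcludeWith(existing, nodeType) {
  let list = [];
  if (existing) {
    list = JSON.parse(existing);   // throws SyntaxError on a bare string value
    if (!Array.isArray(list)) throw new Error('NODES_EXCLUDE must be a JSON array');
  }
  if (!list.includes(nodeType)) list.push(nodeType);
  return JSON.stringify(list);
}

// Constructed sample export (not a real workflow): trigger -> write file -> Git node.
const SAMPLE_WORKFLOW = {
  name: 'suspicious',
  nodes: [
    { name: 'Trigger', type: 'n8n-nodes-base.manualTrigger', parameters: {} },
    { name: 'Write File', type: READ_WRITE_FILE,
      parameters: { operation: 'write', fileName: '/home/node/example.cfg' } },
    { name: 'Git', type: GIT_NODE, parameters: { operation: 'pull' } },
  ],
  connections: {
    'Trigger':    { main: [[{ node: 'Write File', type: 'main', index: 0 }]] },
    'Write File': { main: [[{ node: 'Git', type: 'main', index: 0 }]] },
  },
};

console.log(findRiskyChains(SAMPLE_WORKFLOW));
console.log('NODES_EXCLUDE=' + nodesExcludeWith('["n8n-nodes-base.executeCommand"]', READ_WRITE_FILE));
```

Feed it the JSON that n8n's workflow export produces; a finding means the workflow either needs review or will stop working once the node is excluded, both of which are worth knowing before the workaround is rolled out. Because the walk follows connections transitively, a write that reaches git through intermediate nodes is still reported, which a simple adjacency check would miss.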

Details

CWE(s): CWE-94 (Code Injection)

Affected Products

n8n (vendor n8n): versions before 1.123.8, and versions from 2.0.0 up to but not including 2.2.0

CVEs Like This One

CVE-2026-27577 (same product: n8n)
CVE-2026-27495 (same product: n8n)
CVE-2026-21877 (same product: n8n)
CVE-2026-27493 (same product: n8n)
CVE-2026-27497 (same product: n8n)
CVE-2026-25049 (same product: n8n)
CVE-2026-42232 (same product: n8n)
CVE-2025-68613 (same product: n8n)
CVE-2025-62726 (same product: n8n)
CVE-2026-33660 (same product: n8n)

References