n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process. This issue has been patched in version 2.0.0. Workarounds for this issue involve disabling the Code Node by setting the environment variable NODES_EXCLUDE: "[\"n8n-nodes-base.code\"]", disabling Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false, which was introduced in n8n version 1.104.0, and configuring n8n to use the task runner based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables.
The Code Node in n8n allows running Python code in a Pyodide environment, which is intended to act as an isolated sandbox. The vulnerability consists of the ability to bypass this isolation (CWE-693: Protection Mechanism Failure), allowing an attacker to escape the sandbox boundaries. An authenticated user with permissions to create or modify workflows can craft malicious Python code that executes with the privileges of the n8n process directly on the host operating system.
An attacker can execute arbitrary system commands on the server hosting n8n with the privileges of the n8n process, which may lead to complete host takeover, data theft, malware installation, or lateral movement in the network.
n8n should be updated to version 2.0.0 or newer. As a workaround (for version 1.x): (1) disable the Code Node by setting the environment variable NODES_EXCLUDE: "[\"n8n-nodes-base.code\"]"; (2) disable Python support in Code Node by setting N8N_PYTHON_ENABLED=false (available from version 1.104.0); (3) configure n8n to use a Python sandbox based on task runner through environment variables N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER.
n8n in versions from 1.0.0 to < 2.0.0 (open source workflow automation platform) with the Code Node enabled supporting Python (Pyodide)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:LN8n
APPN8N1.0.0 – 2.0.0 (bez)
Related vulnerabilities
RCE w systemie ewaluacji wyrażeń n8n — krytyczna podatność
RCE w n8n poprzez ominięcie łatki CVE-2026-42232 w węźle XML
n8n: prototype pollution w HTTP Request node prowadzący do RCE
Wstrzyknięcie flag CLI w węźle Git platformy n8n — odczyt dowolnych plików
Prototype Pollution w n8n prowadzące do RCE przez webhook handler