CVE-2026-56777

5.0 MEDIUM CVSS 3.1
Description
n8n before 2.25.7 and 2.26.x before 2.26.2 contains an abstract syntax tree (AST) security validator bypass in the Python Code node. An authenticated user with permission to create or modify workflows containing a Python Code node can bypass the validator and access the task executor module namespace. The issue only affects self-hosted instances where the Python Task Runner is enabled; where N8N_BLOCK_RUNNER_ENV_ACCESS is configured to allow it, this can disclose environment variables accessible to the task runner process.

Metadata

CVE ID
CVE-2026-56777
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-06-23 01:22 UTC
Published
2026-06-30 22:08 UTC
Last updated
2026-07-01 13:49 UTC
Primary CWE
CWE-184
Incomplete List of Disallowed Inputs
Vendor / Product
n8n / n8n
Sources
cve.org  ·  NVD

Severity & Metrics

5.0 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (2)
Vendor | Product | Platform | Versions
n8n | n8n | | 0 < 2.26.2, 2.26.2
n8n | n8n | | 0 < 2.25.7, 2.25.7
Weakness (CWE)
CWE | Source | Description
CWE-184 | cna | Incomplete List of Disallowed Inputs
CVSS scores (2)
Score | Severity | Version | Source | Vector
5.3 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
5.0 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
References (2)