
Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python cod…

Published:

17 January 2026 at 23:00:00

Alert date:

18 January 2026 at 17:01:38

Source:

nvd.nist.gov

Enterprise Applications, Web Technologies

CVE-2026-0863 is a critical vulnerability in n8n's python-task-executor that allows authenticated users to bypass sandbox restrictions using string formatting and exception handling techniques. The vulnerability enables arbitrary Python code execution on the underlying operating system through the Code block feature. In Internal execution mode, this leads to complete n8n instance takeover. External execution mode (like Docker) limits impact to sidecar containers. The vulnerability affects the python task execution sandbox and can be exploited by users with basic permissions.

Affected products:

n8n

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
