Incomplete List of Disallowed Inputs Affecting n8n package, versions <2.25.7>=2.26.0 <2.26.2


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.25% (16th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-N8N-17889838
  • published8 Jul 2026
  • disclosed30 Jun 2026
  • creditHussein Aldulaimi

Introduced: 30 Jun 2026

NewCVE-2026-56777  (opens in a new tab)
CWE-184  (opens in a new tab)

How to fix?

Upgrade n8n to version 2.25.7, 2.26.2 or higher.

Overview

n8n is a n8n Workflow Automation Tool

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs for the Python Code node when the Python Task Runner is enabled. A user with permission to create or modify workflows can evade the validator and reach the task executor module namespace by authoring Python in that node, and on instances configured with N8N_BLOCK_RUNNER_ENV_ACCESS=false can read environment variables available to the task runner process. Exploitation is limited to self-hosted instances with the Python Task Runner enabled, and the environment variable disclosure applies only when N8N_BLOCK_RUNNER_ENV_ACCESS=false.

Workaround

This vulnerability can be avoided by disabling the Python Code node through the NODES_EXCLUDE environment variable, or by disabling the Python Task Runner entirely.

CVSS Base Scores

version 4.0
version 3.1