Arbitrary Code Execution Affecting n8n package, versions <1.123.48>=2.0.0-rc.0 <2.21.8>=2.22.0 <2.22.4


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Social Trends
EPSS
0.36% (28th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Code Execution vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-N8N-17890661
  • published8 Jul 2026
  • disclosed16 Jun 2026
  • creditVipin Chaudhary

Introduced: 16 Jun 2026

NewCVE-2026-49444  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade n8n to version 1.123.48, 2.21.8, 2.22.4 or higher.

Overview

n8n is a n8n Workflow Automation Tool

Affected versions of this package are vulnerable to Arbitrary Code Execution in the Python Code node, exploitable when the Python Task Runner is enabled. A user with permission to create or modify workflows can execute arbitrary code on the task runner container by escaping the sandbox from within a Python Code node. Exploitation requires an authenticated user with workflow edit permission and a self-hosted instance running the Python Task Runner.

CVSS Base Scores

version 4.0
version 3.1