Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
Warning: Multiple Critical Vulnerabilities in n8n, Patch Immediately!
Image
Published : 27/02/2026
- Last update: 27/02/2026
- Affected software:
→ n8n < versions 2.10.1, 2.9.3 and 1.123.22- Type:
→ CWE-94 Improper Control of Generation of Code ('Code Injection')
→ CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')- CVE/CVSS
→ CVE-2026-27495: CVSS 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
→ CVE-2026-27577: CVSS 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
→ CVE-2026-27497: CVSS 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
Sources
https://github.com/n8n-io/n8n/security/advisories/GHSA-wxx7-mcgf-j869
https://github.com/n8n-io/n8n/security/advisories/GHSA-vpcf-gvg4-6qwr
https://github.com/n8n-io/n8n/security/advisories/GHSA-jjpj-p2wh-qf23
Risks
A publicly hosted instance vulnerable to one of the following vulnerabilities can get fully compromised and used by attackers to perform unauthorized actions. Attackers will target these systems because they are used to control other interconnected systems. N8n is mostly used to automate system workflows together with native AI capabilities, which makes it essential to secure since it centralizes a lot of tasks. These vulnerabilities have a high impact on the confidentiality, integrity and availability of the system.
Description
CVE-2026-27495 is a vulnerability where an authenticated user with permission to create or modify workflows could exploit a vulnerability in the JavaScript Task Runner sandbox to execute arbitrary code outside of the sandbox boundary. Instances using the internal Task Runner, which is the default runner mode can get fully compromised. Attackers might gain access to or impact other tasks executed on instances where the external Task Runners is used.
CVE-2026-27577 is a vulnerability where an authenticated user with the permission to create or modify workflows could abuse crafted expressions in the workflow parameters to trigger unintended system command execution on the host.
CVE-2026-27497 is a vulnerability where an authenticated user with permission to create or modify workflows could leverage the Merge node's SQL query mode to execute arbitrary code and write arbitrary files on the host.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
References
https://nvd.nist.gov/vuln/detail/CVE-2026-27495
https://nvd.nist.gov/vuln/detail/CVE-2026-27577
https://nvd.nist.gov/vuln/detail/CVE-2026-27497