CVE-2026-1470 — AI Deep Analysis Summary

🚨 **Essence**: n8n workflow expression isolation is weak. 📉 **Consequences**: Remote Code Execution (RCE). Attackers can hijack the system completely.

🛡️ **Root Cause**: CWE-95 (Improper Neutralization of Special Elements). The expression evaluation sandbox is bypassed. 🐛 **Flaw**: Inadequate isolation between user input and code execution.

👥 **Affected**: All versions of **n8n** (the open-source workflow automation tool) prior to the fix. 📦 **Component**: The expression node/evaluation engine.

💀 **Capabilities**: Hackers gain **Full System Control**. 📂 **Data**: They can read/write any data the n8n service can access. 🔓 **Privileges**: Equivalent to the n8n process user (often root/admin).

⚠️ **Threshold**: **Low**. CVSS: AV:N (Network), AC:L (Low Complexity), UI:N (No User Interaction). 🔑 **Auth**: Requires **Low Privileges** (PR:L) to trigger. Not zero-click, but easy to exploit if you have access.

🔍 **Public Exp**: No specific PoC code in the CVE data. 📢 **Advisory**: JFASC Research published a detailed advisory. 🌐 **Status**: High risk of wild exploitation due to low complexity.

🔎 **Self-Check**: Scan for n8n instances. 🧪 **Test**: Try injecting malicious expressions in workflow nodes. 📋 **Verify**: Check if the expression engine executes arbitrary JS/commands.

✅ **Fixed**: Yes. 🛠️ **Patch**: Commit `aa4d1e5825829182afa0ad5b81f602638f55fa04` on GitHub. 🔄 **Action**: Update n8n to the patched version immediately.

🚧 **Workaround**: If unpatched, **disable** the expression node or restrict workflow editing to trusted admins only. 🚫 **Isolate**: Run n8n in a restricted container with minimal permissions.

🔥 **Urgency**: **CRITICAL**. CVSS Score is High (H/H/H). 🚀 **Priority**: Patch immediately. RCE via low-priv access is a top-tier threat for automation tools.