CVE-2026-0863
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/01/2026
Last modified: 26/01/2026
Description
Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code on the underlying operating system.

The vulnerability can be exploited via the Code node by an authenticated user with basic permissions and can lead to a full n8n instance takeover on instances operating under the "Internal" execution mode.

If the instance is operating under the "External" execution mode (e.g. n8n's official Docker image), arbitrary code execution occurs inside a sidecar container rather than the main node, which significantly reduces the impact of the vulnerability.
Impact
Base Score 3.x: 8.50
Severity 3.x: HIGH
References to Advisories, Solutions, and Tools
- https://github.com/n8n-io/n8n/commit/b73a4283cb14e0f27ce19692326f362c7bf3da02
- https://research.jfrog.com/vulnerabilities/n8n-python-runner-sandbox-escape-jfsa-2026-001651077/
- https://www.smartkeyss.com/post/cve-2026-0863-python-sandbox-escape-in-n8n-via-exception-formatting-and-implicit-code-execution