Critical Zero-Click n8n Flaws Allow Full Server Takeover
⚠️ Researchers at Pillar Security disclosed two critical vulnerabilities in both self-hosted and cloud n8n deployments that can yield complete server compromise without any user interaction. The most severe, CVE-2026-27493, is an unauthenticated zero-click flaw in Form nodes that enables expression injection through public form endpoints; CVE-2026-27577 is a sandbox escape in the expression compiler enabling remote code execution. n8n issued patches and automated cloud mitigations; self-hosted users should upgrade to the recommended versions and rotate all stored credentials if a vulnerable workflow was exposed.
