CVE-2026-42234
HIGH WAF: Medium
CVSS 8.8
Published: 2026-05-04
CWE-94
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This issue only affects instances where the Python Task Runner is enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.
WAF Coverage Analysis
Code Injection
Medium WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution 933xxx - PHP Injection 934xxx - Node.js / Generic Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| n8n | n8n | up to 1.123.32 |
| n8n | n8n | 2.17.0 - 2.17.4 |
| n8n | n8n | 2.18.0 |
References
- github.com (Vendor Advisory)