# No login required, no clicks needed: n8n vulnerability allows hackers to take over the server in an instant

## Overview

The Pillar research team discovered an extremely critical vulnerability in n8n that allows:

*   Remote Code Execution (RCE)
    
*   No login required (unauthenticated)
    
*   No user interaction needed (zero-click)
    

Just accessing a public form can initiate an attack.  
If you use:

*   n8n Cloud → is safe
    
*   Self-host → needs immediate update with the patch
    

## Vulnerability CVE-2026-27493

**1\. Exploitation conditions**

*   A multi-step form
    
*   A step that re-displays user data (e.g., `Thank you, {{Name}}`)
    
*   The form is public on the internet
    

\=> This is a very common configuration (contact forms, sign-up forms…)

**2\. How the attack works (simplified)**

The system processes the form twice (double evaluation):

*   Step 1: The server takes user input (e.g., Name) and inserts it into HTML
    

```plaintext
Thank you, {{Name}}
```

*   Step 2: The server scans the HTML again to find {{ }} and executes it like code. If an attacker enters:
    

```plaintext
{{ malicious_code }}
```

\=> It will be executed in step 2, leading to RCE.

**3\. Real-world attack scenario**

1.  Attacker opens the public form /form/contact-us
    
2.  Enters payload into the Name field
    
3.  Submits form
    
4.  Server:
    

*   Injects payload into HTML
    
*   Execute payload
    

Result:

```plaintext
uid=1000(node) gid=1000(node)
```

➡️ The server has been compromised.

## Vulnerability CVE-2026-27577

This is a sandbox escape in the expression processing engine.

**1\. Cause**

*   AST filter missed SpreadElement
    
*   Allows access to dangerous variables like process
    

**2\. Sample Payload:**

```javascript
={{ ((g) => g.getBuiltinModule('child_process').execSync('id').toString())({...process}) }}
```

Result:

*   Access Node.js runtime
    
*   Run system command
    

![](https://cdn.hashnode.com/uploads/covers/676511773cdd3c06f7b226ee/6aa8ef22-a6fd-43a5-94f1-9c4de958c31b.png align="center")

**3\. The core danger point**

n8n stores all credentials:

*   AWS keys
    
*   Database passwords
    
*   OAuth tokens
    
*   API keys
    

👉 Just need RCE → gain access to the entire system

Form public = perfect entry point

*   No login required
    
*   No permissions needed
    
*   No interaction with other users necessary
    

Affected to cloud multi-tenant

*   It can affect other tenants
    
*   Risk of spreading throughout the entire system
    

## In-depth analysis (security perspective)

**1\. Nature of the vulnerability: Expression Injection**

This is similar:

*   SQL Injection
    
*   SSTI (Server-Side Template Injection)
    

However, it's more dangerous because:

*   Go straight to RCE
    
*   No need to bypass many steps
    

**2\. Double Evaluation = design flaw**

The mistake lies in:

```plaintext
User input → render → Re-parse as code
```

👉 This is an extremely dangerous anti-pattern in secure coding.

**3\. Sandbox is not an absolute layer of protection**

The sandbox is bypassed at the compile stage, not at runtime.

\=> If dangerous data gets through the compile stage, runtime can't save it.

**4\. Why doesn't TypeScript detect it?**

*   AST missing case SpreadElement
    
*   Type system thinks it's fully covered
    

**5\. Complete exploit chain**

Public Form -> Expression Injection (CVE-2026-27493) -> Sandbox Escape (CVE-2026-27577) -> RCE -> Dump credentials -> Lateral movement / Cloud compromise

**6\. Severity level**

| Criteria | Evaluate |
| --- | --- |
| Attack vector | Internet |
| Auth | No need |
| User interaction | No |
| Impact | All systems |
| CVSS | ~9.5 (Critical) |

## Conclusion

This is one of the most dangerous vulnerabilities because:

*   No auth needed No click needed
    
*   Exploitation is extremely easy (just need a browser)
    
*   Affects the entire downstream system
    
*   If n8n is deployed and not patched, consider it compromised
    

## Recommendation

FPT Threat Intelligence provides the following recommendations for N8N users:

*   Update immediately
    
*   Check all forms: Do they display input again?
    
*   If exploitation is suspected: Rotate all credentials
    
*   Check variable: N8N\_ENCRYPTION\_KEY
    
*   Apply patches immediately
    

## References

*   [Zero Click Unauthenticated RCE in n8n: A Contact Form That Executes Shell Commands](https://www.pillar.security/blog/zero-click-unauthenticated-rce-in-n8n-a-contact-form-that-executes-shell-commands)
    
*   [Critical N8n Vulnerabilities Allowed Server Takeover - SecurityWeek](https://www.securityweek.com/critical-n8n-vulnerabilities-allowed-server-takeover/)
