Improper access control in n8n - #VU137161
Published: July 8, 2026
n8n
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper access control in the legacy expression evaluator computed-member sanitizer when evaluating crafted expressions. A remote user can create or modify a workflow containing a crafted expression to execute arbitrary code.
The legacy expression engine is the default engine in affected versions.