n8n sandbox escape: are your workflow controls built for RCE?

TL;DR: Two critical n8n sandbox escapes let any authenticated workflow editor execute commands, read environment variables, decrypt stored credentials, and potentially reach cloud accounts and shared services, including on n8n Cloud, according to Pillar Security researchers. The incident shows that workflow automation platforms executing user code need execution isolation, not just sanitization, because the control plane can become the blast radius.

NHIMG editorial — based on content published by Pillar Security: n8n sandbox escape and complete server takeover through critical vulnerabilities

By the numbers:

• CVSS 3.1 Score: 10.0 Critical, CVE-2026-25049

Questions worth separating out

Q: What breaks when a workflow platform can evaluate user code on the server?

A: The control boundary breaks because the platform is no longer only moving data between systems.

Q: Why do workflow automation platforms create NHI risk when they store secrets?

A: They create NHI risk because the same runtime that executes workflows often also decrypts or handles API keys, OAuth tokens, and cloud credentials.

Q: How do security teams know whether sandbox controls are actually working?

A: They know by testing for alternate expressions of the same action, not by checking whether one blocked syntax case still fails.

Practitioner guidance

• Map every server-side expression path Inventory where workflow, transformation, or rule engines execute user-controlled logic on the server.
• Separate secret custody from workflow execution Store API keys, OAuth tokens, and cloud credentials outside the runtime that evaluates workflows.
• Test for equivalent-expression bypasses Review sanitisation controls for alternate syntax forms, API calls, and object-manipulation methods that produce the same effect as blocked operations.

What's in the full article

Pillar Security's full research covers the operational detail this post intentionally leaves for the source:

• The exact AST inspection gaps that let template literals and call arguments bypass the sandbox.
• The full five-layer sandbox architecture and where each control failed.
• The patch timeline across the December 21 and December 24 bypasses, including the root-cause fix.
• The post-exploitation paths for self-hosted and cloud deployments, including credential decryption and internal service exposure.

👉 Read Pillar Security's full research on the n8n sandbox escape and credential takeover →

n8n sandbox escape: are your workflow controls built for RCE?

Explore further

View Full Forum →  |  NHI Foundation Course →