CVE-2026-56777

n8n before 2.25.7 and 2.26.x before 2.26.2 contains an abstract syntax tree (AST) security validator bypass in the Python Code node. An authenticated user with permission to create or modify workflows containing a Python Code node can bypass the validator and access the task executor module namespace. The issue only affects self-hosted instances where the Python Task Runner is enabled; where N8N_BLOCK_RUNNER_ENV_ACCESS is configured to allow it, this can disclose environment variables accessible to the task runner process.
Configurations

No configuration.

History

30 Jun 2026, 23:17

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-30 23:17

Updated : 2026-06-30 23:17


NVD link : CVE-2026-56777

Mitre link : CVE-2026-56777

CVE.ORG link : CVE-2026-56777


JSON object : View

Products Affected

No product.

CWE
CWE-184

Incomplete List of Disallowed Inputs