CVE-2026-56777

MEDIUM

CVSS v3.1: 5.0

Network · No user interaction · Vendor advisory ref

Source data as of:

At a glance

Severity: MEDIUM
CVSS: 5.0 v3.1 · NVD
EPSS: EPSS not provided by FIRST.org for this CVE
CISA KEV: No
Attack conditions (CVSS vector): Network · No user interaction · Source: NVD Vector
Published: 2026-06-30 · Modified: 2026-06-30

CVSS / EPSS / KEV

CVSS v3.1: 5.0 / 10 · MEDIUM · Source: NVD
CVSS v4.0: 5.3 / 10 · MEDIUM · Source: NVD
EPSS: EPSS not provided by FIRST.org for this CVE · Source: FIRST.org
CISA KEV: No · Source: CISA

Source: CVSS: NVD · EPSS: FIRST.org · KEV: CISA.

Description

n8n before 2.25.7 and 2.26.x before 2.26.2 contains an abstract syntax tree (AST) security validator bypass in the Python Code node. An authenticated user with permission to create or modify workflows containing a Python Code node can bypass the validator and access the task executor module namespace. The issue only affects self-hosted instances where the Python Task Runner is enabled; where N8N_BLOCK_RUNNER_ENV_ACCESS is configured to allow it, this can disclose environment variables accessible to the task runner process.

Record details

CVE ID: CVE-2026-56777
CVSS (v3.1): 5.0 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Exploitability subscore: 3.1
Impact subscore: 1.4
CISA KEV: No
Weakness (CWE): CWE-184
Affected configurations (CPE): 0
Published: 2026-06-30
Modified: 2026-06-30
Status: Received

References

Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.