¡¾·ì϶¹«¸æ¡¿n8n Python ¹¤×÷Ö´ÐÐÆ÷ɳÏäÌÓÒݵ¼ÖÂËÁÒâ´úÂëÖ´Ðзì϶(CVE-2026-0863)

°ä²¼¹¦·ò 2026-01-19

Ò»¡¢·ì϶¸ÅÊö


·ìϼûû³Æ

n8n Python ¹¤×÷Ö´ÐÐÆ÷ɳÏäÌÓÒݵ¼ÖÂËÁÒâ´úÂëÖ´Ðзì϶

CVE   ID

CVE-2026-0863

·ì϶ÀàÐÍ

RCE

·¢ÏÖ¹¦·ò

2026-1-19

·ì϶ÆÀ·Ö

8.5

·ì϶µÈ¼¶

¸ßΣ

¹¥»÷ÏòÁ¿

ÍøÂç

ËùÐèȨÏÞ

µÍ

ÀûÓÃÄѶÈ

¸ß

Óû§½»»¥

²»±ØÒª

PoC/EXP

Òѹ«¿ª

ÔÚÒ°ÀûÓÃ

δ·¢ÏÖ


n8nÊÇÒ»¸ö¿ªÔ´µÄ¹¤×÷Á÷×Ô¶¯»¯¹¤¾ß £¬Ö¼ÔÚÔ®ÊÖÓû§Í¨¹ýͼÐλ¯½çÃæÉè¼ÆºÍ×Ô¶¯»¯¸÷À๤×÷¡£ËüÖ§³Ö¶àÖÖ¼¯³É·½Ê½ £¬Äܹ»Óë¶à¶àµÚÈý·½·þÎñºÍÀûÓýøÐÐÏνÓ £¬ÀýÈçÊý¾Ý¿â¡¢API¡¢ÔÆ·þÎñµÈ¡£n8nÌṩ·á˶µÄ½ÚµãºÍ´¥·¢Æ÷ £¬Óû§Äܹ»Í¨¹ýÅäÖù¤×÷Á÷À´ÊµÏÖÊý¾Ý´¦Öᢹ¤×÷µ÷¶È¡¢ÏµÍ³¼¯³ÉµÈÖ°ÄÜ¡£Æä¿ÉÀ©´óÐÔÇ¿ £¬Ö§³Ö×Ô½ç˵½Úµã £¬ºÏÓÃÓÚ¿ª·¢ÕßºÍÆóÒµÓû§ £¬Ô®ÊÖÌá¸ß¹¤×÷ЧÄܺÍ×Ô¶¯»¯Ë®Æ½¡£


2026Äê1ÔÂ19ÈÕ £¬mansion88Ã÷Éý¼¯ÍÅVSRC¼à²âµ½n8nÖÐPython¹¤×÷Ö´ÐÐÆ÷£¨Python Runner£©´æÔÚµÄÒ»´¦É³ÏäÌÓÒÝ·ì϶¡£ÊÜÓ°Ïì°æ±¾ÖÐ £¬¹¥»÷Õß¿ÉÀûÓÃ×Ö·û´®Ìåʽ»¯ÓëÒì³£´¦ÖûúÔì £¬Èƹýn8n¶ÔPython´úÂë¿é£¨Python Native Code£©ËùÖ´ÐеÄɳÏäÏÞ¶È £¬½ø¶øÖ´Ðв»ÊÜÏ޶ȵÄËÁÒâPython´úÂë¡£¸Ã·ì϶¿É±»¾ß±¸»ù´¡È¨ÏÞµÄÒÑÈÏÖ¤Óû§´¥·¢ £¬Í¨¹ýCode½ÚµãÔÚ¡°Internal¡±Ö´ÐÐģʽÏÂÖ±½ÓÔÚËÞÖ÷ϵͳÉÏʵÏÖËÁÒâ´úÂëÖ´ÐÐ £¬×îÖÕ¿ÉÄܵ¼ÖÂn8nÊ·ý±»ÆëÈ«ÊÕÊÜ¡£ÈôÊ·ýÔËÐÐÓÚ¡°External¡±Ö´ÐÐģʽ£¨Èç¹Ù·½Docker²¿Ê𣩠£¬¶ñÒâ´úÂë½öÔÚSidecarÈÝÆ÷ÄÚÖ´ÐÐ £¬·çÏÕÏà¶Ô½µµÍ £¬µ«ÈÔ×é³ÉÑϳÁ°²È«Òþ»¼¡£


¶þ¡¢Ó°ÏìÁìÓò


n8n < 1.123.14
2.0.0 <= n8n < 2.3.5
2.4.0 <= n8n < 2.4.2


Èý¡¢°²È«´ëÊ©


3.1 Éý¼¶°æ±¾


¹Ù·½ÒѰ䲼½¨¸´²¹¶¡ £¬ÒÔ½¨¸´¸Ã·ì϶¡£
n8n >= 1.123.14
n8n >= 2.3.5
n8n >= 2.4.2


ÏÂÔØÁ´½Ó£ºhttps://github.com/n8n-io/n8n/releases/


3.2 һʱ´ëÊ©


ÔÝÎÞ¡£


3.3 ͨÓý¨Òé


? ¶¨ÆÚ¸üÐÂϵͳ²¹¶¡ £¬Ï÷¼õϵͳ·ì϶ £¬ÌáÉý·þÎñÆ÷µÄ°²È«ÐÔ¡£
¼ÓǿϵͳºÍÍøÂçµÄ½Ó¼û½ÚÔì £¬Åú¸Ä·À»ðǽսÊõ £¬¹Ø¹Ø·Ç±ØÒªµÄÀûÓö˿ڻò·þÎñ £¬Ï÷¼õ½«Î£ÏÕ·þÎñ£¨ÈçSSH¡¢RDPµÈ£©Â¶³öµ½¹«Íø £¬Ï÷¼õ¹¥»÷Ãæ¡£
ʹÓÃÆóÒµ¼¶°²È«²úÆ· £¬ÌáÉýÆóÒµµÄÍøÂ簲ȫ»úÄÜ¡£
¼ÓǿϵͳÓû§ºÍȨÏÞÖÎÀí £¬ÆôÓöà³É·ÖÈÏÖ¤»úÔìºÍ×îÓ×ȨÏÞ×¼Ôò £¬Óû§ºÍÈí¼þȨÏÞӦά³ÖÔÚ×îµÍÏÞ¶È¡£
ÆôÓÃÇ¿ÃÜÂëÕ½Êõ²¢ÉèÖÃΪ¶¨ÆÚÅú¸Ä¡£


3.4 ²Î¿¼Á´½Ó


https://research.jfrog.com/vulnerabilities/n8n-python-runner-sandbox-escape-jfsa-2026-001651077/