A severe security vulnerability has been disclosed in the n8n workflow automation platform that could allow attackers to execute arbitrary system commands on affected servers. The flaw, tracked as CVE-2026-25049 (CVSS score: 9.4), bypasses prior safeguards introduced to fix CVE-2025-68613, which was patched in December 2025.
According to n8n maintainers, an authenticated user with workflow creation or modification privileges can exploit crafted expressions in workflow parameters to trigger system command execution on the host machine.
Affected Versions
- 1.x releases before 1.123.17 (fixed in 1.123.17)
- 2.x releases before 2.5.2 (fixed in 2.5.2)
The vulnerability was reported and investigated by multiple security researchers, including Fatih Çelik, Cris Staicu (Endor Labs), Eilon Cohen (Pillar Security), and Sandeep Kamble (SecureLayer7). Çelik noted that CVE-2026-25049 is essentially a bypass of the previous CVE-2025-68613 patch, allowing attackers to escape the n8n expression sandbox.
How the Exploit Works
SecureLayer7 explained that an attacker who can create or edit workflows can add a Webhook trigger that requires no authentication to call. A single line of JavaScript using destructuring syntax in a workflow expression is enough to turn that workflow into a system-level command runner. Once the workflow is deployed, anyone on the internet who can reach the webhook URL can trigger it and execute commands on the host remotely.

Successful exploitation can enable attackers to:
- Compromise the server and steal credentials
- Exfiltrate sensitive data
- Install persistent backdoors
- Hijack connected AI workflows

Pillar Security highlighted that attackers could gain access to API keys, cloud credentials, database passwords, OAuth tokens, internal systems, and even pivot to connected cloud accounts.
Endor Labs traced the root cause to a mismatch between TypeScript's compile-time type checks and JavaScript's runtime behaviour. TypeScript types are erased when the code is compiled, so a parameter declared as a string carries no guarantee at runtime: a malicious value such as an object, array, or symbol that arrives through an untyped path is handed to sanitization code that assumes a genuine string, and the sanitizer can be bypassed to reach arbitrary command execution.
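The following is an added example, not n8n's code and not the researchers' proof of concept, that shows the general pattern Endor Labs describes: a shell-quoting sanitizer whose body trusts its compile-time `string` signature, a hostile non-string runtime value that satisfies the duck type the sanitizer relies on, and the runtime type check that closes the gap. The quoting routine, the `buildCommand` helper and the `hostile` object are constructed for illustration; the example only builds command strings and never executes them.

```typescript
// Added example (not n8n's code): compile-time types versus runtime values.

// Naive sanitizer: the signature promises a string, so the body calls
// String.prototype.replace without checking what actually arrived.
function escapeNaive(arg: string): string {
  // POSIX single-quote wrapping: an embedded ' becomes '\'' inside the quotes
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// Hardened sanitizer: validate the runtime type before touching the value.
// Objects, arrays, symbols, numbers and null/undefined are all rejected.
function escapeStrict(arg: unknown): string {
  if (typeof arg !== "string") {
    throw new TypeError(`expected string, got ${typeof arg}`);
  }
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// Builds (but never runs) a command line from an untrusted parameter.
// In a real code base the parameter would typically be typed `string`
// while the value came from an expression evaluator returning `any`.
function buildCommand(escape: (a: any) => string, fileName: unknown): string {
  return `cat ${escape(fileName)}`;
}

// Constructed hostile value: not a string, but it carries its own `replace`
// method, which ignores the escaping regex and returns the raw payload.
const hostile: unknown = {
  replace: (_pattern: RegExp, _replacement: string) => "'; id; echo '",
};

// Reports whether a call fails with a TypeError (used to show rejection).
function throwsTypeError(fn: () => unknown): boolean {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Demo: a benign string is quoted correctly by both sanitizers,
// while the hostile object slips through the naive one unchanged.
console.log(buildCommand(escapeNaive, "it's"));                          // cat 'it'\''s'
console.log(buildCommand(escapeNaive, hostile));                         // cat ''; id; echo ''
console.log(throwsTypeError(() => buildCommand(escapeStrict, hostile))); // true
console.log(throwsTypeError(() => escapeStrict(["ls"])));                // true
console.log(throwsTypeError(() => escapeStrict(Symbol("s"))));           // true
```

The naive version compiles cleanly because the type checker only sees the declared `string`; the bypass exists entirely at runtime. The `typeof` guard in `escapeStrict` is the multi-layered validation Endor Labs recommends: the compile-time type documents intent, and the runtime check enforces it on whatever value actually arrives.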
Recommended Mitigations
If immediate patching is not possible, n8n users are advised to:
- Restrict workflow creation and editing to fully trusted users
- Deploy n8n in hardened environments with restricted OS privileges and network access
Endor Labs emphasized that multi-layered input validation is critical, as even strong compile-time checks can fail against runtime malicious inputs.
Related Vulnerabilities
n8n also released patches for four other security flaws, including two critical issues:
- CVE-2026-25053 (CVSS 9.4) – OS command injection in the Git node (patched in 2.5.0 / 1.123.10)
- CVE-2026-25054 (CVSS 8.5) – Stored XSS in markdown rendering (patched in 2.2.1 / 1.123.9)
- CVE-2026-25055 (CVSS 7.1) – Path traversal via SSH node uploads (patched in 2.4.0 / 1.123.12)
- CVE-2026-25056 (CVSS 9.4) – Arbitrary file write in Merge node SQL Query mode (patched in 2.4.0 / 1.118.0)
Due to the severity and potential impact of these vulnerabilities, users are strongly advised to update to the latest n8n versions immediately.
(The story was updated after publication to include additional insights published by security researcher Fatih Çelik.)