What is happening with n8n and why it matters

A critical vulnerability has been identified in n8n, one of the most widely used workflow automation platforms among tech teams, developers, and artificial intelligence enthusiasts worldwide. The flaw, cataloged as CVE-2026-25049, received a CVSS score of 9.4 — placing it at the highest severity tier — and allows an authenticated user to execute arbitrary commands directly on the operating system of the server hosting the platform. In practical terms, we are talking about a breach that can give an attacker full control of the machine, compromising not only the automated workflows but also all data and integrations connected to that instance.

What makes this situation even more concerning is that CVE-2026-25049 did not come out of nowhere. It is actually a bypass of the fix that was implemented for a previous vulnerability, CVE-2025-68613, which had already been addressed in December 2025 and carried an even higher CVSS of 9.9. This means the first attempt to resolve the problem was not enough. Security researchers managed to find ways around the added protections, once again exposing servers running n8n to serious risks of remote code execution.

If you use n8n to automate processes, integrate tools, connect APIs, or orchestrate artificial intelligence workflows, this is the kind of alert that deserves immediate attention 🚨. This is not a theoretical or hard-to-exploit flaw — the attack vector only requires the intruder to have valid credentials on the platform, something that can be obtained through phishing, leaked credentials, or even a malicious insider.

Ten researchers, one flaw, and a sandbox that did not hold

One of the most telling aspects of this story is the number of security professionals who independently reached the same conclusion. No fewer than 10 researchers were credited with discovering CVE-2026-25049, including Fatih Celik, who had already been responsible for reporting the original flaw CVE-2025-68613. In addition to him, names like Cris Staicu from Endor Labs, Eilon Cohen from Pillar Security, and Sandeep Kamble from SecureLayer7 contributed to identifying the issue. When that many people find the same breach, it typically signals that the attack surface was broad and relatively accessible for anyone who knew where to look.

In a detailed technical analysis published by Celik, the researcher explained that the two vulnerabilities can essentially be considered the same flaw, since the second is merely a bypass of the initial fix. The expression sandbox mechanism in n8n — which was supposed to isolate code executed within workflows — had gaps that allowed an attacker to escape that controlled environment and reach the underlying operating system.

SecureLayer7 detailed the attack scenario in a very clear way: an attacker creates a workflow with a publicly accessible webhook, with no authentication enabled. All it took was adding a single line of JavaScript using destructuring syntax for the workflow to start executing commands at the system level. Once exposed, anyone on the internet could trigger that webhook and run commands remotely on the server. Just like that — and frighteningly efficient.

How remote code execution works in this vulnerability

To understand the real impact of CVE-2026-25049, it is important to understand what remote code execution, or RCE, actually means. When a platform has this type of flaw, an attacker can send instructions that are interpreted and executed by the server as if they were legitimate operating system commands. In the case of n8n, the vulnerability lies in how the platform evaluates expressions within workflow parameters. An authenticated user with permission to create or modify workflows can manipulate crafted expressions in those parameters to trigger unintended command execution on the host running n8n.

The technical explanation offered by Cris Staicu from Endor Labs reveals a fascinating nuance. The issue stems from a mismatch between the TypeScript type system at compile time and the actual behavior of JavaScript at runtime. While TypeScript enforces that a given property should be a string during compilation, that guarantee is limited to the values present in the code at that moment. TypeScript simply cannot enforce those type checks on values produced by attackers at runtime. When attackers craft malicious expressions at runtime, they can pass values that are not strings — such as objects, arrays, or symbols — that completely bypass the sanitization check.
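The mismatch Staicu describes is easiest to see in code. The following is an added illustration, not n8n's own code: a weak acceptor that runs its check on a coerced copy of the value while passing the original (possibly non-string) value through, next to a hardened acceptor that first verifies at runtime that the value really is a primitive string. The function names, the length rule and the sample JSON inputs are constructed for this example.

```javascript
// Added example, not n8n's code. A workflow parameter may be typed `string`
// in TypeScript, but at runtime it is whatever JSON.parse produced, so the
// sanitizer itself has to verify the type before applying string logic.

function describe(value) {
  if (value === null) return "null";
  if (Array.isArray(value)) return "array";
  return typeof value;
}

// Weak pattern: the check is applied to String(value), but the untouched
// original value is what gets returned and used downstream. An object, array
// or symbol sails through because only its string rendering was inspected.
function weakAcceptParam(value) {
  const asString = String(value);
  if (asString.length > 64) throw new Error("parameter too long");
  return value;
}

// Hardened pattern: refuse anything that is not a primitive string, then run
// the string checks on exactly the value that is returned.
function strictAcceptParam(value) {
  if (typeof value !== "string") {
    throw new TypeError(`expected string, got ${describe(value)}`);
  }
  if (value.length > 64) throw new Error("parameter too long");
  return value;
}

// Trust boundary: parameters arrive as JSON text. JSON.parse never consults
// TypeScript's types, so a field declared `string` may decode to anything.
function loadParam(jsonText, acceptor) {
  const parsed = JSON.parse(jsonText);
  return acceptor(parsed.value);
}

// Constructed inputs for the demonstration.
const SAMPLE_INPUTS = {
  STRING_INPUT: '{"value":"hello"}',
  OBJECT_INPUT: '{"value":{"nested":"x"}}',
  ARRAY_INPUT: '{"value":["a","b"]}',
};

// Runs every sample through both acceptors and records what type of value
// each one let through ("rejected" when the acceptor threw).
function demo() {
  const results = {};
  for (const [name, text] of Object.entries(SAMPLE_INPUTS)) {
    let weak;
    let strict;
    try { weak = describe(loadParam(text, weakAcceptParam)); } catch (e) { weak = "rejected"; }
    try { strict = describe(loadParam(text, strictAcceptParam)); } catch (e) { strict = "rejected"; }
    results[name] = { weak, strict };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the two acceptors is not the length rule, which stands in for any string-based sanitization: it is that the weak version validates one representation of the input and forwards another. In a code review, look for exactly that shape, a `String(x)` or template-literal coercion in the check followed by a use of the raw `x`.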

The problem is especially severe because n8n is frequently deployed with elevated permissions on the server, precisely because it needs to access different services, databases, and external APIs to carry out automations. This means that by exploiting this vulnerability, the attacker inherits those permissions and can read sensitive files, install backdoors, exfiltrate data from connected integrations such as databases, CRM platforms, email services, and even move laterally across the organization’s internal network.

The danger amplified by webhooks

The severity of CVE-2026-25049 increases considerably when combined with the n8n webhook functionality. Both SecureLayer7 and Pillar Security emphasized this point strongly. The scenario works like this:

  • The attacker creates a workflow that uses a public webhook with no authentication layer
  • Within that workflow, a remote code execution payload is added to a specific node
  • When the workflow is activated, the webhook becomes publicly accessible over the internet
  • Anyone who accesses the webhook URL triggers the execution of malicious commands on the server

Eilon Cohen from Pillar Security summed up the situation quite directly: the attack requires nothing special — if you can create a workflow, you can own the server. The Pillar report detailed that successful exploitation allows stealing API keys, cloud provider credentials, database passwords, OAuth tokens, and accessing the file system and internal systems. From there, the attacker can pivot to connected cloud accounts and even hijack artificial intelligence workflows.

Considering that many organizations use n8n as the centerpiece of their automations, including orchestrating flows involving large language models (LLMs) and AI agents, compromising the platform can have consequences that go far beyond the server itself. We are talking about a potential domino effect that can impact an entire company’s digital infrastructure.

Affected versions and how to update

The n8n development team has released fixes for CVE-2026-25049 in the following versions:

  • Versions prior to 1.123.17 are vulnerable — the fix is in version 1.123.17
  • Versions prior to 2.5.2 are vulnerable — the fix is in version 2.5.2

The most urgent step for any person or organization maintaining an n8n instance in production is to update immediately to the latest version of the platform. Delaying this update means accepting an unnecessary risk, especially considering that the technical details of the vulnerability are already circulating in security communities, and it is only a matter of time before automated exploitation tools are developed and spread.

If an immediate update is not feasible, the n8n maintainers recommend the following mitigation measures:

  • Restrict workflow creation and editing permissions to fully trusted users only
  • Deploy n8n in a hardened environment with restricted operating system privileges and limited network access

It is not just CVE-2026-25049 — 11 other flaws were fixed

As if CVE-2026-25049 were not enough, n8n also disclosed security advisories for 11 other vulnerabilities, five of which are classified as critical. The full list shows that the platform underwent a pretty intense security audit, revealing issues across different components:

  • CVE-2026-21893 (CVSS 9.4) — Command injection allowing authenticated users with administrative permissions to execute arbitrary commands on the n8n host under specific conditions. Fixed in version 1.120.3.
  • CVE-2026-25051 (CVSS 8.5) — Cross-site scripting (XSS) vulnerability in the handling of webhook responses and related HTTP endpoints, potentially leading to session hijacking and account takeover. Fixed in version 1.123.2.
  • CVE-2026-25052 (CVSS 9.4) — Time-of-check to time-of-use (TOCTOU) vulnerability in file access controls, allowing reading of sensitive host files and potential full account takeover. Fixed in versions 2.5.0 and 1.123.18.
  • CVE-2026-25053 (CVSS 9.4) — Command injection in the Git node, enabling arbitrary command execution or file reading on the host. Fixed in versions 2.5.0 and 1.123.10.
  • CVE-2026-25054 (CVSS 8.5) — Stored XSS in a markdown rendering component, including workflow sticky notes. Fixed in versions 2.2.1 and 1.123.9.
  • CVE-2026-25055 (CVSS 7.1) — Path traversal allowing file writes to unintended locations via the SSH node. Fixed in versions 2.4.0 and 1.123.12.
  • CVE-2026-25056 (CVSS 9.4) — Arbitrary file writes to the n8n server file system via the SQL Query mode of the Merge node, potentially leading to remote code execution. Fixed in versions 2.4.0 and 1.118.0.
  • CVE-2026-25115 (CVSS 9.4) — Python sandbox escape in the Python code node, allowing code execution outside the intended security boundary when Task Runners and Python are enabled. Fixed in version 2.4.8.
  • CVE-2026-25631 (CVSS 5.3) — Improper credential domain validation in the HTTP Request node, allowing requests with credentials to be sent to unintended domains. Fixed in version 1.121.0.
  • CVE-2025-61917 (CVSS 7.7) — Insecure buffer allocation that can expose sensitive information when Task Runners are enabled. Fixed in version 1.114.3.
  • CVE-2025-62726 (CVSS 8.8) — Remote code execution in the Git Node component when a remote repository containing a pre-commit hook is cloned. Fixed in version 1.113.0.

This extensive list reinforces that n8n had a considerable attack surface. The good news is that all of these flaws already have patches available, but the message is clear: keeping the platform updated is not optional.
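With twelve advisories fixed across two release lines (1.x and 2.x), checking a running instance by eye is error-prone. The following is an added example, not an n8n tool: it encodes the CVE identifiers and fixed versions exactly as listed in this article (for CVE-2026-25049 and the eleven flaws above) and reports which advisories a given version is still exposed to. The comparison treats versions as numeric major.minor.patch triples and ignores pre-release suffixes, and where an advisory lists no fixed version on the same major line it reports "unknown" rather than guessing; the helper names are my own.

```javascript
// Added example, not n8n's tooling. Maps a running n8n version against the
// fixed versions quoted in the article's advisories.

const ADVISORIES = [
  // CVE ids and fixed versions exactly as the article lists them.
  { cve: "CVE-2026-25049", fixedIn: ["1.123.17", "2.5.2"] },
  { cve: "CVE-2026-21893", fixedIn: ["1.120.3"] },
  { cve: "CVE-2026-25051", fixedIn: ["1.123.2"] },
  { cve: "CVE-2026-25052", fixedIn: ["2.5.0", "1.123.18"] },
  { cve: "CVE-2026-25053", fixedIn: ["2.5.0", "1.123.10"] },
  { cve: "CVE-2026-25054", fixedIn: ["2.2.1", "1.123.9"] },
  { cve: "CVE-2026-25055", fixedIn: ["2.4.0", "1.123.12"] },
  { cve: "CVE-2026-25056", fixedIn: ["2.4.0", "1.118.0"] },
  { cve: "CVE-2026-25115", fixedIn: ["2.4.8"] },
  { cve: "CVE-2026-25631", fixedIn: ["1.121.0"] },
  { cve: "CVE-2025-61917", fixedIn: ["1.114.3"] },
  { cve: "CVE-2025-62726", fixedIn: ["1.113.0"] },
];

// "v2.5.2-rc.1" -> [2, 5, 2]; anything else is an error, not a guess.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// For one advisory: "fixed", "vulnerable", or "unknown" when the advisory
// names no fixed version on the running major line (nothing can be inferred).
function exposureStatus(runningVersion, fixedIn) {
  const running = parseVersion(runningVersion);
  const sameLine = fixedIn.map(parseVersion).filter((f) => f[0] === running[0]);
  if (sameLine.length === 0) return "unknown";
  // If several fixes exist on the same line, the lowest one is the threshold.
  sameLine.sort(compareVersions);
  return compareVersions(running, sameLine[0]) >= 0 ? "fixed" : "vulnerable";
}

// Groups every advisory into fixed / vulnerable / unknown for one version.
function auditVersion(runningVersion, advisories = ADVISORIES) {
  const report = { fixed: [], vulnerable: [], unknown: [] };
  for (const adv of advisories) {
    report[exposureStatus(runningVersion, adv.fixedIn)].push(adv.cve);
  }
  return report;
}

// Example run against a constructed version number just below the fix.
console.log(JSON.stringify(auditVersion("1.123.16"), null, 2));
```

Feed it the output of `n8n --version` (or the image tag of your container). Treat "unknown" entries as a prompt to read the original advisory for that CVE, not as a pass.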

What to do now to protect your instance

Beyond the update itself, there are best practices that help reduce the attack surface and should be adopted regardless of this specific vulnerability. Limiting access to the n8n interface to internal networks or trusted VPNs only, for example, drastically reduces the possibility of an external attacker exploiting the flaw. Implementing multi-factor authentication for all platform users adds an extra layer of protection that makes it harder to use compromised credentials.

Periodically reviewing registered users and removing accounts that are no longer needed is also a simple measure that makes a difference. For those running n8n in Docker containers, ensuring that the container operates with the minimum possible privileges and with a read-only file system where feasible can limit the impact even in the event of a successful remote execution.

Another critical point is reviewing the platform’s access logs to identify any suspicious activity that might indicate an exploitation attempt prior to applying the patch. Pay special attention to workflows that use public webhooks without authentication, as those are the most direct vectors for exploiting CVE-2026-25049.
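Reviewing workflows for unauthenticated public webhooks (the first step of the scenario described under "The danger amplified by webhooks", and the review this paragraph recommends) can be scripted over exported workflow JSON. The block below is an added example, not part of n8n: it assumes the export format places nodes in a `nodes` array, that the Webhook node's type string is `n8n-nodes-base.webhook`, and that its `parameters.authentication` field reads `"none"` (or is absent) when no authentication is configured and that `httpMethod` defaults to GET. The two sample exports are constructed for the demonstration.

```javascript
// Added example, not n8n's code. Flags Webhook nodes reachable without
// authentication in exported n8n workflows, raising severity for workflows
// that are active (the endpoint is then live on the internet).

// Assumed node type identifier for n8n's Webhook node.
const WEBHOOK_NODE_TYPE = "n8n-nodes-base.webhook";

function isUnauthenticatedWebhook(node) {
  if (node.type !== WEBHOOK_NODE_TYPE) return false;
  // Assumption: absence of the field means no authentication was configured.
  const auth = (node.parameters && node.parameters.authentication) || "none";
  return auth === "none";
}

// One finding per unauthenticated webhook in a single workflow export.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (!isUnauthenticatedWebhook(node)) continue;
    const params = node.parameters || {};
    findings.push({
      workflow: workflow.name,
      node: node.name,
      path: params.path || "(unset)",
      method: params.httpMethod || "GET", // assumed default
      severity: workflow.active ? "high" : "medium",
    });
  }
  return findings;
}

// Accepts the raw JSON text of several exports and concatenates findings.
function auditExports(jsonTexts) {
  return jsonTexts.flatMap((text) => auditWorkflow(JSON.parse(text)));
}

// Constructed sample exports (not real workflows).
const SAMPLE_EXPORTS = [
  JSON.stringify({
    name: "Lead intake",
    active: true,
    nodes: [
      { name: "Public hook", type: WEBHOOK_NODE_TYPE, parameters: { path: "intake", httpMethod: "POST" } },
      { name: "Set", type: "n8n-nodes-base.set", parameters: {} },
    ],
  }),
  JSON.stringify({
    name: "Ops alerts",
    active: false,
    nodes: [
      { name: "Protected hook", type: WEBHOOK_NODE_TYPE, parameters: { path: "alerts", authentication: "headerAuth" } },
      { name: "Draft hook", type: WEBHOOK_NODE_TYPE, parameters: { path: "draft", authentication: "none" } },
    ],
  }),
];

console.log(JSON.stringify(auditExports(SAMPLE_EXPORTS), null, 2));
```

Run it over every workflow export from the instance and cross-check the "high" findings against the webhook paths appearing in your access logs before the patch date; an unexpected caller on an unauthenticated path is the kind of activity the paragraph above asks you to look for.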

Endor Labs closed their analysis with a technical reflection that applies to any software project: this vulnerability demonstrates why multiple layers of validation are crucial. Even if one layer, like TypeScript types, appears robust, additional runtime checks are necessary when processing untrusted inputs. The takeaway is to pay special attention to sanitization functions during code reviews, looking for assumptions about input types that are not enforced at runtime.

Lessons for those working with automation and AI

This episode also serves as an important reminder about the responsibility of keeping self-hosted platforms updated and monitored. Researcher Amit Genkin from Upwind put the matter into perspective by stating that the flexibility and power of n8n are exactly what make these issues high-impact. When automation engines have permission to directly influence execution and file access, small mistakes quickly turn into full environment compromise.

n8n is a powerful and extremely versatile tool, but precisely because it handles sensitive integrations and has access to multiple services, any security breach in it can have a significant cascading effect. Following the project’s official communication channels, subscribing to security alerts, and participating in the community are ways to stay informed about new threats.

For those building workflows involving language models, autonomous agents, or any type of AI system, this case is a reminder that the security of the orchestration infrastructure is just as important as the security of the models themselves. There is no point in investing in guardrails for your LLMs if the platform that connects and manages them is vulnerable to a complete takeover by an attacker.

CVE-2026-25049 is serious, but with the right measures applied quickly, it is possible to continue taking advantage of everything n8n offers without putting your infrastructure at risk 🔐. Update your instances, review your security configurations, and keep your workflows protected.

Rafael

Operations

I transform internal processes into delivery machines — ensuring that every Viral Method client receives premium service and real results.
