Critical n8n Flaw CVE-2026-25049 Allows System Command Execution through Malicious Workflows

A new, critical security vulnerability has been disclosed in the n8n workflow automation platform that, if successfully exploited, could result in the execution of arbitrary system commands.

The flaw, tracked as CVE-2026-25049 (CVSS score: 9.4), is the result of insufficient sanitization that bypasses safeguards put in place to address CVE-2025-68613 (CVSS score: 9.9), another critical defect that was patched by n8n in December 2025.

“Additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613,” n8n’s maintainers said in an advisory released Wednesday.

“An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n.”

The issue affects the following versions –

  • <1.123.17 (Fixed in 1.123.17)
  • <2.5.2 (Fixed in 2.5.2)

As many as 10 security researchers, including Fatih Çelik, who reported the original bug CVE-2025-68613, as well as Endor Labs’ Cris Staicu, Pillar Security’s Eilon Cohen, and SecureLayer7’s Sandeep Kamble, have been acknowledged for discovering the flaw.

“An attacker creates a workflow with a publicly accessible webhook that has no authentication enabled,” SecureLayer7 said. “By adding a single line of JavaScript using destructuring syntax, the workflow can be abused to execute system-level commands. Once exposed, anyone on the internet can trigger the webhook and run commands remotely.”

Successful exploitation of the vulnerability could allow an attacker to compromise the server, steal credentials, and exfiltrate sensitive data, not to mention open up opportunities for threat actors to install persistent backdoors to facilitate long-term access.

The cybersecurity company also noted that the severity of the flaw significantly increases when it is paired with n8n’s webhook feature, permitting an adversary to create a workflow using a public webhook and add a remote code execution payload to a node in the workflow, causing the webhook to be publicly accessible once the workflow is activated.

Pillar’s report has described the issue as permitting an attacker to steal API keys, cloud provider keys, database passwords, and OAuth tokens; access the filesystem and internal systems; pivot to connected cloud accounts; and hijack artificial intelligence (AI) workflows.

“The attack requires nothing special. If you can create a workflow, you can own the server,” Cohen said.

Endor Labs, which also shared details of the vulnerability, said the problem arises from gaps in n8n’s sanitization mechanisms that allow for bypassing security controls.

“The vulnerability arises from a mismatch between TypeScript’s compile-time type system and JavaScript’s runtime behavior,” Staicu explained. “While TypeScript enforces that a property should be a string at compile time, this enforcement is limited to values that are present in the code during compilation.”

“TypeScript cannot enforce these type checks on runtime attacker-produced values. When attackers craft malicious expressions at runtime, they can pass non-string values (such as objects, arrays, or symbols) that bypass the sanitization check entirely.”

If immediate patching is not an option, users are advised to follow the workarounds below to minimize the impact of potential exploitation –

  • Restrict workflow creation and editing permissions to fully trusted users only
  • Deploy n8n in a hardened environment with restricted operating system privileges and network access

“This vulnerability demonstrates why multiple layers of validation are crucial. Even if one layer (TypeScript types) appears strong, additional runtime checks are necessary when processing untrusted input,” Endor Labs said. “Pay special attention to sanitization functions during code review, looking for assumptions about input types that aren’t enforced at runtime.”
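
The compile-time versus runtime mismatch Staicu describes, and the runtime check Endor Labs recommends, can be seen in a small added example. It is a constructed illustration, not n8n's code or a reproduction of the n8n issue, and every name in it (`readFieldWeak`, `readFieldStrict`, `BLOCKED_FIELDS`, the sample row) is hypothetical.

```typescript
// Constructed illustration; all names are hypothetical and this is not n8n code.
const BLOCKED_FIELDS = new Set<string>(["apiKey", "dbPassword"]);

type Row = Record<string, unknown>;

// Weak: relies on the `string` annotation, which is erased at compile time.
function readFieldWeak(row: Row, field: string): unknown {
  if (BLOCKED_FIELDS.has(field)) {
    throw new Error("field is blocked");
  }
  // Property access coerces a non-string key to a string, so the
  // one-element array ["apiKey"] is used as the key "apiKey" here,
  // although the Set lookup above did not match it.
  return row[field];
}

// Hardened: check the runtime type before the denylist comparison.
function readFieldStrict(row: Row, field: unknown): unknown {
  if (typeof field !== "string") {
    throw new TypeError("field must be a string");
  }
  if (BLOCKED_FIELDS.has(field)) {
    throw new Error("field is blocked");
  }
  return Object.prototype.hasOwnProperty.call(row, field) ? row[field] : undefined;
}

// Constructed sample data.
const sampleRow: Row = { name: "demo", apiKey: "constructed-secret" };

// JSON.parse returns `any`, so a non-string value reaches the `string`
// parameter without any compile-time error.
function parseRequest(body: string): { field: any } {
  return JSON.parse(body);
}

// Runs one reader against the sample row and reports the outcome as text.
function tryRead(reader: (row: Row, field: any) => unknown, body: string): string {
  try {
    return String(reader(sampleRow, parseRequest(body).field));
  } catch (err) {
    return "rejected: " + (err as Error).message;
  }
}
```

During code review, the signal to look for is a sanitizer whose only type guarantee is an annotation on a parameter that can receive parsed or user-controlled data.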
