
Critical n8n Flaw CVE-2026-25049 Enables System Command Execution via Malicious Workflows

Published:

5 February 2026 at 06:16:00

Alert date:

5 February 2026 at 07:00:41

Source:

thehackernews.com


Enterprise Applications, Zero-Day Vulnerabilities

A critical security vulnerability, CVE-2026-25049 (CVSS score 9.4), has been discovered in the n8n workflow automation platform. The flaw allows execution of arbitrary system commands through malicious workflows. It bypasses safeguards that were implemented to address a previous critical issue, CVE-2025-68613 (CVSS 9.9). The vulnerability stems from inadequate sanitization of user input in the workflow processing system.

Technical details

The vulnerability arises from inadequate sanitization that lets attackers get past the safeguards put in place for CVE-2025-68613. It exploits gaps in n8n's expression evaluation, where crafted expressions in workflow parameters can trigger system command execution. The root cause is a mismatch between TypeScript's compile-time type system and JavaScript's runtime behavior: code written against a parameter declared as a string can receive non-string values (objects, arrays, symbols) at runtime, and those values bypass the sanitization checks. Attackers can create workflows with publicly accessible webhooks and add JavaScript using destructuring syntax to execute system-level commands remotely.

Mitigation steps:

Update to n8n version 1.123.17 or later on the 1.x branch
Update to n8n version 2.5.2 or later on the 2.x branch
Restrict workflow creation and editing permissions to fully trusted users only
Deploy n8n in a hardened environment with restricted operating system privileges and network access
Implement multiple layers of validation, including runtime type checks, when processing untrusted input
During code review, check sanitization functions for assumptions about the types of input they receive
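As an added illustration of the last two mitigation points and of the type-system mismatch described above (example code written for this page, not n8n's own sanitizer; FORBIDDEN, sanitizeNaive and sanitizeStrict are constructed placeholders): a sanitizer written against a declared string parameter silently skips any non-string value, whereas a version with explicit runtime type checks walks arrays and plain objects, checks their keys, and rejects symbols, functions and class instances.

```javascript
// Added example, not n8n code: a sanitizer that trusts its declared
// parameter type versus one that validates the runtime type of every value.

// Constructed stand-in for whatever token check a real sanitizer performs.
const FORBIDDEN = /\b(process|require|child_process)\b/;

// Naive form: the typeof guard exists to tolerate numbers and booleans,
// but it also lets arrays, objects and symbols through unchecked.
function sanitizeNaive(value) {
  if (typeof value !== "string") return value;
  if (FORBIDDEN.test(value)) throw new Error("forbidden token in input");
  return value;
}

// Hardened form: every runtime type is handled explicitly; containers are
// walked and rebuilt as plain values, and anything else is rejected.
function sanitizeStrict(value, depth = 0) {
  if (depth > 32) throw new Error("input nested too deeply");
  switch (typeof value) {
    case "string":
      if (FORBIDDEN.test(value)) throw new Error("forbidden token in input");
      return value;
    case "number":
    case "boolean":
    case "undefined":
      return value;
    case "object": {
      if (value === null) return null;
      if (Array.isArray(value)) {
        return value.map((item) => sanitizeStrict(item, depth + 1));
      }
      // Only plain objects are accepted; class instances with custom
      // toString/valueOf behaviour are refused rather than trusted.
      const proto = Object.getPrototypeOf(value);
      if (proto !== Object.prototype && proto !== null) {
        throw new Error("unexpected object type");
      }
      const clean = {};
      for (const key of Object.keys(value)) {
        sanitizeStrict(key, depth + 1); // keys are attacker-controlled strings too
        clean[key] = sanitizeStrict(value[key], depth + 1);
      }
      return clean;
    }
    default: // symbol, function, bigint
      throw new Error(`unsupported value type: ${typeof value}`);
  }
}
```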

Affected products:

n8n workflow automation platform versions <1.123.17
n8n workflow automation platform versions <2.5.2

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
