A critical security vulnerability has been discovered in the n8n workflow automation platform, potentially allowing attackers to execute arbitrary system commands on affected servers. The flaw, identified as CVE-2026-25049, carries a high CVSS score of 9.4, highlighting its significant risk to users of the popular automation tool.
n8n, a widely adopted open-source workflow automation tool, has addressed this critical n8n vulnerability, which emerged as a bypass for a previously patched defect. The company urges users to update their installations promptly to mitigate the risk of exploitation, which could lead to severe system compromise.
New n8n Vulnerability Allows Arbitrary Command Execution
The newly disclosed vulnerability, CVE-2026-25049, stems from insufficient sanitization within the platform’s expression evaluation. This oversight allows authenticated users with workflow creation or modification privileges to craft malicious expressions within workflow parameters. These expressions can then bypass intended security safeguards, leading to the unintended execution of system commands on the host running n8n.
This critical flaw emerged shortly after n8n patched CVE-2025-68613 in December 2025, another severe defect with a CVSS score of 9.9 that also involved vulnerabilities in expression evaluation. According to n8n’s advisory, “Additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613.”
The issue affects n8n versions prior to 1.123.17 and 2.5.2. Fixed releases, 1.123.17 for the 1.x branch and 2.5.2 for the 2.x branch, have been published and should be deployed immediately.
Discovery and Technical Details of the n8n Vulnerability
The discovery of CVE-2026-25049 was a collaborative effort, with acknowledgments extended to ten security researchers. Notably, Fatih Çelik, who also reported the original CVE-2025-68613, was among those credited. Other researchers include Cris Staicu from Endor Labs, Eilon Cohen from Pillar Security, and Sandeep Kamble from SecureLayer7.
Fatih Çelik described the relationship between the two vulnerabilities, stating, “they could be considered the same vulnerability, as the second one is just a bypass for the initial fix.” He elaborated that these flaws enable an attacker to escape n8n’s expression sandbox mechanism and circumvent existing security checks.
SecureLayer7 detailed a potential exploitation scenario: an attacker could establish a workflow with a publicly accessible webhook lacking authentication. By incorporating a single line of JavaScript utilizing destructuring syntax, the workflow can be manipulated to execute system-level commands. Once exposed, any individual on the internet could trigger this webhook and run commands remotely.
Implications of the n8n Command Execution Flaw
Successful exploitation of this n8n vulnerability poses significant risks, including the potential compromise of servers, theft of sensitive credentials, and exfiltration of confidential data. Furthermore, it opens avenues for threat actors to establish persistent backdoors for prolonged access to compromised systems.
The severity of this flaw is amplified when combined with n8n’s webhook functionality. Researchers noted that an adversary could create a workflow using a public webhook and embed a remote code execution payload within a workflow node. This would render the webhook publicly accessible once the workflow is activated.
Pillar Security’s report indicated that the vulnerability could allow an attacker to steal API keys, cloud provider credentials, database passwords, OAuth tokens, and gain access to the filesystem and internal systems. This could also facilitate pivoting to connected cloud accounts and hijacking artificial intelligence (AI) workflows.
“The attack requires nothing special. If you can create a workflow, you can own the server,” stated Eilon Cohen. Endor Labs attributed the issue to gaps in n8n’s sanitization mechanisms that allow security controls to be bypassed.
Cris Staicu of Endor Labs explained that the vulnerability arises from a discrepancy between TypeScript’s compile-time type system and JavaScript’s runtime behavior. While TypeScript enforces type checking at compilation, this enforcement is limited to values present in the code during compilation and does not extend to attacker-produced runtime values. When attackers craft malicious expressions at runtime, they can inject non-string values, such as objects or arrays, thereby bypassing sanitization checks entirely.
Mitigation Strategies and Future Considerations
For users unable to apply immediate patches, n8n recommends several workarounds to minimize the impact of potential exploitation. These include restricting workflow creation and editing permissions strictly to trusted users and deploying n8n within a hardened environment that enforces restricted operating system privileges and network access.
Endor Labs emphasized the importance of multiple layers of validation, noting, “This vulnerability demonstrates why multiple layers of validation are crucial. Even if one layer (TypeScript types) appears strong, additional runtime checks are necessary when processing untrusted input.” They advise paying close attention to sanitization functions during code reviews, looking for assumptions about input types that are not enforced at runtime.
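The following is an added example written for this article; it is not n8n's code and does not reproduce the patched defect. It illustrates the point made by Cris Staicu and in Endor Labs' advice above: a parameter annotated `string` in TypeScript is only constrained at call sites the compiler sees, while a value parsed from a request body at runtime is typed `any` and may be an array or object. A sanitizer that relies on the annotation then calls `Array.prototype.includes` (element equality) instead of `String.prototype.includes` (substring search) and returns a verdict about the wrong thing. The block list, request bodies and function names are constructed for the example.

```typescript
// Added example, not n8n's code: a compile-time `string` annotation versus a
// runtime type check in an expression sanitizer.

// Constructed block list of identifiers the sanitizer refuses in an expression.
const FORBIDDEN_TOKENS: readonly string[] = ["process", "require", "child_process"];

// Weak sanitizer: the `string` type only constrains call sites the compiler
// checks. If an array arrives at runtime, `expr.includes` resolves to
// Array.prototype.includes, so "does any element equal the token" is tested
// instead of "does the text contain the token".
function sanitizeWeak(expr: string): boolean {
  return !FORBIDDEN_TOKENS.some((tok) => expr.includes(tok));
}

// Hardened sanitizer: establish the runtime type before using string
// semantics. Anything that is not a primitive string is rejected outright.
function sanitizeStrict(expr: unknown): boolean {
  if (typeof expr !== "string") return false;
  const text: string = expr;
  return !FORBIDDEN_TOKENS.some((tok) => text.includes(tok));
}

// Untrusted parameter as it would arrive in an HTTP body. JSON.parse returns
// `any`, so this compiles as `string` no matter what the JSON actually holds.
function parameterFromBody(body: string): string {
  return JSON.parse(body).expr;
}

// Constructed request bodies: a benign string expression, a string that the
// block list should reject, and a body whose "expression" is an array.
const BODY_STRING = JSON.stringify({ expr: "{{ $json.name }}" });
const BODY_STRING_FORBIDDEN = JSON.stringify({ expr: "{{ process.env }}" });
const BODY_ARRAY = JSON.stringify({ expr: ["pro", "cess"] });

interface Verdict {
  runtimeType: string;   // what the value really was at runtime
  weakAllows: boolean;   // verdict of the annotation-only sanitizer
  strictAllows: boolean; // verdict of the runtime-checked sanitizer
}

// Run both sanitizers over one body and report the verdicts alongside the
// actual runtime type, which is what a reviewer or a log line should record.
function evaluateBody(body: string): Verdict {
  const expr = parameterFromBody(body);
  return {
    runtimeType: Array.isArray(expr) ? "array" : typeof expr,
    weakAllows: sanitizeWeak(expr),
    strictAllows: sanitizeStrict(expr),
  };
}

console.log(evaluateBody(BODY_STRING));           // string: both allow
console.log(evaluateBody(BODY_STRING_FORBIDDEN)); // string: both reject
console.log(evaluateBody(BODY_ARRAY));            // array: weak allows, strict rejects
```

The array case is the one worth studying in a code review: `sanitizeWeak` returns `true` not because the content is safe but because the method it called meant something else. The `typeof` guard in `sanitizeStrict` is the runtime layer the advisory calls for, and it is cheap to add anywhere a value typed from `JSON.parse`, request parameters or database rows crosses into code that assumes a string.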
The ongoing nature of security research suggests that further vulnerabilities within workflow automation platforms may be uncovered. Users are advised to stay informed about security advisories from n8n and other vendors, and to maintain robust security practices, including regular patching and thorough code reviews, to protect their automated systems.