
A critical new security vulnerability has been disclosed in the n8n workflow automation platform that could be successfully exploited to execute arbitrary system commands.
This flaw, tracked as CVE-2026-25049 (CVSS score: 9.4), is due to improper sanitization that bypasses safety measures put in place to address CVE-2025-68613 (CVSS score: 9.9), another critical flaw patched by n8n in December 2025.
“Additional exploits in expression evaluation in n8n have been identified and patched in accordance with CVE-2025-68613,” n8n maintainers said in an advisory released Wednesday.
“An authenticated user with privileges to create or modify workflows could exploit a crafted expression in a workflow parameter to cause execution of unintended system commands on a host running n8n.”
This issue affects the following versions:
- <1.123.17 (fixed in 1.123.17)
- <2.5.2 (fixed in 2.5.2)
Ten security researchers are credited with discovering the flaw, including Fatih Çelik, who reported the original bug CVE-2025-68613, Cris Staicu of Endor Labs, Eilon Cohen of Pillar Security, and Sandeep Kamble of SecureLayer7.
In a technical write-up describing CVE-2025-68613 and CVE-2026-25049, Çelik said, “The second vulnerability is only a bypass of the initial fix, so it could be considered the same vulnerability,” adding that an attacker could circumvent n8n’s sandboxing mechanism and its security checks.
“An attacker creates a workflow using a publicly accessible webhook that does not have authentication enabled,” SecureLayer7 said. “By adding a single line of JavaScript using structured syntax, workflows can be exploited to execute system-level commands. Once exposed, anyone on the internet can trigger a webhook to execute commands remotely.”

Successful exploitation of this vulnerability could not only allow an attacker to compromise the server, steal credentials, and exfiltrate sensitive data, but it could also open an opportunity for the attacker to install persistent backdoors to facilitate long-term access.
The cybersecurity firm also noted that the severity of the flaw increases significantly when combined with n8n’s webhook functionality, allowing an attacker to create a workflow with a public webhook, add a remote code execution payload to a node within the workflow, and make the webhook publicly accessible once the workflow is activated.

Pillar’s report describes the issue as allowing attackers to steal API keys, cloud provider keys, database passwords, and OAuth tokens, access file systems and internal systems, pivot to connected cloud accounts, and hijack artificial intelligence (AI) workflows.
“The attack doesn’t require anything special. If you can create a workflow, you own the server,” Cohen said.
Endor Labs also revealed details about the vulnerability, stating that the issue is caused by a gap in n8n’s sanitization mechanism that allows security controls to be bypassed.
“This vulnerability is caused by a mismatch between TypeScript’s compile-time type system and JavaScript’s run-time behavior,” Staicu explained. “TypeScript enforces properties to be strings at compile time, but this enforcement is limited to values that are present in the code during compilation.”
“TypeScript cannot enforce these type checks on values created by an attacker at runtime. If an attacker creates a malicious expression at runtime, they could pass non-string values (objects, arrays, symbols, etc.) that bypass sanitization checks completely.”
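The mismatch Staicu describes, as an added illustration that is not n8n’s code: a denylist sanitizer written against a TypeScript `string` parameter, beside a version that enforces the type at runtime. The denylist, the inputs and the behaviour shown are constructed for this example.

```javascript
// Constructed illustration (not n8n's code) of the bug class described above:
// a sanitizer typed as taking a string, reached at runtime with a value the
// compiler never saw.

// Property names a sandboxed expression must not reach (constructed list).
const FORBIDDEN = ["__proto__", "constructor", "prototype"];

// Weak: trusts the compile-time type. Called with an array, `.includes`
// resolves to Array.prototype.includes, which compares whole elements rather
// than searching for a substring, so the check passes and the later String()
// coercion hands the forbidden text through unchanged.
function sanitizeWeak(expr) {
  for (const word of FORBIDDEN) {
    if (expr.includes(word)) throw new Error("forbidden token: " + word);
  }
  return String(expr);
}

// Hardened: reject anything that is not a string before the denylist runs,
// so the check is evaluated against the value actually present at runtime.
function sanitizeStrict(expr) {
  if (typeof expr !== "string") {
    throw new TypeError("expression must be a string, got " + typeof expr);
  }
  for (const word of FORBIDDEN) {
    if (expr.includes(word)) throw new Error("forbidden token: " + word);
  }
  return expr;
}

// Runs a sanitizer and reports whether it accepted the input.
function tryPolicy(fn, input) {
  try {
    return { ok: true, value: fn(input) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Stand-alone demo: the same text is blocked as a string, accepted by the
// weak sanitizer when wrapped in an array, and blocked by the strict one.
const sample = "a.__proto__.b";
console.log("weak, string :", tryPolicy(sanitizeWeak, sample));
console.log("weak, array  :", tryPolicy(sanitizeWeak, [sample]));
console.log("strict, array:", tryPolicy(sanitizeStrict, [sample]));
```

The same lesson applies to any sanitizer that relies on string methods such as `startsWith`, `replace` or a regex test: each has a different meaning, or throws, once the value is an array or object.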
If immediate patching is not possible, we recommend following the workarounds below to minimize the impact of potential exploits.
- Restrict workflow creation and editing privileges to fully trusted users
- Deploy n8n in a hardened environment with limited operating system permissions and network access
“This vulnerability shows why multiple layers of validation are important. Even if one layer (TypeScript type) seems powerful, additional runtime checks are required when processing untrusted input,” Endor Labs said. “Pay particular attention to sanitization functions during code reviews, and look for assumptions about input types that are not enforced at runtime.”
(This story was updated after publication to include additional insights published by security researcher Fatih Çelik.)
