A new, critical security vulnerability has been disclosed in the n8n workflow automation platform that, if successfully exploited, could result in the execution of arbitrary system commands.
The flaw, tracked as CVE-2026-25049 (CVSS score: 9.4), is the result of inadequate sanitization that bypasses safeguards put in place to address CVE-2025-68613 (CVSS score: 9.9), another critical defect that was patched by n8n in December 2025.
“Additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613,” n8n’s maintainers said in an advisory released Wednesday.
“An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n.”
The issue affects the following versions –
- <1.123.17 (Fixed in 1.123.17)
- <2.5.2 (Fixed in 2.5.2)
As many as 10 security researchers, including Fatih Çelik, who reported the original bug CVE-2025-68613, as well as Endor Labs’ Cris Staicu, Pillar Security’s Eilon Cohen, and SecureLayer7’s Sandeep Kamble, have been acknowledged for discovering the shortcoming.
In a technical deep-dive expounding CVE-2025-68613 and CVE-2026-25049, Çelik said “they could be considered the same vulnerability, as the second one is just a bypass for the initial fix,” adding how they allow an attacker to escape the n8n expression sandbox mechanism and get around security checks.
“An attacker creates a workflow with a publicly accessible webhook that has no authentication enabled,” SecureLayer7 said. “By adding a single line of JavaScript using destructuring syntax, the workflow can be abused to execute system-level commands. Once exposed, anyone on the internet can trigger the webhook and run commands remotely.”
Successful exploitation of the vulnerability could allow an attacker to compromise the server, steal credentials, and exfiltrate sensitive data, not to mention open up opportunities for threat actors to install persistent backdoors to facilitate long-term access.
The cybersecurity company also noted that the severity of the flaw significantly increases when it’s paired with n8n’s webhook feature, permitting an adversary to create a workflow using a public webhook and add a remote code execution payload to a node in the workflow, causing the webhook to be publicly accessible once the workflow is activated.
Pillar’s report has described the issue as permitting an attacker to steal API keys, cloud provider keys, database passwords, OAuth tokens, and access the filesystem and internal systems, pivot to connected cloud accounts, and hijack artificial intelligence (AI) workflows.
“The attack requires nothing special. If you can create a workflow, you can own the server,” Cohen said.
Endor Labs, which also shared details of the vulnerability, said the problem arises from gaps in n8n’s sanitization mechanisms that allow for bypassing security controls.
“The vulnerability arises from a mismatch between TypeScript’s compile-time type system and JavaScript’s runtime behavior,” Staicu explained. “While TypeScript enforces that a property should be a string at compile time, this enforcement is limited to values that are present in the code during compilation.”
“TypeScript cannot enforce these type checks on runtime attacker-produced values. When attackers craft malicious expressions at runtime, they can pass non-string values (such as objects, arrays, or symbols) that bypass the sanitization check entirely.”
If immediate patching is not an option, users are advised to follow the workarounds below to minimize the impact of potential exploitation –
- Restrict workflow creation and editing permissions to fully trusted users only
- Deploy n8n in a hardened environment with restricted operating system privileges and network access
“This vulnerability demonstrates why multiple layers of validation are crucial. Even if one layer (TypeScript types) appears strong, additional runtime checks are necessary when processing untrusted input,” Endor Labs said. “Pay special attention to sanitization functions during code review, looking for assumptions about input types that aren’t enforced at runtime.”
(The story was updated after publication to include additional insights published by security researcher Fatih Çelik.)
