A number of crucial vulnerabilities within the fashionable n8n open-source workflow automation platform enable escaping the confines of the setting and taking full management of the host server.
Collectively tracked as CVE-2026-25049, the problems will be exploited by any authenticated person who can create or edit workflows on the platform to carry out unrestricted distant code execution on the n8n server.
Researchers at a number of cybersecurity firms reported the issues, which stem from n8n’s sanitization mechanism and bypass the patch for CVE-2025-68613, one other crucial flaw addressed on December 20.
In keeping with Pillar Safety, exploiting CVE-2026-25049 permits full compromise of the n8n occasion and may very well be leveraged to run arbitrary system instructions on the server, steal all saved credentials, secrets and techniques (API keys, OAuth tokens), and delicate configuration information.
By exploiting the vulnerability, the researchers have been additionally in a position to entry the filesystem and inside programs, pivot to related cloud accounts, and hijack AI workflows (intercept prompts, modify responses, redirect site visitors).
As n8n is a multi-tenant setting, accessing inside cluster providers can doubtlessly enable pivoting to different tenants’ information.
“The attack requires nothing special. If you can create a workflow, you can own the server,” Pillar Safety says in a report at this time.
Supply: Pillar Safety
Pillar’s report describes the issue as incomplete AST-based sandboxing and explains that it arises from n8n’s weak sandboxing of user-written server-side JavaScript expressions in workflows.
On December 21, 2025, they demonstrated a chained bypass to the n8n group, permitting sandbox escape and entry to the Node.js world object, resulting in RCE.
A repair was carried out two days later, however upon additional evaluation, Pillar discovered it incomplete, and a second escape through a unique mechanism utilizing equal operations remained attainable.
n8n builders confirmed the bypass on December 30, and ultimately, n8n launched model 2.4.0 on January 12, 2026, addressing the problem.
Researchers at Endor Labs additionally found sanitization bypasses and demonstrated the CVE-2026-25049 vulnerability with a easy proof-of-concept (PoC) exploit that achieves distant code execution.
“In all versions prior to 2.5.2 and 1.123.17, the sanitization function assumes keys in property accesses are strings in attacker-controlled code,” says Cristian Staicu of Endor Labs.
Nevertheless, whereas the examine is mirrored in TypeScript typings, it isn’t enforced at runtime, introducing a type-confusion vulnerability. This results in bypassing the “sanitization controls entirely, enabling arbitrary code execution attacks.”
In a report at this time, researchers at SecureLayer7 present the technical particulars that enabled them to obtain “server side JavaScript execution using the Function constructor.”
They found CVE-2026-25049 whereas analyzing CVE-2025-68613 and n8n’s repair for it. It took greater than 150 failed makes an attempt to refine a profitable bypass.
SecureLayer7’s report additionally features a PoC exploit and detailed steps for the preliminary setup and making a malicious workflow that results in full server management.
Really useful steps
n8n customers ought to replace the platform to the latest model (presently 1.123.17 and a pair of.5.2). Pillar safety additionally recommends rotating the ‘N8N_ENCRYPTION_KEY’ and all credentials saved on the server, and reviewing workflows for suspicious expressions.
If updating is just not attainable in the meanwhile, the n8n group offers directors with a workaround, which acts as a short lived mitigation and doesn’t utterly tackle the danger:
- Restrict workflow creation and modifying permissions to totally trusted customers solely
- Deploy n8n in a hardened setting with restricted working system privileges and community entry to cut back the impression of potential exploitation
At present, there haven’t been any public studies about CVE-2026-25049 being exploited. Nevertheless, n8n’s rising recognition seems to have caught the eye of cybercriminals within the context of the Ni8mare flaw (CVE-2026-21858).
GreyNoise this week reported seeing doubtlessly malicious exercise focusing on uncovered n8n endpoints susceptible to Ni8mare, logging at the very least 33,000 requests between January 27 and February 3.
Though this probing may very well be as a consequence of analysis exercise, scanning for the /proc filesystem signifies curiosity in post-exploitation potential.
Trendy IT infrastructure strikes quicker than handbook workflows can deal with.
On this new Tines information, learn the way your group can cut back hidden handbook delays, enhance reliability via automated response, and construct and scale clever workflows on prime of instruments you already use.
