CVE-2025-52554

4.3 MEDIUM

📋 TL;DR

This CVE describes an authorization (broken access control) vulnerability in the n8n workflow automation platform: any authenticated user can stop workflow executions belonging to workflows they neither own nor have had shared with them. It affects all n8n instances running versions before 1.99.1 and lets a low-privileged account disrupt other users' workflows by terminating their running executions.

💻 Affected Systems

Products:
  • n8n
Versions: All versions prior to 1.99.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any n8n deployment with more than one user account; a single-user instance has no other users' executions to stop. Both self-hosted and multi-user cloud-style deployments are in scope as long as the server runs a version below 1.99.1.

📦 What is this software?

n8n is a workflow automation platform: users build workflows from nodes (triggers, API calls, transformations) in a browser-based editor, and the n8n server runs them as executions. In multi-user instances each workflow has an owner and can be shared with other users; the vulnerable endpoint is the one the editor calls to stop a running execution.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A malicious insider or a compromised account stops critical business workflows mid-run, interrupting processing, leaving partially completed jobs and inconsistent downstream data, and causing operational or financial impact.

🟠

Likely Case

A user with legitimate access to some workflows stops executions of other users' workflows, accidentally or deliberately, causing minor to moderate business disruption.

🟢

If Mitigated

Only users who own a workflow, or who have had it explicitly shared with them, can stop its executions.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires an authenticated account on the instance, but nothing beyond a single POST to the stop endpoint with the target execution's ID; no special tooling or skill is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.99.1

Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-gq57-v332-7666

Restart Required: Yes

Instructions:

1. Back up your n8n instance (database and configuration).
2. Update n8n to version 1.99.1 or later using your package manager or deployment method (npm, Docker image tag, Helm chart, etc.).
3. Restart the n8n service.
4. Verify the update was successful (see "How to Verify" below).

🔧 Temporary Workarounds

API Endpoint Restriction

Platform: all

Restrict access to the vulnerable /rest/executions/:id/stop endpoint at a reverse proxy or API gateway in front of n8n. This is a blunt control: it disables the "stop execution" action for every user, owners included, until you patch, and it assumes the default REST prefix (/rest/, configurable in n8n via N8N_ENDPOINT_REST), so adjust the path if your instance uses a different one.

# Example nginx configuration: deny every request to the stop endpoint.
# A regex location is used instead of "if" inside a prefix location; it is
# matched before the usual "location /" block that proxies to n8n.
location ~ ^/rest/executions/[^/]+/stop/?$ {
    return 403;
}

🧯 If You Can't Patch

  • Block or allow-list the /rest/executions/:id/stop endpoint at the proxy (n8n itself cannot enforce per-execution authorization on vulnerable versions, so the control has to sit in front of it) and log every request to that path
  • Review and limit user accounts: remove dormant users, and keep the number of accounts on instances that run business-critical workflows to the minimum, since every account can stop every execution until the patch is applied

🔍 How to Verify

Check if Vulnerable:

Check the n8n version. Any version below 1.99.1 is vulnerable. The CLI prints it (below; on Docker, run the same command inside the container), and it is also shown in the editor UI.

Check Version:

n8n --version

Verify Fix Applied:

After updating, verify that the version is 1.99.1 or higher, then test the behaviour directly: as user B, try to stop a running execution of a workflow owned by (and not shared with) user A and confirm the request is refused, then confirm user A can still stop it. Use a throwaway workflow for this so the test does not interrupt real work.
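The check described above, written out as a small script. This is an added example, not code from the advisory or from n8n: it sends the same POST the editor sends to the stop endpoint named in the advisory and classifies the HTTP status. Assumptions not stated on the page: you supply the non-owner user's n8n session cookie (default cookie name n8n-auth) and the ID of a running execution of another user's workflow (a test workflow parked on a Wait node works well). Run it once with the non-owner's cookie (expect DENIED) and once with the owner's (expect a 200), so a 404 caused by a wrong execution ID is not mistaken for the fix; and run it against n8n itself, not through the nginx workaround above, which would also answer 403.

```python
"""Added example (not from the advisory or n8n): does a non-owner still get
to stop someone else's execution after the upgrade?

Assumptions not stated on the original page: the caller supplies the
session cookie of the *non-owner* user and the ID of a *running*
execution belonging to a workflow that user does not own or share.
"""
import os
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict

STOP_PATH = "/rest/executions/{execution_id}/stop"  # endpoint named in the advisory
AUTH_COOKIE = "n8n-auth"                            # n8n's session cookie name

PostFn = Callable[[str, Dict[str, str]], int]


def _urllib_post(url: str, headers: Dict[str, str]) -> int:
    """Real transport: empty POST, return the HTTP status (4xx/5xx included)."""
    req = urllib.request.Request(url, data=b"", method="POST", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_stop_authorization(base_url: str, session_cookie: str,
                             execution_id: str, post: PostFn = _urllib_post) -> dict:
    """POST to the stop endpoint as the given session and classify the result.

    `post` is injectable so the classification can be exercised without a
    live n8n instance."""
    url = base_url.rstrip("/") + STOP_PATH.format(execution_id=execution_id)
    headers = {
        "Cookie": f"{AUTH_COOKIE}={session_cookie}",
        "Accept": "application/json",
    }
    status = post(url, headers)
    if status == 200:
        verdict = "VULNERABLE"    # non-owner stopped another user's execution
    elif status in (403, 404):
        verdict = "DENIED"        # expected on 1.99.1+; 404 can also mean a bad ID
    elif status == 401:
        verdict = "NO_SESSION"    # cookie expired, or sent to the wrong instance
    else:
        verdict = "INCONCLUSIVE"  # 5xx, proxy interference, etc.
    return {"url": url, "status": status, "verdict": verdict}


if __name__ == "__main__":
    # Usage: N8N_URL=https://n8n.example N8N_COOKIE=<cookie value> python check_stop.py <execution_id>
    if len(sys.argv) != 2 or "N8N_URL" not in os.environ or "N8N_COOKIE" not in os.environ:
        sys.exit("usage: N8N_URL=... N8N_COOKIE=... python check_stop.py <execution_id>")
    result = check_stop_authorization(os.environ["N8N_URL"], os.environ["N8N_COOKIE"], sys.argv[1])
    print(f"{result['url']} -> HTTP {result['status']}: {result['verdict']}")
    sys.exit(1 if result["verdict"] == "VULNERABLE" else 0)
```

The exit code is 1 only for VULNERABLE, so the script can sit in a post-upgrade checklist; a DENIED result should still be paired with a successful stop by the owner to prove the execution ID was real.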

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /rest/executions/<id>/stop in reverse-proxy access logs (n8n itself does not write a per-request access log by default), especially from users or API clients that never load those executions via GET first
  • 403/404 responses on that path after upgrading: on 1.99.1+ a refused stop attempt is a direct indicator. On vulnerable versions every stop returns 200, so status codes cannot separate authorized from unauthorized stops; only volume and breadth can
  • Executions that ended in the "canceled" state for workflows whose owner did not initiate the stop (stopping an execution through this endpoint records it as canceled)

Network Indicators:

  • Bursts of stop requests from a single user, session or source IP, or stop requests arriving from scripted clients (curl, python-requests user agents) rather than the browser editor
  • Stop requests whose execution IDs belong to workflows the user does not own or have shared with them (the path carries an execution ID, not a workflow ID, so correlate against n8n's execution records to resolve the workflow and its owner)

SIEM Query:

The field used in the original page's query ("user_workflow_access") is not something n8n or a reverse proxy emits; authorization decisions are not logged per request. A query that works on proxy access logs (Splunk-style syntax; adapt field names to your schema) flags users who stop many distinct executions and, after patching, any refused attempt. The threshold of 5 is a starting point, not a tuned value.

source="nginx" http_method="POST" uri_path="/rest/executions/*/stop"
| stats count dc(uri_path) as distinct_executions sum(eval(status=403)) as denied by user, src_ip
| where count > 5 OR denied > 0
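The same detection logic as the query above, as an added example that runs over raw access-log lines offline (not code from the page, the advisory or n8n). Assumptions not stated on the page: nginx "combined" log format in front of n8n, the default /rest/ prefix, and a proxy that writes a user identity into $remote_user (the code falls back to the client IP when that field is "-"). The log lines embedded below are constructed for the example: alice stops her own runs an hour apart, bob walks through consecutive execution IDs with curl and the last attempt is refused.

```python
"""Added example (not from the page or n8n): detection pass over reverse-proxy
access logs for execution-stop activity.

Assumptions: nginx 'combined' format, default /rest/ prefix, user identity in
$remote_user (else client IP). SAMPLE_LOG is constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
STOP_RE = re.compile(r"^/rest/executions/(?P<exec_id>[^/?]+)/stop/?$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Jul/2025:14:03:21 +0000] "POST /rest/executions/1201/stop HTTP/1.1" 200 2 "-" "Mozilla/5.0"
10.0.0.9 - bob [10/Jul/2025:14:04:02 +0000] "GET /rest/executions/1202 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - bob [10/Jul/2025:14:04:10 +0000] "POST /rest/executions/1202/stop HTTP/1.1" 200 2 "-" "curl/8.5.0"
10.0.0.9 - bob [10/Jul/2025:14:04:11 +0000] "POST /rest/executions/1203/stop HTTP/1.1" 200 2 "-" "curl/8.5.0"
10.0.0.9 - bob [10/Jul/2025:14:04:12 +0000] "POST /rest/executions/1204/stop HTTP/1.1" 200 2 "-" "curl/8.5.0"
10.0.0.9 - bob [10/Jul/2025:14:04:13 +0000] "POST /rest/executions/1205/stop HTTP/1.1" 403 30 "-" "curl/8.5.0"
10.0.0.5 - alice [10/Jul/2025:15:10:00 +0000] "POST /rest/executions/1300/stop HTTP/1.1" 200 2 "-" "Mozilla/5.0"
"""


def parse_stop_events(lines: Iterable[str]) -> List[dict]:
    """Keep only POSTs to the stop endpoint: actor, time, execution ID, status."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        s = STOP_RE.match(m["path"])
        if not s:
            continue
        actor = m["user"] if m["user"] != "-" else m["ip"]
        events.append({
            "actor": actor,
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "exec_id": s["exec_id"],
            "status": int(m["status"]),
        })
    return events


def analyze_stop_activity(events: List[dict], max_stops: int = 3,
                          window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Per actor: total stops, distinct executions, refused (403/404) attempts,
    and whether `max_stops` or more stops fell inside any `window`-long span.

    On a vulnerable server every stop answers 200, so burst and breadth are the
    only signals; refused attempts only show up once the instance is patched."""
    by_actor: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)
    report = {}
    for actor, evs in by_actor.items():
        times = sorted(e["ts"] for e in evs)
        burst, j = False, 0
        for i in range(len(times)):  # sliding window over sorted timestamps
            while times[i] - times[j] > window:
                j += 1
            if i - j + 1 >= max_stops:
                burst = True
                break
        report[actor] = {
            "stops": len(evs),
            "distinct_executions": len({e["exec_id"] for e in evs}),
            "denied": sum(1 for e in evs if e["status"] in (403, 404)),
            "burst": burst,
        }
    return report


def flagged_actors(report: Dict[str, dict]) -> List[str]:
    """Actors worth a look: any refused attempt, or a burst of stops."""
    return sorted(a for a, r in report.items() if r["denied"] or r["burst"])


if __name__ == "__main__":
    rep = analyze_stop_activity(parse_stop_events(SAMPLE_LOG.splitlines()))
    for actor in flagged_actors(rep):
        print(actor, rep[actor])
```

Feed it your own proxy log instead of SAMPLE_LOG and tune max_stops and window to the normal rate of manual stops on your instance; the "denied" counter is the one to alert on directly once you are on 1.99.1 or later, since legitimate stops never produce it.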

🔗 References

  • n8n security advisory GHSA-gq57-v332-7666: https://github.com/n8n-io/n8n/security/advisories/GHSA-gq57-v332-7666
