CVE-2026-25049
📋 TL;DR
This vulnerability allows authenticated users with workflow creation/modification permissions in n8n to execute arbitrary system commands on the host server by crafting malicious expressions in workflow parameters. It affects all n8n installations running versions before 1.123.17 or 2.5.2. The risk is limited to authenticated users with specific permissions.
💻 Affected Systems
- n8n
📦 What is this software?
N8n by N8n
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the n8n host server, allowing attackers to execute arbitrary commands, access sensitive data, install malware, or pivot to other systems.
Likely Case
Privilege escalation leading to unauthorized access to the host system, potentially exposing credentials, configuration files, and other sensitive information.
If Mitigated
Limited impact if proper access controls restrict workflow permissions to trusted users only, though risk remains if any user with permissions is compromised.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of workflow parameter manipulation. The advisory provides technical details but no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.123.17 or 2.5.2
Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8
Restart Required: Yes
Instructions:
1. Back up your n8n data and workflows.
2. Update n8n to version 1.123.17 (for v1) or 2.5.2 (for v2) using your package manager or deployment method.
3. Restart the n8n service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict workflow permissions
Limit workflow creation and modification permissions to only essential, trusted users.
Network segmentation
Isolate n8n instances from sensitive systems and implement strict network controls.
🧯 If You Can't Patch
- Immediately restrict workflow permissions to minimal trusted users only
- Implement strict monitoring of workflow creation/modification activities and system command execution
🔍 How to Verify
Check if Vulnerable:
Check the n8n version: if it is below 1.123.17 (for v1) or 2.5.2 (for v2), the installation is vulnerable.
Check Version:
Run n8n --version, or read the version field of package.json in the installation directory.
Verify Fix Applied:
Confirm n8n version is 1.123.17 or higher (v1) or 2.5.2 or higher (v2) after update.
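The version check above, as an added example (not code from n8n or the advisory): it classifies a version string from n8n --version against the two fixed releases named here, per release line, and treats a pre-release of the fixed version as still below the fix. Sample values are constructed.

```javascript
// Added example, not code from n8n or the advisory: classify an n8n version
// string against the fixed releases this advisory names.
// Fixed versions per release line (from the advisory): v1 -> 1.123.17, v2 -> 2.5.2.
const FIXED_BY_MAJOR = { 1: [1, 123, 17], 2: [2, 5, 2] };

// Parse "1.123.16", "n8n 1.123.16" or "2.5.2-rc.1" into a [major, minor, patch]
// triple plus a flag for a pre-release suffix (which sorts before the final release).
function parseVersion(text) {
  const m = String(text).trim().match(/(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/);
  if (!m) throw new Error(`unrecognised version string: ${text}`);
  return { triple: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// Lexicographic comparison of two [major, minor, patch] triples: -1, 0 or 1.
function compareTriples(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "vulnerable", "fixed" or "not-covered" (a major line the advisory does not name).
function assessVersion(text) {
  const { triple, prerelease } = parseVersion(text);
  const fixed = FIXED_BY_MAJOR[triple[0]];
  if (!fixed) {
    // 0.x is "before 1.123.17" and therefore affected; anything past 2.x is
    // outside the range the advisory describes, so do not claim either way.
    return triple[0] < 1 ? 'vulnerable' : 'not-covered';
  }
  const cmp = compareTriples(triple, fixed);
  // A pre-release of the fixed version (e.g. 2.5.2-rc.1) is still below the fix.
  if (cmp < 0 || (cmp === 0 && prerelease)) return 'vulnerable';
  return 'fixed';
}

// Constructed sample values standing in for `n8n --version` output on several hosts.
const SAMPLES = ['1.123.16', '1.123.17', '1.124.0', '2.4.9', '2.5.2-rc.1', '2.5.2', '0.236.0'];
for (const sample of SAMPLES) {
  console.log(sample.padEnd(12), assessVersion(sample));
}
```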
📡 Detection & Monitoring
Log Indicators:
- Unusual workflow modifications by users
- System command execution patterns in workflow logs
- Error logs related to expression parsing
Network Indicators:
- Unexpected outbound connections from n8n host
- Command and control traffic patterns
SIEM Query:
source="n8n" AND (event="workflow_modified" OR event="expression_error") | stats count by user