CVE-2026-25052
📋 TL;DR
This vulnerability in the n8n workflow automation platform allows authenticated users who hold workflow creation or modification permissions to read sensitive files from the host system. An attacker can obtain configuration data and user credentials, potentially leading to complete account takeover. All n8n instances running a 1.x release before 1.123.18 or a 2.x release before 2.5.0 are affected.
💻 Affected Systems
- n8n
📦 What is this software?
n8n, a workflow automation platform, by n8n
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all user accounts on the n8n instance, exposure of sensitive host system files, and potential lateral movement to other systems.
Likely Case
Unauthorized access to configuration files containing database credentials, API keys, and user authentication data, leading to account takeover and data exfiltration.
If Mitigated
Limited impact where workflow permissions are restricted to trusted users, the instance is network-segmented from sensitive systems, and file access by the n8n process is monitored at the host level.
🎯 Exploit Status
Exploitation requires an authenticated account with workflow creation or modification permissions, but is straightforward once an attacker holds such an account.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.123.18 (1.x line) or 2.5.0 (2.x line)
Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-gfvg-qv54-r4pc
Restart Required: Yes
Instructions:
1. Back up your n8n instance and data.
2. Update n8n to version 1.123.18 (if using version 1.x) or 2.5.0 (if using version 2.x).
3. Restart the n8n service.
4. Verify the update by confirming the running version (see How to Verify below).
🔧 Temporary Workarounds
Restrict workflow permissions (all platforms)
Temporarily remove workflow creation and modification permissions from non-essential users; the vulnerability is only reachable by accounts that hold them.
Implement file system restrictions (Linux)
Use containerization or sandboxing to limit the n8n process's view of the file system. This shields files outside the container or sandbox, but files the n8n process itself must read (its own configuration and any secrets mounted into it) remain reachable through a file-read primitive, so treat this as a reduction in exposure rather than a fix.
🧯 If You Can't Patch
- Implement strict access controls and monitor for unusual file access patterns
- Isolate n8n instances from sensitive systems and implement network segmentation
🔍 How to Verify
Check if Vulnerable:
Check the n8n version via the web interface or by examining the installed package version. Instances on a 1.x release below 1.123.18 or a 2.x release below 2.5.0 are vulnerable.
Check Version:
Check n8n web interface settings or run: npm list n8n (if installed via npm)
Verify Fix Applied:
Confirm n8n version is 1.123.18 or higher (for 1.x) or 2.5.0 or higher (for 2.x) after update.
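The version check above has two release lines with different fixed versions, so a fleet-wide check is easy to get wrong by hand. The following is an added example, not code from n8n or from the advisory: it parses a version string (as shown in the web interface or as printed by `npm list n8n`), applies the page's two thresholds, and treats pre-releases of the fixed version and release lines the page does not cover as not fixed. The inventory and the `npm list` output are constructed for illustration.

```python
"""Added example (not from n8n or the advisory): classify n8n versions against the
fixed releases named on this page, 1.123.18 for the 1.x line and 2.5.0 for 2.x."""
import re

# Fixed release per major line, taken from the advisory summary above.
FIXED_BY_MAJOR = {1: (1, 123, 18), 2: (2, 5, 0)}

# Accepts "1.123.17", "v2.4.9", "2.5.0-rc.1", "2.5.0+build7"; rejects anything else.
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text):
    """Return ((major, minor, patch), prerelease_or_None); raise ValueError on junk."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0)), pre


def n8n_status(text):
    """'vulnerable', 'fixed', or 'unknown' for a release line this page does not cover."""
    core, pre = parse_version(text)
    fixed = FIXED_BY_MAJOR.get(core[0])
    if fixed is None:
        return "unknown"
    # A pre-release of the fixed version (2.5.0-rc.1) still predates the fix.
    if core < fixed or (core == fixed and pre is not None):
        return "vulnerable"
    return "fixed"


_NPM_LINE_RE = re.compile(r"\bn8n@(\S+)")


def version_from_npm_list(output):
    """Pull the version out of `npm list n8n --depth=0` output such as '└── n8n@1.123.17'."""
    m = _NPM_LINE_RE.search(output)
    if not m:
        raise ValueError("n8n not found in npm list output")
    return m.group(1)


def audit_inventory(inventory):
    """{host: version_string} -> {host: status}; unparsable strings are reported 'unknown'."""
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = n8n_status(ver)
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    sample = {"auto-01": "1.123.17", "auto-02": "1.123.18", "auto-03": "v2.4.9",
              "auto-04": "2.5.0-rc.1", "auto-05": "2.5.0", "legacy": "0.236.0"}
    for host, status in audit_inventory(sample).items():
        print(f"{host:8s} {sample[host]:12s} {status}")
```

Anything reported as `unknown` (an unparsable string or a release line outside 1.x and 2.x) should be treated as unpatched until checked against the vendor advisory, since this summary only states thresholds for those two lines.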
📡 Detection & Monitoring
Log Indicators:
- Unusual file access by the n8n process, in particular reads of files outside its own data and install directories; this is visible only through host-level auditing of the process, not in n8n's own application logs
- Multiple failed authentication attempts followed by a successful login and workflow creation or modification by the same account
Network Indicators:
- Unusual outbound connections from n8n instance to external systems
SIEM Query (illustrative; the event and field names are placeholders to map onto your own n8n and host-audit log schema):
source="n8n" AND (event="file_access" OR event="workflow_modified") | stats count by user, file_path
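The "unusual file access by the n8n process" indicator only works if something records the process's file opens. The following is an added example, not part of the advisory or of the n8n project: it assumes a Linux auditd rule that tags opens by the n8n service user, for instance `-a always,exit -F arch=b64 -S openat,open -F uid=1000 -k n8n_file_read`, correlates each SYSCALL record with its PATH records by audit serial, and flags successful opens of paths outside an assumed allow-list, then aggregates by user and path the way the SIEM query above does. The key name, the uid, the allow-list, and the audit log lines are all constructed for this example.

```python
"""Added example (not from n8n or the advisory): flag reads by the n8n process of
files outside its expected directories, using Linux auditd records."""
import re
from collections import Counter, defaultdict

AUDIT_KEY = "n8n_file_read"   # assumed -k value on the audit rule
# Assumed allow-list for a Docker-style deployment running as the "node" user.
ALLOWED_PREFIXES = ("/home/node/.n8n/", "/usr/local/lib/node_modules/", "/usr/local/bin/",
                    "/etc/ssl/", "/etc/localtime", "/proc/self/", "/dev/", "/tmp/")

_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_SERIAL_RE = re.compile(r"audit\(([\d.]+):(\d+)\)")


def parse_record(line):
    """Split one auditd record into a dict; decode hex-encoded names; add the event serial."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"'):
            val = raw[1:-1]
        elif key == "name" and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
            # auditd hex-encodes path names containing spaces or control characters.
            val = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            val = raw
        fields[key] = val
    m = _SERIAL_RE.search(fields.get("msg", ""))
    fields["serial"] = m.group(2) if m else None
    return fields


def flagged_reads(lines):
    """Return [(serial, uid, exe, path)] for successful tagged opens outside the allow-list."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec["serial"]:
            events[rec["serial"]].append(rec)
    hits = []
    for serial, recs in events.items():
        sysc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if not sysc or sysc.get("key") != AUDIT_KEY or sysc.get("success") != "yes":
            continue   # other processes, and opens that failed (e.g. EACCES), are ignored
        for r in recs:
            # nametype=NORMAL is the opened file itself; PARENT is the containing directory.
            if r.get("type") == "PATH" and r.get("nametype") == "NORMAL":
                path = r.get("name", "")
                if not path.startswith(ALLOWED_PREFIXES):
                    hits.append((serial, sysc.get("uid"), sysc.get("exe"), path))
    return hits


def count_by_user_and_path(hits):
    """Equivalent of the page's 'stats count by user, file_path' over the flagged reads."""
    return Counter((uid, path) for _, uid, _, path in hits)


# Constructed audit log: five open() events, one of which is hex-encoded ("/opt/secret store/.env").
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=257 success=yes exit=17 a0=ffffff9c a1=5583aa0 a2=0 a3=0 items=2 ppid=1 pid=4242 uid=1000 gid=1000 euid=1000 comm="node" exe="/usr/local/bin/node" key="n8n_file_read"
type=PATH msg=audit(1700000000.101:2001): item=0 name="/home/node/.n8n/" inode=100 dev=fd:01 mode=040700 ouid=1000 ogid=1000 nametype=PARENT
type=PATH msg=audit(1700000000.101:2001): item=1 name="/home/node/.n8n/database.sqlite" inode=101 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:2002): arch=c000003e syscall=257 success=yes exit=18 a0=ffffff9c a1=5583bb0 a2=0 a3=0 items=2 ppid=1 pid=4242 uid=1000 gid=1000 euid=1000 comm="node" exe="/usr/local/bin/node" key="n8n_file_read"
type=PATH msg=audit(1700000000.102:2002): item=0 name="/etc/" inode=200 dev=fd:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1700000000.102:2002): item=1 name="/etc/shadow" inode=201 dev=fd:01 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.103:2003): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5583cc0 a2=0 a3=0 items=2 ppid=1 pid=4242 uid=1000 gid=1000 euid=1000 comm="node" exe="/usr/local/bin/node" key="n8n_file_read"
type=PATH msg=audit(1700000000.103:2003): item=1 name="/root/.ssh/id_ed25519" inode=301 dev=fd:01 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.104:2004): arch=c000003e syscall=257 success=yes exit=19 a0=ffffff9c a1=5583dd0 a2=0 a3=0 items=2 ppid=1 pid=4242 uid=1000 gid=1000 euid=1000 comm="node" exe="/usr/local/bin/node" key="n8n_file_read"
type=PATH msg=audit(1700000000.104:2004): item=1 name=2F6F70742F7365637265742073746F72652F2E656E76 inode=401 dev=fd:01 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.105:2005): arch=c000003e syscall=257 success=yes exit=20 a0=ffffff9c a1=5583ee0 a2=0 a3=0 items=2 ppid=1 pid=999 uid=0 gid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key="privileged_read"
type=PATH msg=audit(1700000000.105:2005): item=1 name="/etc/shadow" inode=201 dev=fd:01 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
"""

if __name__ == "__main__":
    hits = flagged_reads(SAMPLE_AUDIT_LOG.splitlines())
    for (uid, path), n in count_by_user_and_path(hits).items():
        print(f"uid={uid} path={path!r} count={n}")
```

Failed opens are deliberately skipped: a denied read (event 2003 above) is worth alerting on separately, but it is not evidence that data left the host. Tune the allow-list against a baseline of the process's normal opens before enabling alerting, otherwise Node's module loading will generate noise.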