CVE-2026-25053

9.9 CRITICAL

📋 TL;DR

This vulnerability in the n8n workflow automation platform allows an authenticated user with permission to create or modify workflows to execute arbitrary system commands or read arbitrary files on the host running n8n. It affects 1.x releases before 1.123.10 and 2.x releases before 2.5.0; no earlier release line contains the fix. The root cause is improper input validation of Git node parameters.

💻 Affected Systems

Products:
  • n8n
Versions: 1.x before 1.123.10; 2.x before 2.5.0 (no earlier release line contains the fix)
Operating Systems: All platforms running n8n
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated user with permission to create or modify workflows, and the Git node must be available in the workflow editor (it ships with the standard node set, hence the default configuration is affected).

📦 What is this software?

n8n is a workflow automation platform. Workflows are assembled in a browser-based editor from nodes; the Git node, which runs git operations on the n8n host, is the component affected here.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary command execution with the privileges of the n8n process, which can mean complete host takeover, theft of the credentials and data the instance holds, and lateral movement into the systems those workflows integrate with.

🟠

Likely Case

An attacker holding (or having stolen) an account with workflow permissions runs commands as the n8n service user or reads any file that user can read, and uses that to escalate privileges or reach confidential data.

🟢

If Mitigated

With workflow creation and modification restricted to trusted users, the exposure shrinks to those users abusing their legitimate access; it does not go to zero until the patch is applied.

🌐 Internet-Facing: HIGH if n8n is reachable from the internet, because any account with workflow permissions that is phished or credential-stuffed becomes a code-execution foothold on the host.
🏢 Internal Only: MEDIUM, since authenticated access with specific permissions is required, but insiders or compromised accounts can still exploit it.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but appears straightforward once an account with workflow permissions is in hand. The advisory attributes the issue to how Git node parameters are handled; no further technical details are given.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.123.10 (1.x line) or 2.5.0 (2.x line)

Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-9g95-qf3f-ggrw

Restart Required: Yes

Instructions:

1. Stop the n8n service.
2. Update n8n to 1.123.10 or later (if running 1.x) or 2.5.0 or later (if running 2.x).
3. Restart the n8n service.
4. Verify the update: confirm the running version and that existing Git node workflows still execute.

🔧 Temporary Workarounds

Disable Git node

Applies to: all platforms

Remove or disable the Git node so that no workflow can invoke it.

n8n's NODES_EXCLUDE setting takes a JSON array of node type identifiers to hide from the editor and refuse at runtime; add the Git node's identifier (n8n-nodes-base.git in the standard node package) and restart n8n. Existing workflows that use the node will stop working until the patch is applied.

Restrict workflow permissions

Applies to: all platforms

Limit which users can create or modify workflows to a small set of trusted administrators.

Use n8n's user roles and project permissions to remove workflow creation/modification from everyone else, and audit the member list afterwards.

🧯 If You Can't Patch

  • Implement strict access controls so that only a minimal set of trusted users can create or modify workflows
  • Inventory existing workflows for Git nodes (n8n export:workflow --all writes them as JSON) and review their parameters
  • Monitor audit logs for workflow modifications by unexpected users and for any Git node usage

🔍 How to Verify

Check if Vulnerable:

Check the n8n version: a 1.x release below 1.123.10, or a 2.x release below 2.5.0, is vulnerable. Any release line older than 1.x is unfixed as well.

Check Version:

Run n8n --version, or read the version field of package.json in the n8n installation directory.

Verify Fix Applied:

After updating, confirm the reported version is 1.123.10 or higher (1.x) or 2.5.0 or higher (2.x), then run an existing workflow that uses the Git node to confirm it still completes.
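The version comparison above is easy to get wrong by hand because the fixed version differs per release line (a 2.4.x install is vulnerable even though 2.4 is numerically "newer" than 1.123.10). The following script is an added example, not code from the page or from the n8n project: it parses a version string, decides vulnerability per release line, and optionally reads the installed version from the real n8n CLI's --version flag. The exact output format of n8n --version is an assumption; the regex accepts either a bare "1.123.9" or an "n8n/1.123.9 ..." style string.

```python
"""Decide whether an n8n version is affected by CVE-2026-25053.
Added example; fixed versions are taken from the vendor advisory."""
import re
import subprocess

# First non-vulnerable version on each release line that received the fix.
FIXED = {1: (1, 123, 10), 2: (2, 5, 0)}


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from strings such as '1.123.9' or
    'n8n/2.4.3 linux-x64 node-v22.11.0' (assumed CLI output shapes).
    Pre-release suffixes after the patch number are ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix on its own release line.
    Release lines older than the oldest fixed line (e.g. 0.x) never
    received the fix and are treated as vulnerable; lines newer than the
    newest fixed line are treated as fixed."""
    v = parse_version(version)
    major = v[0]
    if major in FIXED:
        return v < FIXED[major]
    return major < min(FIXED)


def installed_version():
    """Run `n8n --version` and return its output, or None when the n8n
    binary is not on PATH or does not answer in time."""
    try:
        out = subprocess.run(["n8n", "--version"], capture_output=True,
                             text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    reported = installed_version()
    if reported is None:
        print("n8n CLI not found; pass the package.json version to is_vulnerable()")
    else:
        state = "VULNERABLE" if is_vulnerable(reported) else "fixed"
        print(f"n8n {reported}: {state}")
```

Run it on the n8n host (or feed it the package.json version when the CLI is not on PATH); a "VULNERABLE" result means the instance needs the 1.123.10 / 2.5.0 update or one of the workarounds above.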

📡 Detection & Monitoring

Log Indicators:

  • Unusual Git node usage patterns
  • Workflow modifications by non-admin users
  • Commands executed via workflow that appear suspicious

Network Indicators:

  • Unexpected outbound connections from n8n host
  • Git operations to unusual repositories

SIEM Query:

source="n8n" AND (event="workflow_modified" OR event="node_executed") AND node_type="git"

The field and event names above are illustrative; map them to the event names and fields your n8n log forwarding actually emits before relying on the query.
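Where audit logging is not forwarded, the workflow definitions themselves are the most reliable record of Git node usage. The script below is an added example (not from the page or the n8n project) that scans exported workflow JSON for Git nodes and flags parameter strings worth a manual look; it serves both the "inventory existing workflows" step under If You Can't Patch and the Git node usage indicator in this section. Assumptions: the Git node's type identifier is n8n-nodes-base.git, exports follow the usual name/nodes/parameters layout, and the review heuristic (shell metacharacters, newlines, or a leading dash) is a generic code-review rule, not the advisory's exact trigger condition. The embedded workflows are constructed samples.

```python
"""Inventory Git nodes in exported n8n workflows and flag parameters that
merit review. Added example; produce real input with
`n8n export:workflow --all --output=<dir>`."""
import json
import re
from pathlib import Path

GIT_NODE_TYPE = "n8n-nodes-base.git"  # assumed type identifier of the Git node

# Review heuristic only: shell metacharacters, newlines, or a value starting
# with '-' (which git may read as an option rather than a path/URL).
SUSPICIOUS = re.compile(r"[;&|`$<>\n]|^\s*-")


def iter_strings(obj):
    """Yield every string nested anywhere inside a node's parameters."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from iter_strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from iter_strings(value)


def find_git_nodes(workflow: dict) -> list:
    """One finding per Git node: workflow name, node name, and the
    parameter strings matching the review heuristic (empty list if none)."""
    findings = []
    for node in workflow.get("nodes", []):
        if node.get("type") != GIT_NODE_TYPE:
            continue
        values = list(iter_strings(node.get("parameters", {})))
        findings.append({
            "workflow": workflow.get("name", "<unnamed>"),
            "node": node.get("name", "<unnamed>"),
            "suspicious": [v for v in values if SUSPICIOUS.search(v)],
        })
    return findings


def scan_workflows(workflows: list) -> list:
    """Scan a list of workflow dicts."""
    findings = []
    for workflow in workflows:
        findings.extend(find_git_nodes(workflow))
    return findings


def scan_directory(path: str) -> list:
    """Scan every *.json file in an export directory; each file may hold
    one workflow object or a list of them."""
    workflows = []
    for file in sorted(Path(path).glob("*.json")):
        with open(file, encoding="utf-8") as fh:
            data = json.load(fh)
        workflows.extend(data if isinstance(data, list) else [data])
    return scan_workflows(workflows)


# Constructed sample workflows, not real exports.
SAMPLE_WORKFLOWS = [
    {"name": "nightly-backup",
     "nodes": [{"name": "Clone", "type": GIT_NODE_TYPE,
                "parameters": {"operation": "clone",
                               "sourceRepository": "https://git.example.internal/ops/backup.git",
                               "repositoryPath": "/data/backup"}}]},
    {"name": "report-mailer",
     "nodes": [{"name": "Send", "type": "n8n-nodes-base.emailSend",
                "parameters": {}}]},
    {"name": "odd-one",
     "nodes": [{"name": "Git", "type": GIT_NODE_TYPE,
                "parameters": {"operation": "log",
                               "repositoryPath": "/tmp/x; id > /tmp/pwned"}}]},
]

if __name__ == "__main__":
    for finding in scan_workflows(SAMPLE_WORKFLOWS):
        flag = "REVIEW" if finding["suspicious"] else "ok"
        print(f"[{flag}] {finding['workflow']} / {finding['node']}: "
              f"{finding['suspicious']}")
```

Point scan_directory at the export directory in a scheduled job and diff the findings against the previous run: a new Git node, or a changed parameter on an existing one, is exactly the "unusual Git node usage" this section asks you to watch for, and the REVIEW flag narrows the manual work to values that look like injection attempts.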
