CVE-2026-25055 – This vulnerability in n8n workflow automation p... (How to Fix)

Q: What is the severity of CVE-2026-25055?

CVE-2026-25055 has a CVSS score of 8.1 (HIGH). This vulnerability in n8n workflow automation platform allows attackers to write files to unintended locations on remote systems via SSH nodes, potentially leading to remote code execution. It affects n8n instances with workflows that process uploaded files and transfer them via SSH without metadata validation. Attackers need knowledge of such workflows and unauthenticated file upload endpoints.

📋 TL;DR

This vulnerability in n8n workflow automation platform allows attackers to write files to unintended locations on remote systems via SSH nodes, potentially leading to remote code execution. It affects n8n instances with workflows that process uploaded files and transfer them via SSH without metadata validation. Attackers need knowledge of such workflows and unauthenticated file upload endpoints.

💻 Affected Systems

Products:

n8n

Versions: All versions prior to 1.123.12 and 2.4.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires workflows with file upload processing and SSH node transfers. File upload endpoints must be unauthenticated for exploitation.

📦 What is this software?

N8n by N8n

View all CVEs affecting N8n →

N8n by N8n

View all CVEs affecting N8n →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution on remote systems connected via SSH, allowing complete compromise of those systems.

🟠

Likely Case

Unauthorized file writes to sensitive locations on remote systems, potentially leading to data exposure or system disruption.

🟢

If Mitigated

Limited impact with proper authentication on file upload endpoints and workflow validation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires knowledge of vulnerable workflows and unauthenticated upload endpoints. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.123.12 or 2.4.0

Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9

Restart Required: Yes

Instructions:

1. Update n8n to version 1.123.12 (for v1.x) or 2.4.0 (for v2.x). 2. Restart the n8n service. 3. Verify workflows using SSH nodes with file transfers are functioning correctly.

🔧 Temporary Workarounds

Require authentication on file upload endpoints

all

Ensure all endpoints accepting file uploads require proper authentication

Disable or restrict SSH node usage

all

Temporarily disable workflows using SSH nodes for file transfers

🧯 If You Can't Patch

Implement strict authentication on all file upload endpoints
Audit and disable workflows using SSH nodes for file transfers without proper validation

🔍 How to Verify

Check if Vulnerable:

Check n8n version and review workflows for SSH nodes processing uploaded files

Check Version:

n8n --version or check package.json version

Verify Fix Applied:

Confirm n8n version is 1.123.12 or higher (v1.x) or 2.4.0 or higher (v2.x)

📡 Detection & Monitoring

Log Indicators:

Unusual file upload patterns
SSH node errors with file operations
Unauthenticated access to upload endpoints

Network Indicators:

Unexpected SSH connections from n8n server
File transfers to unusual locations

SIEM Query:

source="n8n" AND (event="file_upload" OR event="ssh_transfer") AND status="success" AND user="unauthenticated"

📊 Metadata

CVE ID: CVE-2026-25055

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-22

EPSS Score: 0.11% exploit probability (29.7th percentile)

Published: February 4, 2026

Last Updated: February 5, 2026

🔗 References

https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-25055, you might also want to check these: