CVE-2026-25056
📋 TL;DR
This vulnerability in n8n's Merge node allows authenticated users with workflow creation/modification permissions to write arbitrary files to the server filesystem, potentially leading to remote code execution. It affects n8n installations before versions 1.118.0 and 2.4.0. Only users with workflow permissions are affected, not all authenticated users.
💻 Affected Systems
- n8n
📦 What is this software?
N8n by N8n
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, allowing an attacker to execute arbitrary commands, access sensitive data, and pivot to other systems.
Likely Case
File system manipulation leading to data exfiltration, privilege escalation, or persistence mechanisms being established.
If Mitigated
Limited impact due to proper access controls and network segmentation, potentially only affecting isolated workflow automation data.
🎯 Exploit Status
Exploitation requires understanding of n8n workflow creation and SQL query manipulation. No public exploit code available at advisory publication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.118.0 or 2.4.0
Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-hv53-3329-vmrm
Restart Required: Yes
Instructions:
1. Back up your n8n instance and data.
2. Update n8n to version 1.118.0 or 2.4.0 using your package manager or deployment method.
3. Restart the n8n service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict workflow permissions
Temporarily remove workflow creation/modification permissions from non-essential users until patching is complete.
Network isolation
Restrict network access to the n8n instance to trusted IP addresses or internal networks only.
🧯 If You Can't Patch
- Implement strict access controls to limit workflow creation/modification permissions to essential personnel only.
- Monitor for suspicious file write operations in n8n logs and server filesystem activity.
🔍 How to Verify
Check if Vulnerable:
Check the n8n version via the web interface or the command line. If the version is below 1.118.0 (for v1) or 2.4.0 (for v2), the system is vulnerable.
Check Version:
Run npx n8n --version, or read the version field of package.json in the installation directory.
Verify Fix Applied:
Confirm that the n8n version is 1.118.0 or higher (v1) or 2.4.0 or higher (v2) after the update.
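The version check described above, as an added POSIX shell helper that is not part of the advisory or of n8n: it classifies a version string against the two fixed releases (1.118.0 for the 1.x line, 2.4.0 for the 2.x line), and with --check queries the local install, assuming that n8n --version (or npx n8n --version) prints only the version number.

```shell
# Added helper (not from the advisory): decide whether an n8n version string
# predates the fixed releases 1.118.0 (1.x line) and 2.4.0 (2.x line).

# Normalise "v1.118.0-rc.1" to "1 118 0" (major minor patch) on stdout;
# returns 1 when the argument is not a dotted numeric version.
split_version() {
    v=${1#v}; v=${v%%-*}; v=${v%%+*}      # strip "v" prefix, pre-release and build tags
    case "$v" in *[!0-9.]*|"") return 1 ;; esac
    major=${v%%.*}; minor=0; patch=0
    case "$v" in
        *.*.*) minor=${v#*.}; patch=${minor#*.}; minor=${minor%%.*}; patch=${patch%%.*} ;;
        *.*)   minor=${v#*.} ;;
    esac
    echo "$major $minor $patch"
}

# Returns 0 when version $1 is greater than or equal to version $2.
version_ge() {
    set -- $(split_version "$1") $(split_version "$2")
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# Prints "fixed" (exit 0), "vulnerable" (exit 1) or "unknown" (exit 2).
# Only the 1.x and 2.x lines the advisory names are classified.
n8n_vuln_status() {
    parts=$(split_version "$1") || { echo unknown; return 2; }
    case "${parts%% *}" in
        1) fixed=1.118.0 ;;
        2) fixed=2.4.0 ;;
        *) echo unknown; return 2 ;;
    esac
    if version_ge "$1" "$fixed"; then echo fixed; return 0; fi
    echo vulnerable; return 1
}

# Query the local installation as the advisory suggests. Assumes that
# "n8n --version" (or "npx n8n --version") prints only the version number.
n8n_check_live() {
    ver=$(n8n --version 2>/dev/null || npx n8n --version 2>/dev/null) || return 2
    printf 'n8n %s: ' "$ver"
    n8n_vuln_status "$ver"
}

# Only touch the running install when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then n8n_check_live; fi
```

Run it as `sh check.sh --check` on the host, or source it and call n8n_vuln_status with a version read from package.json.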
📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations in n8n logs
- Suspicious SQL queries in Merge node operations
- Multiple failed workflow modification attempts
Network Indicators:
- Unexpected outbound connections from n8n server
- File transfer patterns from n8n instance
SIEM Query:
source="n8n" AND ("file write" OR "Merge node" OR "SQL query")