A significant security flaw has been identified in the n8n workflow automation platform, potentially allowing attackers to execute arbitrary system commands. The vulnerability, tracked as CVE-2026-25049 with a CVSS score of 9.4, stems from insufficient sanitization that undermines the safeguards introduced to fix CVE-2025-68613, which had a CVSS score of 9.9.
Details of the Vulnerability
The n8n team has acknowledged the flaw in their recent advisory, stating that an authenticated user with specific permissions could abuse crafted expressions in workflow parameters, leading to unintended command execution on the n8n host. Versions below 1.123.17 and 2.5.2 are affected, and the fixes are available in 1.123.17 and 2.5.2 respectively.
The vulnerability was brought to light by several security researchers, including Fatih Çelik, who had previously reported CVE-2025-68613, alongside experts from Endor Labs, Pillar Security, and SecureLayer7. Çelik noted that the vulnerability acts as a bypass for the initial fix, enabling attackers to circumvent the expression sandbox mechanism in n8n.
Implications of the Flaw
SecureLayer7’s analysis reveals that an attacker could craft a workflow that uses a publicly accessible webhook with no authentication to execute system-level commands. Exploitation allows an attacker to compromise servers, steal credentials, and access sensitive data, and can lead to persistent backdoors for ongoing access.
Pillar Security further elaborates that the flaw could enable attackers to steal API keys, cloud provider credentials, database passwords, and OAuth tokens, while also accessing internal systems and hijacking AI workflows. Such attacks are feasible for any attacker who can create a workflow, which underscores how easy exploitation is.
Preventive Measures and Recommendations
Endor Labs traces the vulnerability to mismatches between TypeScript’s compile-time type system and JavaScript’s runtime behavior, which allow attackers to bypass sanitization checks. For those unable to patch immediately, the recommendation is to restrict workflow creation to trusted users and to deploy n8n in a secure, limited-access environment.
The vulnerability shows why proper validation layers are crucial. However strong TypeScript’s types are, runtime checks are still necessary when handling untrusted input. Security experts suggest reviewing code for assumptions about input types that are not enforced at runtime.
The importance of addressing this vulnerability cannot be overstated, as it demonstrates the need for comprehensive security measures in automated workflow environments. Staying informed and applying recommended security practices is vital to mitigate potential threats.
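The general class of mistake described above, shown as an added example that is not n8n's code: a guard that trusts a `string` annotation beside one that checks the type at runtime. The record, the blocked-key list and all function names are constructed for illustration.

```typescript
// Constructed sample data: one public field and one sensitive field.
const settings: Record<string, string> = {
  displayName: "build-bot",
  apiKey: "CONSTRUCTED-SAMPLE-SECRET",
};

const BLOCKED_KEYS = new Set<string>(["apiKey"]);

// Weak guard: the `string` annotation is erased when TypeScript compiles,
// so nothing stops a non-string value from reaching this code at runtime.
function readUnchecked(key: string): string | undefined {
  // Set.has compares objects by identity, so an array never matches "apiKey".
  if (BLOCKED_KEYS.has(key)) return undefined;
  // Property access coerces the key to a string: ["apiKey"] becomes "apiKey".
  return settings[key];
}

// Hardened guard: accept `unknown`, verify the type at runtime, then apply
// the same block list and only return the record's own properties.
function readChecked(key: unknown): string | undefined {
  if (typeof key !== "string") return undefined;
  if (BLOCKED_KEYS.has(key)) return undefined;
  return Object.prototype.hasOwnProperty.call(settings, key)
    ? settings[key]
    : undefined;
}

// Untrusted input as it would arrive in a JSON body. JSON.parse returns `any`,
// so the compiler accepts the result wherever a `string` is expected.
function parseUntrustedKey(json: string): any {
  return JSON.parse(json).key;
}

const stringKey = parseUntrustedKey('{"key": "apiKey"}');  // a real string
const arrayKey = parseUntrustedKey('{"key": ["apiKey"]}'); // an array at runtime

console.log("unchecked, string key:", readUnchecked(stringKey));
console.log("unchecked, array key: ", readUnchecked(arrayKey));
console.log("checked, array key:   ", readChecked(arrayKey));
console.log("checked, public key:  ", readChecked("displayName"));
```

When reviewing for this pattern, look for values that enter as `any` (parsed JSON, request bodies, expression results) and flow into parameters whose declared type the validation logic silently relies on.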
