Summary
CVE-2026-25049 is a critical n8n flaw letting authenticated users escape the JavaScript sandbox to run arbitrary commands. It can give full server control, access to credentials, files, and workflows. Fixed in versions 1.123.17 and 2.5.2—update immediately and rotate credentials.
Urgent Actions Required
- Update n8n to versions 1.123.17 or 2.5.2 immediately.
- Rotate the N8N_ENCRYPTION_KEY and all stored credentials.
- Limit workflow creation and editing to trusted users.
- Review workflows for unusual JavaScript, especially code accessing system properties or using bracket notation.
- Run n8n in isolated environments with minimal privileges and restricted network access if immediate patching is not possible.
Which Systems Are Vulnerable to CVE-2026-25049?
Technical Overview
- Vulnerability Type: Sandbox Escape and Remote Code Execution via Workflow Expression Injection
- Affected Software/Versions:
- n8n versions prior to 1.123.17
- n8n versions prior to 2.5.2
- CVSS Vector: v4.0
- Attack Vector (AV): Network
- Attack Complexity (AC): Low
- Attack Requirements (AT): None
- Privileges Required (PR): Low
- User Interaction (UI): None
- Vulnerable System Confidentiality (VC): High
- Vulnerable System Integrity (VI): High
- Vulnerable System Availability (VA): High
- Subsequent System Confidentiality (SC): High
- Subsequent System Integrity (SI): High
- Subsequent System Availability (SA): High
- Patch Availability: Yes, available
Expression Escape Vulnerability Leading to RCE · Advisory · n8n-io/n8n · GitHub
How Does the CVE-2026-25049 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2026-25049?
Vulnerability Root Cause:
CVE-2026-25049 is caused by flaws in n8n’s sandbox, allowing authenticated users to run arbitrary code and fully compromise the server.
How Can You Mitigate CVE-2026-25049?
If immediate patching is delayed or not possible:
- Restrict workflow creation and modification privileges to trusted users only.
- Audit and delete workflows with suspicious JavaScript, especially using bracket notation or system objects.
- Rotate the N8N_ENCRYPTION_KEY and regenerate all stored credentials to prevent misuse.
- Operate n8n in an isolated environment with minimal system privileges and limited network access.
- Continuously monitor workflow changes and execution logs for unexpected behavior or command execution patterns.
Which Assets and Systems Are at Risk?
- Asset Types Affected:
- n8n automation servers running versions prior to 1.123.17 and 2.5.2
- Workflow environments where users can create or modify JavaScript expressions
- Systems storing API keys, OAuth tokens, or other credentials within n8n
- Business-Critical Systems at Risk:
- Automation platforms connecting to sensitive systems like SaaS APIs or internal services
- Environments managing stored credentials used for thirdparty access
- AI-driven or automated workflows that execute server-side logic
- Exposure Level:
- Internet-accessible n8n instances where authenticated users can edit workflows
- Self-hosted deployments running with elevated system privileges
- Environments where n8n has access to internal networks, files, or connected services
Will Patching CVE-2026-25049 Cause Downtime?
Patch application impact: Low. Upgrading to n8n 1.123.17 or 2.5.2 typically requires just a service restart, causing minimal downtime.
Mitigation (if immediate patching is not possible): Limit workflow editing to trusted users, rotate credentials and N8N_ENCRYPTION_KEY, and run n8n with restricted privileges. These reduce risk but do not fully fix the vulnerability.
How Can You Detect CVE-2026-25049 Exploitation?
Exploitation Signatures:
Monitor for workflows containing unusual or unexpected JavaScript expressions, especially those attempting to access the constructor or the Function object. Look for expression nodes that interact with system-level modules like child_process or attempt file access (e.g., /etc/passwd).
Indicators of Compromise (IOCs/IOAs):
- Execution of workflows with object-based payloads bypassing sanitization
- Unexpected system command executions or file reads originating from n8n workflow nodes
- Abnormal network requests or AI workflow outputs altered by automated workflows
Behavioral Indicators:
- Workflows executing expressions that should be blocked by sanitization or AST validation
- Sudden access to local files, internal services, or stored credentials via workflow nodes
- Changes in workflow behavior without manual updates
Alerting Strategy:
- Priority: Critical
- Trigger alerts for:
- Expression nodes accessing the constructor, Function, or system modules.
- Workflows performing OS-level commands or unauthorized file access.
- Anomalous AI or automation workflow outputs.
Remediation & Response
- Remediation Timeline:
- Immediate (0–2 hrs): Limit workflow edits to trusted admins and isolate n8n instances.
- Within 8 hrs: Update n8n to 1.123.17 or 2.5.2 to fix the vulnerability.
- Within 24 hrs: Rotate all credentials and ensure all n8n instances are updated.
- Rollback Plan:
- If upgrading causes issues, revert to the previous stable version and maintain strict workflow creation restrictions.
- Document rollback actions, including versions, timestamps, and responsible personnel.
- Incident Response Considerations:
- Isolate affected n8n instances to prevent further unauthorized system command execution.
- Collect workflow logs, webhook triggers, and node execution traces to investigate potential compromise.
- Review workflows for suspicious expressions or unexpected system-level commands.
- After patching, monitor for abnormal workflow activity and enforce runtime type validation in custom nodes.
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 9.4 | Critical severity indicating high impact and exploitability |
| Attack Vector | Network | Exploitable remotely over the network without local access |
| Attack Complexity | Low | Exploit does not require special conditions; straightforward |
| Attack Requirements | None | No special conditions or prerequisites needed beyond access to workflow creation/editing |
| Privileges Required | Low | Requires a user account with permission to create or modify workflows |
| User Interaction | None | No end-user action needed to trigger the exploit |
| Vulnerable System Confidentiality | High | Exploit can disclose sensitive information, including stored credentials |
| Vulnerable System Integrity | High | Exploit allows arbitrary code execution and modification of workflows or system files |
| Vulnerable System Availability | High | Exploit can compromise server availability and system operations |
| Subsequent System Confidentiality | High | Exploit can lead to the disclosure of data in connected systems and services |
| Subsequent System Integrity | High | Exploit can impact the integrity of downstream services, workflows, or AI tasks |
| Subsequent System Availability | High | Exploit can affect the availability of connected systems or automation workflows |
References:
