Critical n8n Expression Sandbox Escape Leading to Authenticated RCE (CVE-2026-25049)
A critical remote code execution issue in the n8n open-source workflow automation platform, tracked as CVE-2026-25049 (also published as GHSA-6cqr-8cfr-67f8), allows an authenticated user with permission to create or modify workflows to escape n8n’s expression sandbox and execute arbitrary system commands on the underlying host. The flaw stems from insufficient input sanitization/weak sandboxing in n8n’s expression evaluation (server-side JavaScript) and was identified during follow-up analysis after an earlier critical n8n vulnerability (CVE-2025-68613) was patched; researchers report the new issue effectively bypasses prior mitigations.
Reporting indicates exploitation can lead to full compromise of the n8n instance, including access to the filesystem and the ability to steal stored credentials and secrets (e.g., API keys, OAuth tokens) and sensitive configuration, with potential for pivoting into connected internal services and cloud accounts in multi-tenant deployments. Reporting also notes that public exploits are available. n8n maintainers state the issue is patched, and affected organizations should upgrade to the fixed releases (1.123.17 and 2.5.2), as all versions prior to 1.123.17 and 2.5.2 are impacted.
Timeline
Feb 7, 2026
Nuclei detection template for CVE-2026-25049 is proposed
A pull request was opened in the ProjectDiscovery nuclei-templates repository to add a detection template for CVE-2026-25049. The template checks exposed n8n instances for vulnerable versions by parsing version information from the /signin page and comparing it against the fixed releases.
Feb 6, 2026
Researchers disclose three critical n8n flaws including CVE-2026-25049
Security reporting highlighted a broader set of three critical n8n vulnerabilities—CVE-2026-25053, CVE-2026-25056, and CVE-2026-25049—affecting the Git node, Merge node, and expression engine. The flaws could allow authenticated workflow editors to read or write files and achieve host takeover, prompting calls for immediate upgrades.
Feb 5, 2026
n8n warns of 11 additional vulnerabilities beyond CVE-2026-25049
Alongside the CVE-2026-25049 disclosure, n8n issued alerts for 11 other vulnerabilities, including critical issues involving command injection, file access races, sandbox escapes, and XSS. Fixed versions were provided for the affected branches.
Feb 5, 2026
Public exploit techniques and PoCs for CVE-2026-25049 are published
Researchers published technical write-ups and proof-of-concept exploitation methods showing how crafted workflow expressions could escape n8n's sandbox using techniques such as access to the Node.js global object and the Function constructor. Reports also highlighted that public webhooks could make exploitation easier once a malicious workflow is in place.
Feb 4, 2026
n8n releases fixes for CVE-2026-25049
n8n released patched versions 1.123.17 and 2.5.2 to address CVE-2026-25049 and urged users to update immediately. The company also recommended restricting workflow permissions, hardening deployments, and rotating encryption keys and credentials after patching.
Feb 4, 2026
n8n discloses CVE-2026-25049 in a GitHub security advisory
n8n publicly disclosed CVE-2026-25049 via GitHub Security Advisory GHSA-6cqr-8cfr-67f8, describing a critical sandbox-escape flaw in workflow expressions that can lead to remote code execution. The advisory said affected versions were all releases before 1.123.17 and 2.5.2.
Feb 4, 2026
Researchers identify CVE-2026-25049 as a bypass of the prior n8n fix
Multiple researchers and vendors, including Pillar Security, Endor Labs, SecureLayer7, and Fatih Çelik, identified new sandbox-escape techniques in n8n's expression engine that allowed authenticated workflow editors to achieve host command execution. Their work showed the issue was a bypass of the earlier CVE-2025-68613 mitigation.
Dec 1, 2025
n8n patches CVE-2025-68613 in December 2025
n8n patched the earlier critical expression-evaluation flaw CVE-2025-68613 in December 2025. Later reporting said CVE-2026-25049 was discovered during follow-up work and bypassed protections added in that fix.
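The Nuclei template described in the timeline compares a discovered n8n version against the two fixed releases (1.123.17 on the 1.x branch, 2.5.2 on the 2.x branch). The following is an added example, not code from n8n, ProjectDiscovery or any of the cited researchers, of the same branch-aware check written as a stand-alone triage helper; the inventory list and the assumption that 0.x releases predate every fix are constructed for illustration.

```python
"""Branch-aware check of n8n version strings against the CVE-2026-25049
fixed releases named in the advisory (1.123.17 and 2.5.2).
Added example; not part of n8n or the Nuclei template."""
import re
from typing import Dict, Iterable, Optional, Tuple

# Fixed release per major branch, taken from the advisory text on this page.
FIXED_RELEASES: Dict[int, Tuple[int, int, int]] = {
    1: (1, 123, 17),
    2: (2, 5, 2),
}

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first x.y.z triple from arbitrary text such as a version
    banner. A pre-release suffix (e.g. '-rc.1') is ignored for comparison."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)

def is_vulnerable(version: str) -> Optional[bool]:
    """True when the version precedes the fixed release of its own branch.
    Returns None when no version can be parsed from the input."""
    v = parse_version(version)
    if v is None:
        return None
    major = v[0]
    if major in FIXED_RELEASES:
        return v < FIXED_RELEASES[major]
    # Assumption: 0.x predates every fixed release; any later major (3+)
    # is treated as carrying the fix.
    return major < min(FIXED_RELEASES)

def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each reported version to an upgrade-checklist status."""
    labels = {True: "UPGRADE", False: "patched", None: "unknown"}
    return {v: labels[is_vulnerable(v)] for v in versions}

if __name__ == "__main__":
    # Constructed sample inventory; not real hosts or observed versions.
    sample = ["1.123.16", "1.123.17", "2.5.1", "2.5.2", "2.10.1", "0.211.0", "n/a"]
    for ver, status in triage(sample).items():
        print(f"{ver:>10}  {status}")
```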
Related Stories
Critical Remote Code Execution Vulnerabilities in n8n Workflow Automation Platform
A critical vulnerability, CVE-2025-68613, has been discovered in the n8n open-source workflow automation platform, allowing authenticated users with workflow creation or editing permissions to execute arbitrary system commands on the underlying server. This flaw, rated 9.9 on the CVSS scale, stems from improper sandboxing of JavaScript expressions within workflow definitions, enabling attackers to escape restrictions and gain system-level access. The vulnerability does not require administrative privileges, making it a significant risk in environments with multiple users or weak access controls, and could lead to full system compromise, data exfiltration, workflow sabotage, and lateral movement. Another related vulnerability, CVE-2025-68668, also enables sandbox escape in n8n, turning workflows into potential attack vectors. Both vulnerabilities highlight the urgent need for organizations using n8n to review user permissions, apply available patches, and implement strong access controls to mitigate the risk of exploitation. While there is no current evidence of active exploitation, the ease of attack and the platform's popularity make immediate remediation essential.
1 month ago
Multiple n8n Vulnerabilities Enable RCE, Sandbox Escapes, and Stored XSS
Security researchers and CVE disclosures reported multiple vulnerabilities in the *n8n* workflow automation platform that can enable **remote code execution (RCE)**, **sandbox escapes**, and **stored XSS** under various conditions. Akamai highlighted exploitation interest from **Zerobot** targeting n8n via **CVE-2025-68613**, a critical expression-evaluation sandboxing failure affecting versions `0.211.0` through `1.20.4` (and `1.21.1`/`1.22.0`), where a logged-in (non-admin) user could break out of the expression context to execute arbitrary code, read/write server files, steal environment variables (e.g., API keys), and establish persistence; a public PoC was noted as available. Subsequent advisories describe additional n8n flaws patched after the earlier expression-sandbox issue, generally requiring an authenticated user who can create/modify workflows, except where noted. **CVE-2026-27577** covers further expression-evaluation abuse leading to host command execution; **CVE-2026-27495** describes a **JavaScript Task Runner** sandbox escape that can lead to full host compromise when internal runners are used (enabled via `N8N_RUNNERS_ENABLED=true`), with external runner mode (`N8N_RUNNERS_MODE=external`) reducing blast radius; **CVE-2026-27497** describes potential RCE and arbitrary file write via the **Merge node** in SQL query mode; and **CVE-2026-27578** describes **stored XSS** across multiple nodes (e.g., Webhook/Form/Chat-related nodes) enabling session hijacking/account takeover when victims view affected pages. **CVE-2026-27493** adds a second-order, potentially **unauthenticated** expression injection path via **Form nodes** (triggered by crafted input beginning with `=` under specific workflow configurations) that can escalate to RCE only when chained with a separate sandbox escape. 
Fixes are reported in n8n `2.10.1` (and, depending on branch, `2.9.3` / `1.123.22`), with interim mitigations including restricting workflow edit permissions and disabling specific nodes via `NODES_EXCLUDE` (e.g., `n8n-nodes-base.webhook`, `n8n-nodes-base.merge`, `n8n-nodes-base.form`, `n8n-nodes-base.formTrigger`).
1 month ago
Authenticated Sandbox-Escape RCE Vulnerabilities in n8n Workflow Automation
JFrog researchers disclosed two vulnerabilities in the *n8n* workflow automation platform that allow an **authenticated** attacker to escape built-in sandboxes and achieve **remote code execution (RCE)** on the main n8n node, potentially leading to full instance compromise and access to sensitive connected systems (e.g., APIs, credentials, and internal tooling). The issues are tracked as **CVE-2026-1470** (CVSS **9.9**) and **CVE-2026-0863** (CVSS **8.5**); exploitation is possible even in configurations where n8n runs in “internal” execution mode, which n8n documentation already warns is risky for production due to weaker isolation between the application and task runner processes. Technical details indicate both flaws are sandbox escapes driven by language/runtime edge cases: **CVE-2026-1470** abuses JavaScript expression sandboxing (including `with`-statement handling) to resolve a constructor path to `Function` and execute arbitrary JavaScript, while **CVE-2026-0863** escapes the Python task executor sandbox via Python introspection and runtime behavior (notably Python 3.10+ `AttributeError.obj`) to regain access to restricted builtins/imports and execute OS commands. Recommended remediation is to upgrade n8n to fixed versions (for **CVE-2026-1470**: `1.123.17`, `2.4.5`, or `2.5.1`; for **CVE-2026-0863**: `1.123.14`, `2.3.5`, or `2.4.2`).
1 month ago