anonhaven
Ad

CVE-2026-25049

CRITICAL CVSS 4.0: 9.4 EPSS 0.04%
Updated Feb 05, 2026
N8N
Parameter Value
CVSS 9.4 (CRITICAL)
Affected Versions 2.0.0 — 2.5.2
Fixed In 1.123.17
Type CWE-913
Vendor N8N
Public PoC No

n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v4.0

Weakness Type (CWE)

CWE-913

Vulnerable Products 2

Configuration From (including) Up to (excluding)
N8n N8n
cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
 1.123.17
N8n N8n
cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
 2.0.0 2.5.2

References 3

https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d
security-advisories@github.com
https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b
security-advisories@github.com
https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-25115

N8N

9.4

CVE-2026-25056

N8N

9.4

CVE-2026-25055

N8N

7.1

CVE-2026-25054

N8N

8.5

CVE-2026-25053

N8N

9.4