HomeSample Page
Cyber Security

Sample Page Title

admin_kiran
By admin_kiran
0
1
Vital n8n Flaw CVE-2026-25049 Allows System Command Execution through Malicious Workflows


Vital n8n Flaw CVE-2026-25049 Allows System Command Execution through Malicious Workflows

A brand new, essential safety vulnerability has been disclosed within the n8n workflow automation platform that, if efficiently exploited, might consequence within the execution of arbitrary system instructions.

The flaw, tracked as CVE-2026-25049 (CVSS rating: 9.4), is the results of insufficient sanitization that bypasses safeguards put in place to deal with CVE-2025-68613 (CVSS rating: 9.9), one other essential defect that was patched by n8n in December 2025.

“Extra exploits within the expression analysis of n8n have been recognized and patched following CVE-2025-68613,” n8n’s maintainers stated in an advisory launched Wednesday.

“An authenticated person with permission to create or modify workflows might abuse crafted expressions in workflow parameters to set off unintended system command execution on the host working n8n.”

The problem impacts the next variations –

  • <1.123.17 (Mounted in 1.123.17)
  • <2.5.2 (Mounted in 2.5.2)

As many as 10 safety researchers, together with Fatih Çelik, who reported the unique bug CVE-2025-68613, in addition to Endor Labs’ Cris Staicu, Pillar Safety’s Eilon Cohen, and SecureLayer7’s Sandeep Kamble, have been acknowledged for locating the shortcoming.

In a technical deep-dive expounding CVE-2025-68613 and CVE-2026-25049, Çelik stated “they might be thought-about the identical vulnerability, as the second is only a bypass for the preliminary repair,” including how they permit an attacker to flee the n8n expression sandbox mechanism and get round safety checks.

“An attacker creates a workflow with a publicly accessible webhook that has no authentication enabled,” SecureLayer7 stated. “By including a single line of JavaScript utilizing destructuring syntax, the workflow may be abused to execute system-level instructions. As soon as uncovered, anybody on the web can set off the webhook and run instructions remotely.”

Profitable exploitation of the vulnerability might permit an attacker to compromise the server, steal credentials, and exfiltrate delicate knowledge, to not point out open up alternatives for risk actors to put in persistent backdoors to facilitate long-term entry.

The cybersecurity firm additionally famous that the severity of the flaw considerably will increase when it is paired with n8n’s webhook characteristic, allowing an adversary to create a workflow utilizing a public webhook and add a distant code execution payload to a node within the workflow, inflicting the webhook to be publicly accessible as soon as the workflow is activated.

Pillar’s report has described the problem as allowing an attacker to steal API keys, cloud supplier keys, database passwords, OAuth tokens, and entry the filesystem and inside methods, pivot to related cloud accounts, and hijack synthetic intelligence (AI) workflows.

“The assault requires nothing particular. In the event you can create a workflow, you possibly can personal the server,” Cohen stated.

Endor Labs, which additionally shared particulars of the vulnerability, stated the issue arises from gaps in n8n’s sanitization mechanisms that permit for bypassing safety controls.

“The vulnerability arises from a mismatch between TypeScript’s compile-time kind system and JavaScript’s runtime habits,” Staicu defined. “Whereas TypeScript enforces {that a} property must be a string at compile time, this enforcement is proscribed to values which can be current within the code throughout compilation.”

“TypeScript can’t implement these kind checks on runtime attacker-produced values. When attackers craft malicious expressions at runtime, they will move non-string values (resembling objects, arrays, or symbols) that bypass the sanitization verify solely.”

If speedy patching will not be an choice, customers are suggested to comply with the workarounds under to reduce the influence of potential exploitation –

  • Limit workflow creation and enhancing permissions to completely trusted customers solely
  • Deploy n8n in a hardened atmosphere with restricted working system privileges and community entry

“This vulnerability demonstrates why a number of layers of validation are essential. Even when one layer (TypeScript varieties) seems sturdy, extra runtime checks are mandatory when processing untrusted enter,” Endor Labs stated. “Pay particular consideration to sanitization features throughout code overview, searching for assumptions about enter varieties that are not enforced at runtime.”

Moreover CVE-2026-25049, n8n has additionally launched safety alerts for 11 different flaws, together with 5 which can be rated essential in severity –

  • CVE-2026-21893 (CVSS rating: 9.4) – A command injection vulnerability that permits authenticated customers with administrative permissions to execute arbitrary system instructions on the n8n host below particular situations (Mounted in model 1.120.3)
  • CVE-2026-25051 (CVSS rating: 8.5) – A cross-site scripting (XSS) vulnerability within the dealing with of webhook responses and associated HTTP endpoints that permits an authenticated person with permission to create or modify workflows to execute malicious scripts with same-origin privileges when different customers work together with the crafted workflow, probably resulting in session hijacking and account takeover (Mounted in model 1.123.2)
  • CVE-2026-25052 (CVSS rating: 9.4) – A Time-of-check Time-of-use (TOCTOU) vulnerability within the file entry controls that permits authenticated customers with permission to create or modify workflows to learn delicate information from the n8n host system, probably main to a whole account takeover of any person on the occasion (Mounted in variations 2.5.0 and 1.123.18)
  • CVE-2026-25053 (CVSS rating: 9.4) – An working system command injection vulnerability within the Git node that permits authenticated customers with permission to create or modify workflows to execute arbitrary system instructions or learn arbitrary information on the n8n host (Mounted in variations 2.5.0 and 1.123.10)
  • CVE-2026-25054 (CVSS rating: 8.5) – A saved cross-site scripting (XSS) vulnerability affecting a markdown rendering element utilized in n8n’s interface, together with workflow sticky notes, that permits an authenticated person with permission to create or modify workflows to execute scripts with same-origin privileges when different customers work together with a maliciously crafted workflow, probably resulting in session hijacking and account takeover (Mounted in variations 2.2.1 and 1.123.9)
  • CVE-2026-25055 (CVSS rating: 7.1) – A path traversal vulnerability that permits information to be written to unintended areas on distant methods when workflows course of uploaded information and switch them to distant servers through the SSH node with out validating their metadata, probably resulting in distant code execution on these methods (Mounted in variations 2.4.0 and 1.123.12)
  • CVE-2026-25056 (CVSS rating: 9.4) – A vulnerability within the Merge node’s SQL Question mode that permits authenticated customers with permission to create or modify workflows to jot down arbitrary information to the n8n server’s filesystem, probably resulting in distant code execution (Mounted in variations 2.4.0 and 1.118.0)
  • CVE-2026-25115 (CVSS rating: 9.4) – A vulnerability within the Python Code node that permits authenticated customers to interrupt out of the Python sandbox atmosphere and execute code outdoors the meant safety boundary when Job Runners are enabled utilizing N8N_RUNNERS_ENABLED=true, Python is enabled N8N_PYTHON_ENABLED=true, and Code Node is enabled (Mounted in model 2.4.8)
  • CVE-2026-25631 (CVSS rating: 5.3) – An improper credential area validation vulnerability within the HTTP Request node that permits an authenticated attacker to ship requests with credentials to unintended domains, probably resulting in credential exfiltration (Mounted in model 1.121.0)
  • CVE-2025-61917 (CVSS rating: 7.7) – An unsafe buffer allocation vulnerability that permits publicity of delicate info to unauthorized actor, probably resulting in publicity of delicate info when Job Runners are enabled utilizing N8N_RUNNERS_ENABLED=true and Code Node is enabled (Mounted in model 1.114.3)
  • CVE-2025-62726 (CVSS rating: 8.8) – A distant code execution vulnerability exists within the Git Node element that permits attackers to execute arbitrary code throughout the n8n atmosphere when a distant repository containing a pre-commit hook is cloned, inflicting the hook to be executed following using the Commit operation within the Git Node (Mounted in model 1.113.0)

Given the criticality of the recognized vulnerabilities, Customers are really helpful to replace their situations to the newest model for optimum safety.

“n8n’s flexibility and energy are precisely what make these points excessive influence,” Upwind safety researcher Amit Genkin stated. “When automation engines are allowed to immediately affect execution and file entry, small errors shortly flip into full atmosphere compromise.”

(The story was up to date after publication to incorporate extra insights revealed by safety researcher Fatih Çelik.)

Previous article
ByteDance Releases Protenix-v1: A New Open-Supply Mannequin Attaining AF3-Degree Efficiency in Biomolecular Construction Prediction
Next article
MacBook Air offers: Evaluate newest provides and lowest costs on-line proper now
admin_kiran
admin_kiranhttps://funded4trading.com

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles

Load more

EDITOR PICKS

POPULAR POSTS

POPULAR CATEGORY

©