- A critical flaw (CVE-2026-25049) in the automation platform n8n enables authenticated users to execute system commands, representing a bypass for a patch issued in December 2025.
- An attacker can create a public webhook in a workflow to remotely trigger the exploit, potentially compromising the server and stealing sensitive credentials and data.
- The vulnerability stems from a mismatch between TypeScript’s compile-time type checks and JavaScript’s runtime behavior, allowing malicious values to bypass sanitization.
- Versions before 1.123.17 and 2.5.2 are affected, and users are urged to patch immediately or restrict workflow permissions and deploy in a hardened environment.
On February 5, 2026, security researchers disclosed a severe vulnerability in the popular n8n workflow automation platform that allows authenticated attackers to run arbitrary commands on the host system. This latest flaw, tracked as CVE-2026-25049 with a CVSS score of 9.4, is a direct bypass for safeguards implemented to fix an earlier critical issue, CVE-2025-68613.
According to the advisory released by n8n’s maintainers, the weakness lies in inadequate expression sanitization. Consequently, a user with permissions to create workflows could craft malicious expressions to trigger unintended command execution.
The vulnerability was identified by a group of ten researchers, including Fatih Çelik. In a technical analysis, Çelik explained that the new flaw is essentially the same vulnerability, as it escapes the n8n expression sandbox.
SecureLayer7 noted that pairing the bug with a public webhook makes it remotely exploitable. An attacker can therefore create a workflow, add a JavaScript payload, and wait for anyone online to trigger it.
Successful exploitation grants significant control. “The attack requires nothing special. If you can create a workflow, you can own the server,” said Pillar Security‘s Eilon Cohen, whose report detailed risks like stealing API keys and hijacking AI workflows.
Endor Labs’ Cris Staicu explained the root cause is a mismatch between TypeScript’s compile-time types and JavaScript’s runtime. Attackers can thus pass non-string values that bypass checks entirely.
The affected versions are below 1.123.17 and 2.5.2. Meanwhile, if patching is delayed, n8n recommends restricting workflow permissions and deploying in a hardened, restricted environment as a workaround.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
