Critical n8n Expression Sandbox Escape Leading to Authenticated RCE (CVE-2026-25049)
A critical remote code execution issue in the n8n open-source workflow automation platform, tracked as CVE-2026-25049 (also published as GHSA-6cqr-8cfr-67f8), allows an authenticated user with permission to create or modify workflows to escape n8n’s expression sandbox and execute arbitrary system commands on the underlying host. The flaw stems from insufficient input sanitization and weak sandboxing in n8n’s server-side JavaScript expression evaluation. It was identified during follow-up analysis after an earlier critical n8n vulnerability (CVE-2025-68613) was patched, and researchers report that the new issue effectively bypasses the mitigations added in that fix.
Reporting indicates exploitation can lead to full compromise of the n8n instance, including access to the filesystem and the ability to steal stored credentials and secrets (e.g., API keys, OAuth tokens) and sensitive configuration, with potential for pivoting into connected internal services and cloud accounts in multi-tenant deployments. Reporting also notes that public exploits are available. n8n maintainers state the issue is patched; affected organizations should upgrade to the fixed releases (1.123.17 and 2.5.2), as versions prior to 1.123.17 and 2.5.2 are impacted.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Nuclei detection template for CVE-2026-25049 is proposed
A pull request was opened in the ProjectDiscovery nuclei-templates repository to add a detection template for CVE-2026-25049. The template checks exposed n8n instances for vulnerable versions by parsing version information from the /signin page and comparing it against the fixed releases.
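The core of such a check is a branch-aware version comparison: a 1.x install is affected below 1.123.17 and a 2.x install below 2.5.2, so a flat "is it older than the newest release" test would misclassify a patched 1.123.x box. The following JavaScript is an added example, not the nuclei template from the pull request and not n8n code; it applies the fixed releases named in the advisory. The `extractVersion` helper assumes, as a labelled guess, that the page body carries a JSON-style `"versionCli"` field (the actual markup the template matches is not reproduced here), and the sample body is constructed.

```javascript
// Fixed releases named in the advisory, per major branch. Versions below these are affected.
const FIXED_RELEASES = { 1: [1, 123, 17], 2: [2, 5, 2] };

// Parse "1.123.16" or "v2.5.1" into a numeric triple; reject anything else.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  if (!m) throw new Error(`unparseable version: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two numeric triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify one version string as vulnerable, patched or unknown.
// 0.x and 1.x are measured against 1.123.17 and 2.x against 2.5.2; later majors are not
// covered by the advisory text summarised on this page, so they are reported as unknown.
function assessVersion(text) {
  const version = parseVersion(text);
  const branch = version[0] < 2 ? 1 : version[0];
  const fixed = FIXED_RELEASES[branch];
  if (!fixed) return { version: text, status: 'unknown', fixed: null };
  const status = compareVersions(version, fixed) < 0 ? 'vulnerable' : 'patched';
  return { version: text, status, fixed: fixed.join('.') };
}

// ASSUMPTION: the version appears in the page body as a JSON-style "versionCli":"x.y.z"
// field. The exact markup matched by the real template is not reproduced on this page.
function extractVersion(body) {
  const m = /"versionCli"\s*:\s*"([^"]+)"/.exec(body);
  return m ? m[1] : null;
}

// Combine extraction and classification for a fetched page body.
function assessSigninBody(body) {
  const found = extractVersion(body);
  if (!found) return { version: null, status: 'unknown', fixed: null };
  return assessVersion(found);
}

// Constructed sample body standing in for a fetched /signin response.
const SAMPLE_SIGNIN_BODY =
  '<script>window.settings={"versionCli":"1.123.16"}</script>';

console.log(assessSigninBody(SAMPLE_SIGNIN_BODY));
```

Feed `assessSigninBody` the body of an HTTP response from an instance you are authorised to assess; an `unknown` result means the version could not be read, not that the host is safe, and a positive result is a reason to upgrade rather than proof of exploitability.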
Researchers disclose three critical n8n flaws including CVE-2026-25049
Security reporting highlighted a broader set of three critical n8n vulnerabilities—CVE-2026-25053, CVE-2026-25056, and CVE-2026-25049—affecting the Git node, Merge node, and expression engine. The flaws could allow authenticated workflow editors to read or write files and achieve host takeover, prompting calls for immediate upgrades.
n8n warns of 11 additional vulnerabilities beyond CVE-2026-25049
Alongside the CVE-2026-25049 disclosure, n8n issued alerts for 11 other vulnerabilities, including critical issues involving command injection, file access races, sandbox escapes, and XSS. Fixed versions were provided for the affected branches.
Public exploit techniques and PoCs for CVE-2026-25049 are published
Researchers published technical write-ups and proof-of-concept exploitation methods showing how crafted workflow expressions could escape n8n's sandbox using techniques such as access to the Node.js global object and the Function constructor. Reports also highlighted that public webhooks could make exploitation easier once a malicious workflow is in place.
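From the defender's side, the techniques named in that reporting (the Function constructor and the Node.js global object) are also what to look for when auditing existing workflows after patching, since a malicious workflow saved before the upgrade is still a malicious workflow. The JavaScript below is an added example, not code from n8n or from any of the cited write-ups: it walks an n8n workflow export, pulls the `{{ ... }}` segments out of `=`-prefixed expression parameters, and reports segments matching a small set of heuristic patterns. The sample workflow is constructed, the `process-object` pattern is an added assumption rather than something the reporting names, and the patterns are a triage aid with false positives, not a replacement for upgrading.

```javascript
// Heuristic patterns for expressions that reach beyond workflow data. The first three follow
// the techniques named in public reporting (Function constructor, global object);
// 'process-object' is an added assumption that no workflow expression needs Node's process.
const SUSPICIOUS_PATTERNS = [
  { name: 'function-constructor', re: /\bFunction\s*\(/ },
  { name: 'constructor-chain', re: /\.constructor\b/ },
  { name: 'global-object', re: /\b(globalThis|global)\b/ },
  { name: 'process-object', re: /\bprocess\b/ },
];

// Yield every string under a value together with a JSON-style path to it.
function* walkStrings(value, path) {
  if (typeof value === 'string') {
    yield [path, value];
  } else if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) yield* walkStrings(value[i], `${path}[${i}]`);
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) yield* walkStrings(v, `${path}.${k}`);
  }
}

// n8n stores expression parameters as strings beginning with '=' whose {{ ... }} segments
// are evaluated. Return the code inside each segment; plain strings yield nothing.
function extractExpressions(param) {
  if (typeof param !== 'string' || !param.startsWith('=')) return [];
  const out = [];
  const re = /\{\{([\s\S]*?)\}\}/g;
  let m;
  while ((m = re.exec(param)) !== null) out.push(m[1].trim());
  return out;
}

// Walk a workflow export and report every expression segment matching a pattern.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    for (const [path, text] of walkStrings(node.parameters || {}, 'parameters')) {
      for (const expr of extractExpressions(text)) {
        for (const p of SUSPICIOUS_PATTERNS) {
          if (p.re.test(expr)) {
            findings.push({ node: node.name, path, pattern: p.name, expression: expr });
          }
        }
      }
    }
  }
  return findings;
}

// Constructed sample export (not from any advisory): one ordinary expression and one that
// references the global object from inside a nested options block.
const SAMPLE_WORKFLOW = {
  name: 'audit-demo',
  nodes: [
    {
      name: 'Normalize',
      type: 'n8n-nodes-base.set',
      parameters: { value: '={{ $json.email.toLowerCase() }}' },
    },
    {
      name: 'Flagged',
      type: 'n8n-nodes-base.httpRequest',
      parameters: {
        url: 'https://example.invalid/hook',
        options: { headers: [{ value: '=user-{{ $json.id }} {{ global }}' }] },
      },
    },
  ],
};

console.log(JSON.stringify(auditWorkflow(SAMPLE_WORKFLOW), null, 2));
```

Run it over exported workflow JSON (one object per file, or iterate over an API listing) and review each finding by hand; the path tells you exactly which parameter to open in the editor.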
n8n releases fixes for CVE-2026-25049
n8n released patched versions 1.123.17 and 2.5.2 to address CVE-2026-25049 and urged users to update immediately. The company also recommended restricting workflow permissions, hardening deployments, and rotating encryption keys and credentials after patching.
n8n discloses CVE-2026-25049 in a GitHub security advisory
n8n publicly disclosed CVE-2026-25049 via GitHub Security Advisory GHSA-6cqr-8cfr-67f8, describing a critical sandbox-escape flaw in workflow expressions that can lead to remote code execution. The advisory said affected versions were all releases before 1.123.17 and 2.5.2.
Researchers identify CVE-2026-25049 as a bypass of the prior n8n fix
Multiple researchers and vendors, including Pillar Security, Endor Labs, SecureLayer7, and Fatih Çelik, identified new sandbox-escape techniques in n8n's expression engine that allowed authenticated workflow editors to achieve host command execution. Their work showed the issue was a bypass of the earlier CVE-2025-68613 mitigation.
n8n patches CVE-2025-68613 in December 2025
n8n patched the earlier critical expression-evaluation flaw CVE-2025-68613 in December 2025. Later reporting said CVE-2026-25049 was discovered during follow-up work and bypassed protections added in that fix.
Sources
feat: Added CVE-2026-25049 (n8n Expression Injection RCE) by Eren-Akdag · Pull Request #15245 · projectdiscovery/nuclei-templates · GitHub (github.com)
Popular n8n Platform Hit by Triple Threat of RCE Flaws (securityonline.info)
Critical n8n Vulnerability Enables System Command Execution Via Weaponized Workflows (cybersecuritynews.com)
n8n's latest critical flaws bypass December fix • The Register (go.theregister.com)
CVE-2026-25049: n8n Expression Sandbox Escape Enables RCE (socradar.io)
Critical N8n Vulnerability CVE-2026-25049 Enables RCE (thecyberexpress.com)
Critical n8n Flaw CVE-2026-25049 Enables System Command Execution via Malicious Workflows (thehackernews.com)
Critical n8n flaws disclosed along with public exploits (bleepingcomputer.com)