CVE-2026-25049 Scanner (Version Based)

n8n is an open source workflow automation platform used to design, execute, and manage automated workflows across applications and services. It is commonly deployed by developers, DevOps teams, and organizations to orchestrate integrations between APIs, databases, and internal systems. n8n is used both in self-hosted environments and enterprise infrastructures to automate repetitive operational tasks. The platform allows users to visually build workflows using nodes and expressions. Its flexibility makes it popular in automation-heavy environments such as CI/CD pipelines, data processing, and monitoring systems. Due to its deep integration with system resources, security of workflow execution is critical.

The detected vulnerability is a Remote Code Execution issue caused by unsafe handling of expressions within workflow parameters. Authenticated users with permission to create or modify workflows can abuse crafted expressions to bypass sandbox restrictions. This vulnerability allows attackers to escape the intended expression evaluation context. Once bypassed, the attacker can execute arbitrary system-level commands on the host running n8n. The issue is especially severe in shared or multi-user n8n environments. It represents a critical risk due to the potential for full server compromise.

The vulnerability arises from insufficient runtime validation in n8n’s expression sanitization logic. While TypeScript enforces type constraints at compile time, these checks are not reliably enforced at runtime. An attacker can inject non-string values into expression parameters to bypass security controls. The vulnerable behavior occurs during expression evaluation in workflows that process user-controlled input. Although the scan does not actively exploit the issue, it identifies vulnerable versions by extracting the deployed n8n version from exposed metadata. Systems running affected versions are considered vulnerable regardless of workflow configuration.

Successful exploitation may allow attackers to execute arbitrary operating system commands with the privileges of the n8n service. This can lead to disclosure of sensitive credentials, API keys, and environment variables. Attackers may access the filesystem, modify workflows, or install persistent backdoors. In cloud or containerized environments, this can enable lateral movement to other services. Long-term compromise and data exfiltration are possible outcomes. The overall impact is a complete loss of confidentiality, integrity, and availability.

REFERENCES

• https://github.com/advisories/GHSA-6cqr-8cfr-67f8
• https://nvd.nist.gov/vuln/detail/CVE-2026-25049
• https://thehackernews.com/2026/02/critical-n8n-flaw-cve-2026-25049.html