N8n security alert CVE-2026-25049 allows remote execution of commands and escapes sandbox

Published · 4 min read · 175 reads

The security community has identified a serious flaw in n8n, the workflow automation platform, which, if successfully exploited, allows remote execution of commands on the server where the application runs. The problem, tracked as CVE-2026-25049 and rated high in the CVSS system (9.4), is a bypass of the sanitization controls in expression evaluation that partially undoes a fix applied last year for vulnerability CVE-2025-68613 (CVSS 9.9).

n8n's maintainers published an advisory on GitHub stating that an authenticated user with permission to create or edit workflows can inject specially crafted expressions into workflow parameters that escape the sandbox mechanism and cause execution of commands on the host system. The official explanation and the fixed versions are in the n8n security advisory on GitHub.


From a technical point of view, the root of the problem is the gap between the checks TypeScript performs at compile time and what actually happens at runtime in JavaScript. As several research teams have explained, including Endor Labs, TypeScript can establish that a given property should be a string in the source code, but those guarantees vanish once the code processes values an attacker supplies dynamically. Taking advantage of this, unexpected values (objects, arrays, symbols, etc.) can be passed that fool the sanitization functions and allow escape from the sandbox.
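The following is an added illustration of that class of bug in plain JavaScript; it is not n8n's code and does not reproduce the n8n expression engine. A property lookup guards a denylist of dangerous names but assumes, as a TypeScript annotation would, that the key is a string; a non-string that coerces to the same name slips past the comparison. The hardened variant checks the runtime type first and uses an allowlist of own properties. All names (`lookupNaive`, `lookupHardened`, `sample`) are hypothetical.

```javascript
// Added example (not n8n code): a compile-time `key: string` annotation is
// erased by the TypeScript compiler, so runtime code must re-check the type.

const BLOCKED = ['__proto__', 'constructor', 'prototype'];

// "Before": the author assumed `key` is always a string, so the denylist
// comparison only works for real strings.
function lookupNaive(obj, key) {
  if (BLOCKED.includes(key)) {
    return undefined;          // denylisted name: refuse
  }
  return obj[key];             // property access coerces non-strings via toString()
}

// "After": validate the runtime type, then allowlist the object's own
// properties instead of relying on a denylist alone.
function lookupHardened(obj, key) {
  if (typeof key !== 'string') {
    throw new TypeError('key must be a string');
  }
  if (BLOCKED.includes(key) || !Object.prototype.hasOwnProperty.call(obj, key)) {
    return undefined;
  }
  return obj[key];
}

// Constructed sample data.
const sample = { name: 'demo', amount: 42 };

// An array whose toString() yields "constructor" is not === the string
// "constructor", so the denylist misses it, yet obj[key] coerces it and the
// lookup reaches the inherited Object constructor.
function naiveIsBypassed() {
  const key = ['constructor'];                 // not a string, but coerces to one
  return lookupNaive(sample, key) === Object;  // true: denylist bypassed
}

// The hardened version refuses any non-string key outright.
function hardenedRejects() {
  try {
    lookupHardened(sample, ['constructor']);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

console.log('naive bypassed:', naiveIsBypassed(), '| hardened rejects:', hardenedRejects());
```

The point for reviewers is the order of the checks: a type guard on the value as it exists at runtime must come before any string-based comparison, and an allowlist of own properties is more robust than a denylist of known-bad names.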

Independent researchers have published technical analyses that illustrate how the bypass is achieved and how the steps are chained to reach remote code execution. These write-ups include a detailed breakdown of the techniques used and practical examples; one such analysis is Fatih Çelik's research on the sequence of flaws and bypasses: n8n RCEs: A Tale of 4 Acts.

The risk grows when the flaw is combined with n8n's webhook functionality. If an attacker creates a workflow with a public, unauthenticated webhook, they can embed the payload that causes command execution and, once the workflow is activated, anyone who knows the endpoint can trigger it and run code on the server. Teams such as SecureLayer7 and Pillar Security have described impact scenarios that include API key theft, access to cloud secrets, lateral movement to connected accounts, and takeover of workflows linked to artificial intelligence services.

n8n has released fixes in the affected branches; the versions containing the patches are 1.123.17 for the 1.x series and 2.5.2 for the 2.x series. Updating to a patched version should be the first priority for any vulnerable deployment. If the update cannot be applied immediately, compensating measures should be taken to reduce exposure: limit who can create and edit workflows to a small group of trusted users, disable or protect public webhooks, and run n8n in environments with restricted system privileges and network rules to limit the damage in case of intrusion.
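As an added helper (not part of the advisory or the n8n project), the check below compares a deployment's reported version string against the fixed releases named above, per branch. Anything on a major line the page does not cover is reported as unknown rather than assumed safe; the function name `isPatched` is hypothetical.

```javascript
// Added example: is a given n8n version at or above the fixed release for its branch?
// Fixed versions are the ones stated in the article: 1.123.17 (1.x) and 2.5.2 (2.x).
const FIXED = {
  1: [1, 123, 17],
  2: [2, 5, 2],
};

// Parse "1.123.17", "v2.5.2" or "2.5.2-rc.1" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isPatched(version) {
  const v = parseVersion(version);
  const fixed = FIXED[v[0]];
  if (!fixed) {
    // A major line the article does not list: do not guess, go to the advisory.
    return { patched: false, reason: `major ${v[0]} not covered here; check the n8n advisory` };
  }
  const ok = compareVersions(v, fixed) >= 0;
  return {
    patched: ok,
    reason: ok ? `at or above fixed release ${fixed.join('.')}` : `below fixed release ${fixed.join('.')}`,
  };
}

// Usage: pass the version string your deployment reports.
console.log(isPatched('1.123.16'), isPatched('2.5.2'));
```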

It is also important to audit existing workflows and activity logs to detect suspicious changes or newly created public endpoints. On systems that may have been compromised, the credentials and keys that were available in the affected environment must be rotated and access reviewed. Companies that depend on critical integrations and automations should prioritize this review and the patching campaign.
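One concrete form of that audit, added here as an example rather than taken from n8n or the researchers, is to scan exported workflow JSON for active workflows whose webhook node has no authentication, and list the most recently modified ones first. The field names used (`active`, `updatedAt`, `nodes[].type`, `nodes[].parameters.authentication`, `nodes[].parameters.path`) and the node type identifier `n8n-nodes-base.webhook` are assumptions about the export format; the sample workflows are constructed.

```javascript
// Added example (not n8n code): flag active workflows exposing an unauthenticated webhook.
const WEBHOOK_NODE_TYPE = 'n8n-nodes-base.webhook';   // assumed node type identifier

// Timestamp helper: missing or unparseable dates sort as oldest.
function ts(iso) {
  const t = iso ? Date.parse(iso) : NaN;
  return Number.isNaN(t) ? 0 : t;
}

// Returns findings for active workflows with a webhook node whose
// `authentication` is absent or 'none', newest change first. `sinceIso`
// marks which findings count as recently changed (e.g. the incident window).
function findPublicWebhooks(workflows, sinceIso) {
  const since = ts(sinceIso);
  const findings = [];
  for (const wf of workflows) {
    if (!wf.active) continue;                          // inactive flows cannot be triggered
    for (const node of wf.nodes || []) {
      if (node.type !== WEBHOOK_NODE_TYPE) continue;
      const params = node.parameters || {};
      const auth = params.authentication || 'none';    // absent field treated as no auth
      if (auth !== 'none') continue;
      findings.push({
        workflow: wf.name,
        node: node.name,
        path: params.path,
        updatedAt: wf.updatedAt,
        recentlyChanged: ts(wf.updatedAt) >= since,
      });
    }
  }
  return findings.sort((a, b) => ts(b.updatedAt) - ts(a.updatedAt));
}

// Constructed sample export: five workflows, two of which should be flagged.
const sampleWorkflows = [
  { name: 'Order intake', active: true, updatedAt: '2026-02-10T09:00:00Z',
    nodes: [{ name: 'Webhook', type: WEBHOOK_NODE_TYPE,
              parameters: { path: 'orders', authentication: 'none' } }] },
  { name: 'Nightly report', active: true, updatedAt: '2025-11-01T00:00:00Z',
    nodes: [{ name: 'Schedule', type: 'n8n-nodes-base.scheduleTrigger', parameters: {} }] },
  { name: 'Partner sync', active: true, updatedAt: '2026-01-05T12:00:00Z',
    nodes: [{ name: 'Webhook', type: WEBHOOK_NODE_TYPE,
              parameters: { path: 'partner', authentication: 'headerAuth' } }] },
  { name: 'Old test', active: false, updatedAt: '2026-02-11T00:00:00Z',
    nodes: [{ name: 'Webhook', type: WEBHOOK_NODE_TYPE, parameters: { path: 'test' } }] },
  { name: 'Legacy hook', active: true, updatedAt: '2025-06-01T00:00:00Z',
    nodes: [{ name: 'Webhook', type: WEBHOOK_NODE_TYPE, parameters: { path: 'legacy' } }] },
];

// Usage: treat anything changed inside the review window as top priority.
console.log(findPublicWebhooks(sampleWorkflows, '2026-02-01T00:00:00Z'));
```

Findings that are both public and recently changed are the ones to correlate with the activity log and with who held edit permissions at the time; older public hooks still belong on the list of endpoints to protect or disable while the patch is rolled out.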


The discovery of this vulnerability included contributions from several security teams and analysts, including Fatih Çelik, Cris Staicu of Endor Labs, Eilon Cohen of Pillar Security and Sandeep Kamble of SecureLayer7; n8n's maintainers have publicly credited them for their reports.

This episode highlights a classic but often ignored lesson: static type checks do not replace robust runtime validation when handling untrusted input. Organizations like OWASP have insisted for years on the need for multiple layers of defence and strict input validation; general documentation on validation and input-handling risks can be consulted in resources such as OWASP. To better understand why TypeScript does not prevent this kind of exploit, the TypeScript project's own guide gives context on how its type system acts at compile time but does not persist in the final bundle: TypeScript documentation.

In short, if you use n8n in production: first, update to the patched versions as soon as possible. Then, review permissions and webhook exposure, harden the deployment environment and audit for possible indicators of compromise. If you need more technical detail, the researchers' analyses and the n8n advisory are useful public resources for understanding the scope and the mechanics of exploitation: GitHub's advisory, Fatih Çelik's deep-dive and the reports from Endor Labs, SecureLayer7 and Pillar Security.
