Security alert: CVE-2026-25049 in n8n allows you to escape from the sandbox and take control of the server

4 min read

If you run automation on n8n, the open source platform that connects applications and processes through workflows, pay attention: several recent investigations have found serious flaws in the sandbox that runs server-side code, and those flaws have allowed authenticated attackers to escape the sandbox and run arbitrary commands on the host.

The weakness, tracked collectively as CVE-2026-25049, affects the way n8n sanitizes and evaluates the JavaScript fragments that users can include within workflows. Independent research teams, including Pillar Security, Endor Labs and SecureLayer7, have shown how an attacker with permission to create or modify workflows can exploit these failures to take full control of the server on which n8n runs.


To understand why this is serious, it is enough to think about what n8n stores and what it usually connects to: API credentials, OAuth tokens, keys, and flows that interact with cloud services or AI models. According to the technical descriptions, the exploit allows everything from running commands on the victim machine to reading sensitive files, extracting credentials and pivoting into connected accounts and resources, including hijacking AI flows by intercepting or altering prompts and responses.

At the heart of the problem is the sandboxing strategy based on static analysis of the code's syntax tree (AST). The researchers explain that the checks assumed certain TypeScript type restrictions, but those guarantees were not enforced at execution time, resulting in a type confusion condition that lets code bypass the checks. In practical terms, this opens the door to building expressions that, when evaluated on the server, recover Node.js global objects or use the Function constructor to run arbitrary code.

The flaw did not appear out of nowhere: the Pillar Security research team reported an escape chain on December 21, 2025, and n8n shipped an initial fix shortly afterwards, but the researchers showed that the fix did not close every vector. After further analysis, alternative bypasses were found, and the n8n developers confirmed the new evasions before publishing later patches. The full analysis and proof-of-concept material are available in the technical reports from Pillar Security, Endor Labs and SecureLayer7.

n8n has been publishing patches and mitigations; it is essential to review the related earlier advisory and the security note with the temporary mitigation to confirm which versions contain the final fixes. Teams that cannot update immediately should apply the interim measures suggested by the project and restrict who can create or edit workflows within the deployment.

The threat is greater in multi-tenant deployments: an attacker who can reach internal cluster services could potentially escalate and access data belonging to other tenants. The attention the issue has received from malicious actors is already reflected in mass scanning and probing aimed at exposed instances; for example, GreyNoise has documented probing activity against vulnerable endpoints in recent campaigns, which shows interest in entry points that lead to further control of compromised systems (GreyNoise report).

If you administer n8n, the immediate priority is to check whether your installation is on a patched version and, if not, update as soon as possible. Security and operations teams should also rotate the n8n encryption key and all credentials stored on the platform, review workflows for suspicious expressions, and limit the ability to create or edit workflows to fully trusted users. The n8n security repository contains instructions on the temporary mitigation for those who cannot apply the patch immediately: temporary mitigation on GitHub.
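As an added example (not code from the article, nor from n8n or the research teams), the following Node.js script is a triage aid for the "review workflows for suspicious expressions" step: it walks an exported workflow JSON and flags string parameters that reference Node.js globals, dynamic code construction or `constructor` access. The workflow layout it assumes (a top-level `nodes` array whose entries carry a `parameters` object, with expressions written as strings starting with `=` and containing `{{ ... }}`) and the sample workflow are assumptions and constructed data for illustration; the walker tolerates any nested JSON, so it also works if the real export differs.

```javascript
// Added example: flag suspicious expressions in an exported n8n workflow.
// Assumption (labelled): export has { nodes: [ { name, type, parameters } ] }.
// Every string value is scanned, not only "={{ ... }}" expressions, because
// Code-node sources are plain strings.

const SUSPICIOUS = [
  { name: "function-constructor", re: /\bFunction\s*\(/ },
  { name: "eval", re: /\beval\s*\(/ },
  { name: "constructor-access", re: /\.constructor\b|\[\s*['"`]constructor['"`]\s*\]/ },
  { name: "node-globals", re: /\b(process|require|globalThis|module)\b/ },
  { name: "child-process", re: /child_process/ },
];

// Recursively visit a JSON value, recording a finding per matching rule.
function walk(value, path, findings) {
  if (typeof value === "string") {
    for (const rule of SUSPICIOUS) {
      const m = rule.re.exec(value);
      if (m) {
        findings.push({
          path,
          rule: rule.name,
          snippet: value.slice(Math.max(0, m.index - 20), m.index + 40),
        });
      }
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => walk(v, `${path}[${i}]`, findings));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) walk(v, `${path}.${k}`, findings);
  }
}

// Scan one workflow object; returns [] for a workflow with no nodes.
function scanWorkflow(workflow) {
  const findings = [];
  const nodes = Array.isArray(workflow.nodes) ? workflow.nodes : [];
  nodes.forEach((node, i) => {
    const label = `nodes[${i}](${node.name ?? "?"}).parameters`;
    walk(node.parameters ?? {}, label, findings);
  });
  return findings;
}

// Constructed sample: two benign nodes, a Code node reading process.env,
// and a Set node whose expression reaches for .constructor.
const SAMPLE_WORKFLOW = {
  name: "constructed sample",
  nodes: [
    { name: "Set", type: "n8n-nodes-base.set",
      parameters: { value: "={{ $json.email.toLowerCase() }}" } },
    { name: "HTTP", type: "n8n-nodes-base.httpRequest",
      parameters: { url: "={{ 'https://example.invalid/' + $json.id }}" } },
    { name: "Code", type: "n8n-nodes-base.code",
      parameters: { jsCode: "return [{ home: process.env.HOME }]" } },
    { name: "Odd", type: "n8n-nodes-base.set",
      parameters: { value: "={{ $json.x.constructor }}" } },
  ],
};

// Stand-alone usage: print findings for the constructed sample.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scanWorkflow(SAMPLE_WORKFLOW), null, 2));
}
```

Run it against real exports (`n8n export:workflow --all`, or the JSON from the editor's download option) by replacing `SAMPLE_WORKFLOW` with parsed file contents; each finding carries the node name and parameter path so a reviewer can open the right node directly. Matches are a review queue, not a verdict: a legitimate Code node may mention `process.env`, while a benign expression will rarely touch `constructor` or build functions from strings.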

From a technical point of view, the lesson is clear: letting users define executable code fragments that run on the server always requires a strict sandbox with checks at run time, not just checks on types or on the surface syntax of the code. Subtle errors in sanitization logic, especially in environments that use static typing as a developer aid, can be exploited if the runtime implementation does not enforce the same guarantees.


For now, there are no confirmed public reports of attacks in production exploiting this particular vulnerability, but the visibility of the problem and the proof-of-concept code published by researchers increase the risk. Keeping platforms up to date, hardening permissions and rotating secrets are measures that reduce exposure and shorten response time to possible incidents.

If you need to consult the original research, the technical reports and proof-of-concept material are available in the publications of Pillar Security, Endor Labs and SecureLayer7, and the official information and mitigations are published in the project's GitHub repository (n8n advisories).

Conclusion: if your organization depends on n8n, act now: confirm the version, apply patches, rotate keys and reduce who can edit workflows. The combination of code execution on the server and poor sanitization turns an apparently benign permission, creating or editing a workflow, into a direct door to the system.
