Cyber Resilience

CVE-2025-62726

High

Published: 30 October 2025

Published
30 October 2025
Modified
31 December 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0022 44.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-62726 is a high-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in N8N N8N. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-62726 is a remote code execution vulnerability (CWE-829) in the Git Node component of n8n, an open source workflow automation platform. It affects both Cloud and Self-Hosted versions prior to 1.113.0. The flaw occurs when the Git Node clones a remote repository containing a malicious pre-commit hook, and a subsequent Commit operation triggers execution of that hook, allowing arbitrary code to run within the n8n environment.

Attackers with low privileges, such as authenticated users (PR:L), can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). By hosting a malicious Git repository with a pre-commit hook, an attacker can entice a victim to clone it via the Git Node and then perform a commit, resulting in arbitrary code execution. This grants high confidentiality, integrity, and availability impact (CVSS 8.8), potentially compromising the n8n system, connected credentials, and workflows.

The vulnerability is addressed in n8n version 1.113.0. Mitigation details are available in the GitHub security advisory (GHSA-xgp7-7qjq-vg47), the fixing pull request (n8n-io/n8n/pull/19559), and the associated commit (n8n-io/n8n/commit/5bf3db5ba84d3195bbe11bbd3c62f7086e090997).

EU & UK References

Vulnerability details

n8n is an open source workflow automation platform. Prior to 1.113.0, a remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository containing…

more

a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigger the hook’s execution. This allows attackers to execute arbitrary code within the n8n environment, potentially compromising the system and any connected credentials or workflows. This vulnerability is fixed in 1.113.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables remote code execution by exploiting insecure execution of untrusted pre-commit hooks from remote Git repositories in the public-facing n8n workflow platform's Git Node.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21877Same product: N8N N8N
CVE-2026-25055Same product: N8N N8N
CVE-2025-68613Same product: N8N N8N
CVE-2026-42232Same product: N8N N8N
CVE-2026-1470Same product: N8N N8N
CVE-2026-27577Same product: N8N N8N
CVE-2026-27498Same product: N8N N8N
CVE-2026-42231Same product: N8N N8N
CVE-2026-27493Same product: N8N N8N
CVE-2026-21893Same product: N8N N8N

Affected Assets

n8n
n8n
≤ 1.113.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and patching of the specific RCE flaw in n8n's Git Node that executes malicious pre-commit hooks, as fixed in version 1.113.0.

preventdetect

Deploys malicious code protection mechanisms to scan cloned Git repositories and block execution of malicious pre-commit hooks within the n8n environment.

detect

Conducts vulnerability scanning to identify the presence of CVE-2025-62726 in n8n Git Node, enabling prompt detection and remediation.

References