CVE-2026-25049
Published: 04 February 2026
Summary
CVE-2026-25049 is a critical-severity Improper Control of Dynamically-Managed Code Resources (CWE-913) vulnerability in N8N N8N. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation directly mitigates CVE-2026-25049 by applying patches released in n8n versions 1.123.17 and 2.5.2 to eliminate the command execution vulnerability.
Information input validation prevents crafted expressions in workflow parameters from being interpreted as executable system commands.
Least privilege restricts workflow create/modify permissions to only essential users, minimizing the authenticated attack surface for this vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote authenticated RCE via crafted workflow expressions in the n8n web platform, directly enabling exploitation of a public-facing application (T1190), Unix shell command execution (T1059.004), and privilege escalation from workflow modification rights to host system commands (T1068).
NVD Description
n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host…
more
running n8n. This issue has been patched in versions 1.123.17 and 2.5.2.
Deeper analysisAI
CVE-2026-25049 affects n8n, an open source workflow automation platform, in versions prior to 1.123.17 and 2.5.2. The vulnerability allows an authenticated user with permission to create or modify workflows to abuse crafted expressions in workflow parameters, resulting in unintended system command execution on the host running n8n. It is rated with a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-913 (Improper Control of Dynamically-Managed Code Resources).
An attacker with low-privilege authenticated access, specifically permission to create or modify workflows, can exploit this remotely over the network with low complexity and no user interaction required. Successful exploitation enables arbitrary command execution on the n8n host system, potentially leading to full compromise including high confidentiality, integrity, and availability impacts due to the changed scope.
The issue has been addressed in n8n versions 1.123.17 and 2.5.2. Official mitigation details are available in the GitHub security advisory (GHSA-6cqr-8cfr-67f8) and related commits (7860896909b3d42993a36297f053d2b0e633235d and 936c06cfc1ad269a89e8ef7f8ac79c104436d54b), which practitioners should review for patch implementation guidance.
Details
- CWE(s)