Cyber Posture

CVE-2026-25055

High

Published: 04 February 2026

Modified: 05 February 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0017 (37.5th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-25055 is a high-severity Path Traversal (CWE-22) vulnerability in n8n (vendor n8n), the open source workflow automation platform. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 37.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly mandates validation of file metadata and paths to block path traversal in uploaded files processed by the SSH node.

AC-14 Permitted Actions Without Identification or Authentication (prevent)
Limits permitted actions without authentication, mitigating the prerequisite of unauthenticated file upload endpoints exploited in this vulnerability.

Least privilege (prevent)
Enforces least privilege on processes like the SSH node, restricting writes to arbitrary or sensitive locations on remote systems even if traversal occurs.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The path traversal vulnerability in n8n's unauthenticated file upload workflows lets an attacker exploit a public-facing application to write arbitrary files to remote systems via the SSH node, which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata, the vulnerability can lead to files being written to unintended locations on those remote systems, potentially leading to remote code execution on those systems. As prerequisites, an unauthenticated attacker needs knowledge of such workflows existing, and the endpoints for file uploads need to be unauthenticated. This issue has been patched in versions 1.123.12 and 2.4.0.

Deeper analysis

CVE-2026-25055 is a path traversal vulnerability (CWE-22) in n8n, an open source workflow automation platform. The issue affects versions prior to 1.123.12 and 2.4.0, specifically in workflows that process uploaded files and transfer them to remote servers using the SSH node. Without proper validation of file metadata, this flaw allows files to be written to arbitrary locations on the target remote systems.

An unauthenticated attacker can exploit this vulnerability if they know of existing workflows that handle file uploads and the associated file upload endpoints are unauthenticated. By crafting malicious file uploads, the attacker can direct files to unintended paths on remote systems via the SSH node, potentially achieving remote code execution on those systems. The attack complexity is high (AC:H), as reflected in the CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

The n8n security advisory recommends upgrading to versions 1.123.12 or 2.4.0, where the issue has been patched by adding metadata validation for uploaded files processed by the SSH node. Security practitioners should review deployed n8n instances for vulnerable workflows, ensure file upload endpoints require authentication where possible, and monitor for unauthorized file transfers.

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products: n8n (vendor n8n), versions ≤ 1.123.12 and 2.0.0 to 2.4.0

CVEs Like This One

CVE-2026-21877 (same product: n8n)
CVE-2026-42232 (same product: n8n)
CVE-2025-68613 (same product: n8n)
CVE-2025-62726 (same product: n8n)
CVE-2026-1470 (same product: n8n)
CVE-2026-42231 (same product: n8n)
CVE-2026-27493 (same product: n8n)
CVE-2026-27498 (same product: n8n)
CVE-2026-27577 (same product: n8n)
CVE-2026-33665 (same product: n8n)
