Cyber Posture

CVE-2026-25056

Severity: High
Published: 04 February 2026
Modified: 05 February 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0019 (40.8th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-25056 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in n8n (vendor n8n). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 40.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

SI-2 Flaw Remediation (prevent): Directly mitigates the vulnerability by requiring timely remediation through patching to versions 1.118.0 or 2.4.0, eliminating the arbitrary file write flaw in the Merge node's SQL Query mode.

SI-10 Information Input Validation (prevent): Requires validation of inputs to the Merge node's SQL Query mode to prevent unrestricted uploads of dangerous file types leading to filesystem writes and RCE.

Least privilege (prevent): Enforces least privilege to restrict workflow creation and modification permissions, limiting low-privileged authenticated users from exploiting the vulnerability.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The vulnerability in the n8n web application allows low-privileged authenticated remote users to write arbitrary files leading to RCE, directly enabling exploitation of a public-facing application (T1190) and exploitation for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

n8n is an open source workflow automation platform. Prior to versions 1.118.0 and 2.4.0, a vulnerability in the Merge node's SQL Query mode allowed authenticated users with permission to create or modify workflows to write arbitrary files to the n8n server's filesystem, potentially leading to remote code execution. This issue has been patched in versions 1.118.0 and 2.4.0.

Deeper analysis (AI-generated)

CVE-2026-25056 is a high-severity vulnerability in n8n, an open source workflow automation platform. In versions prior to 1.118.0 and 2.4.0, the Merge node's SQL Query mode contains a flaw that enables authenticated users with permission to create or modify workflows to write arbitrary files to the n8n server's filesystem. This can potentially lead to remote code execution, as classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-693 (Protection Mechanism Failure).

The vulnerability can be exploited by low-privileged authenticated users over the network with low attack complexity and no user interaction required. Exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful attacks hinge on the attacker's ability to manipulate workflows, turning legitimate workflow editing permissions into a path for filesystem manipulation and code execution.

n8n has addressed this issue in versions 1.118.0 and 2.4.0. Security practitioners should upgrade to these patched releases immediately. Additional details are available in the official advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-hv53-3329-vmrm.

Details

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type), CWE-693 (Protection Mechanism Failure)

Affected Products

n8n (vendor n8n): versions ≤ 1.118.0, and 2.0.0 to 2.4.0
