CVE-2026-25115
Published: 04 February 2026
Summary
CVE-2026-25115 is a critical-severity Protection Mechanism Failure (CWE-693) vulnerability in N8N N8N. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006); ranked at the 19.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation of identified software flaws, directly addressing the Python sandbox escape vulnerability in n8n by mandating patching to version 2.4.8.
Mandates maintaining separate execution domains for processes, directly preventing breakout from the Python Code node's sandbox environment.
Limits privileges of the n8n process to the minimum necessary, reducing the impact of arbitrary code execution even if sandbox escape occurs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Sandbox escape in Python Code node directly enables arbitrary Python execution (T1059.006) by authenticated remote users; scope-changing RCE from low privileges maps to exploitation for privilege escalation (T1068) and public-facing application exploitation (T1190).
NVD Description
n8n is an open source workflow automation platform. Prior to version 2.4.8, a vulnerability in the Python Code node allows authenticated users to break out of the Python sandbox environment and execute code outside the intended security boundary. This issue…
more
has been patched in version 2.4.8.
Deeper analysisAI
CVE-2026-25115 is a critical vulnerability (CVSS 9.9, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) affecting n8n, an open-source workflow automation platform. Prior to version 2.4.8, the Python Code node contains a flaw (CWE-693) that enables breakout from the intended Python sandbox environment, allowing execution of code beyond the security boundary.
Authenticated users with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants attackers the ability to execute arbitrary code with high impact on confidentiality, integrity, and availability, particularly due to the changed scope (S:C).
The n8n security advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-8398-gmmx-564h confirms the issue has been addressed in version 2.4.8, recommending immediate upgrades for affected installations.
Details
- CWE(s)