Critical n8n Flaw CVE-2026-25049 Enables System Command Execution via Malicious Workflows
Briefly

"The flaw, tracked as CVE-2026-25049 (CVSS score: 9.4), is the result of inadequate sanitization that bypasses safeguards put in place to address CVE-2025-68613 (CVSS score: 9.9), another critical defect that was patched by n8n in December 2025."

"An attacker creates a workflow with a publicly accessible webhook that has no authentication enabled," SecureLayer7 said. "By adding a single line of JavaScript using destructuring syntax, the workflow can be abused to execute system-level commands. Once exposed, anyone on the internet can trigger the webhook and run commands remotely. Successful exploitation of the vulnerability could allow an attacker to compromise the server, steal credentials,"

"The issue affects the following versions:
<1.123.17 (Fixed in 1.123.17)
<2.5.2 (Fixed in 2.5.2)
As many as 10 security researchers, including Fatih Çelik, who reported the original bug CVE-2025-68613, as well as Endor Labs' Cris Staicu, Pillar Security's Eilon Cohen, and SecureLayer7's Sandeep Kamble, have been acknowledged for discovering the shortcoming."
A critical vulnerability in n8n allows authenticated users with permission to create or modify workflows to execute arbitrary system commands through crafted expressions in workflow parameters. The flaw, tracked as CVE-2026-25049 (CVSS 9.4), bypasses the sanitization previously applied for CVE-2025-68613 and affects versions prior to 1.123.17 and 2.5.2. The risk escalates when public, unauthenticated webhooks are used, because remote actors can then trigger the workflow and run the commands without holding an account. Successful exploitation can lead to server compromise, credential theft, data exfiltration, and installation of persistent backdoors. Multiple security researchers contributed to identifying the issue, and fixes are available.
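A defender-side check, added here as an example (not code from The Hacker News, SecureLayer7 or the n8n project): it tests whether a running n8n version predates the fix on its own release line (1.x versus 2.x, using the fixed versions named above) and scans an exported workflow for Webhook nodes left without authentication, the condition the article singles out as turning the bug into an unauthenticated remote one. The n8n export field names (`nodes`, `type`, `parameters.authentication`) and the sample workflow are assumptions constructed for the example.

```python
import json

# Fixed versions from the advisory: 1.x line fixed in 1.123.17, 2.x line fixed in 2.5.2.
FIXED_BY_MAJOR = {1: (1, 123, 17), 2: (2, 5, 2)}


def parse_version(text: str) -> tuple:
    """Turn 'v1.123.16' or '2.5.2-rc.1' into a comparable tuple of ints."""
    core = text.strip().lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str) -> bool:
    """True if this n8n version predates the fix on its own release line.

    Comparing only against the highest fixed version would be wrong: 2.0.0 is
    newer than 1.123.17 yet still vulnerable, because the 2.x fix is 2.5.2.
    """
    v = parse_version(version)
    fixed = FIXED_BY_MAJOR.get(v[0])
    if fixed is None:
        return v[0] < 1          # 0.x predates both fixes; 3.x+ is outside the advisory
    return v < fixed


def unauthenticated_webhooks(workflow: dict) -> list:
    """Names of Webhook nodes whose auth setting is absent or 'none'.

    Assumption: an exported workflow carries a 'nodes' list; the Webhook node
    type is 'n8n-nodes-base.webhook' and its auth mode is
    parameters['authentication'], omitted when left at the default 'none'.
    """
    flagged = []
    for node in workflow.get("nodes", []):
        if node.get("type") != "n8n-nodes-base.webhook":
            continue
        auth = node.get("parameters", {}).get("authentication", "none")
        if auth == "none":
            flagged.append(node.get("name", "<unnamed>"))
    return flagged


# Constructed sample export: one open webhook, one header-authenticated, one unrelated node.
SAMPLE_WORKFLOW = json.loads("""{
  "name": "demo",
  "nodes": [
    {"name": "Public hook", "type": "n8n-nodes-base.webhook",
     "parameters": {"path": "ingest", "httpMethod": "POST"}},
    {"name": "Protected hook", "type": "n8n-nodes-base.webhook",
     "parameters": {"path": "ingest2", "authentication": "headerAuth"}},
    {"name": "Set", "type": "n8n-nodes-base.set", "parameters": {}}
  ]
}""")
```

Run it against `n8n --version` output and a workflow exported from the UI; any name returned by `unauthenticated_webhooks` on an affected version is a node to put behind authentication first.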
Read at The Hacker News