
"Multiple critical vulnerabilities in the popular n8n open-source workflow automation platform allow escaping the confines of the environment and taking complete control of the host server. Collectively tracked as CVE-2026-25049, the issues can be exploited by any authenticated user who can create or edit workflows on the platform to perform unrestricted remote code execution on the n8n server. Researchers at several cybersecurity companies reported the problems, which stem from n8n's sanitization mechanism and bypass the patch for CVE-2025-68613, another critical flaw addressed on December 20."
"Pillar's report describes the problem as incomplete AST-based sandboxing and explains that it arises from n8n's weak sandboxing of user-written server-side JavaScript expressions in workflows. On December 21, 2025, they demonstrated a chained bypass to the n8n team, allowing sandbox escape and access to the Node.js global object, leading to RCE. A fix was implemented two days later, but upon further analysis, Pillar found it incomplete, and a second escape via a different mechanism using equivalent operations remained possible. n8n developers confirmed the bypass on December 3"
Multiple critical vulnerabilities (CVE-2026-25049) in n8n allow any authenticated user who can create or edit workflows to execute unrestricted remote code on the host server. Exploitation enables full instance compromise, arbitrary system command execution, and theft of stored credentials, API keys, OAuth tokens, and sensitive configuration files. Attackers can access the filesystem and internal systems, pivot to connected cloud accounts, and hijack AI workflows by intercepting prompts or modifying responses. The root cause is incomplete AST-based sandboxing and weak sanitization of user-written server-side JavaScript expressions in workflows. An initial fix was applied, but subsequent analysis found the mitigation incomplete, leaving additional sandbox escapes possible.
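Because the issue is reachable by anyone who can edit a workflow, a defender's first question is which workflows on an instance actually carry user-authored server-side JavaScript. The script below is an added example, not code from the BleepingComputer article or from the n8n project: it walks an exported workflow and lists every Code-node script and inline expression, flagging those that name the Node.js runtime surface the escapes reach so an administrator can prioritise review. It assumes (these are assumptions, not facts from the article) that Code nodes use the type `n8n-nodes-base.code` with the script in `parameters.jsCode`, and that inline expressions are parameter strings beginning with `={{`; the sample workflow is constructed for the example.

```javascript
// Added example (not from the BleepingComputer article or the n8n project):
// triage an exported n8n workflow for user-authored server-side JavaScript,
// the surface the CVE-2026-25049 sandbox escapes run through. An administrator
// can run this over every workflow export to decide which ones need review.
//
// Assumptions, not facts from the article: Code nodes carry the type
// "n8n-nodes-base.code" with the script in parameters.jsCode, and inline
// expressions are parameter strings that begin with "={{". Adjust both if
// your export format differs.

const EXPRESSION_PREFIX = '={{';
const CODE_NODE_TYPES = new Set(['n8n-nodes-base.code']);

// Identifiers that name the Node.js runtime surface the article says the
// escapes reach. Their presence is a reason to look, not proof of abuse.
const REVIEW_TOKENS = ['process', 'require', 'globalThis', 'constructor', 'Function', 'eval'];

// Depth-first walk over every string inside a node's parameters, yielding
// each with its dotted path so findings point at the exact field.
function* walkStrings(value, path = []) {
  if (typeof value === 'string') {
    yield { path: path.join('.'), text: value };
  } else if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) yield* walkStrings(value[i], [...path, String(i)]);
  } else if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) yield* walkStrings(v, [...path, k]);
  }
}

// Whole-word match so "processed" or "$evaluate" do not trigger a flag.
function reviewTokensIn(text) {
  return REVIEW_TOKENS.filter((t) => new RegExp(`\\b${t}\\b`).test(text));
}

// Returns one finding per string the n8n server would evaluate as code:
// the jsCode body of a Code node, or any parameter holding an expression.
function triageWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    const isCodeNode = CODE_NODE_TYPES.has(node.type);
    for (const { path, text } of walkStrings(node.parameters || {})) {
      let kind = null;
      if (isCodeNode && path.split('.').pop() === 'jsCode') kind = 'code';
      else if (text.startsWith(EXPRESSION_PREFIX)) kind = 'expression';
      if (kind === null) continue;
      findings.push({
        workflow: workflow.name, node: node.name, type: node.type,
        kind, path, tokens: reviewTokensIn(text),
      });
    }
  }
  return findings;
}

// Counts for a dashboard or a ticket: how much code runs server-side, and how
// much of it touches the runtime surface worth a manual look.
function summarize(findings) {
  return {
    total: findings.length,
    code: findings.filter((f) => f.kind === 'code').length,
    expressions: findings.filter((f) => f.kind === 'expression').length,
    needsReview: findings.filter((f) => f.tokens.length > 0).length,
  };
}

// Constructed sample export: a webhook, a Set node with one inline expression,
// and a Code node whose script touches the Node.js process object.
const SAMPLE_WORKFLOW = {
  name: 'constructed-sample',
  nodes: [
    { name: 'Webhook', type: 'n8n-nodes-base.webhook', parameters: { path: 'intake' } },
    { name: 'Set', type: 'n8n-nodes-base.set',
      parameters: { values: { string: [{ name: 'greeting', value: '={{ "Hello " + $json.name }}' }] } } },
    { name: 'Code', type: 'n8n-nodes-base.code',
      parameters: { jsCode: 'return items.map((i) => ({ json: { ...i.json, host: process.env.HOSTNAME } }));' } },
  ],
};

if (typeof require !== 'undefined' && require.main === module) {
  const findings = triageWorkflow(SAMPLE_WORKFLOW);
  for (const f of findings) {
    console.log(`${f.workflow} / ${f.node} [${f.kind}] ${f.path} tokens=${f.tokens.join(',') || '-'}`);
  }
  console.log(summarize(findings));
}
```

Run it against the JSON produced by an n8n workflow export; on the constructed sample it reports two findings, of which only the Code node is marked for review. The token list is deliberately a review heuristic rather than a block list: the article's point is that denylist-style filtering of expressions is exactly what the escapes defeat, so the output should drive human review and the upgrade to a fixed n8n version, not replace the patch.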
Read at BleepingComputer