New critical vulnerabilities in n8n workflow automation platform allow authenticated users to execute system commands and steal credentials, bypassing December's security patch.
The popular workflow automation platform n8n is facing another wave of critical security vulnerabilities that could allow attackers to hijack servers, steal credentials, and disrupt AI-driven business processes. The newly disclosed flaws, tracked as CVE-2026-25049, have a CVSS rating of 9.4 and stem from weaknesses in how n8n sanitizes expressions inside workflows.
These vulnerabilities are particularly concerning because they bypass a December 2025 fix (CVE-2025-68613) that was meant to address a similar severe expression bug. Security researchers at Pillar Security, who disclosed the new vulnerabilities alongside other researchers, warn that the real-world impact could be even worse than the CVSS score suggests.
The Vulnerability Explained
The core issue lies in n8n's expression evaluation system. Authenticated users with permission to create or modify workflows can craft malicious expressions that trigger unintended command execution on the host system. This means that if an attacker gains access to create workflows in n8n, they can essentially take over the entire server.
Eilon Cohen, AI security researcher at Pillar Security, explained the severity: "What makes these vulnerabilities particularly dangerous is the combination of ease of exploitation and the high-value targets they expose. If you can create a workflow in n8n, you can own the server."
For attackers, this access translates to control over sensitive credentials including OpenAI keys, Anthropic credentials, AWS accounts, and the ability to intercept or modify AI interactions in real time – all while the workflows continue functioning normally.
Real-World Exploitation
Researchers at SecureLayer 7 demonstrated how relatively simple it is to exploit these vulnerabilities. In one proof-of-concept example, they showed how an attacker could set up a workflow using a public webhook with no authentication. By inserting a short line of JavaScript using destructuring, they tricked n8n into running system-level commands.
Once the webhook is live, anyone who knows the URL could hit the endpoint and execute commands on the server hosting it. This low barrier to exploitation makes the vulnerabilities particularly dangerous in real-world scenarios.
Broader Implications
The risks extend beyond just n8n's self-hosted version. Users of n8n Cloud, the hosted platform, face additional concerns due to the service's multi-tenant architecture. Pillar Security warns that a single malicious user could potentially access other customers' data if the flaw is successfully exploited in the cloud environment.
This vulnerability highlights a growing trend in cybersecurity: as automation platforms take on larger roles within organizations, they become increasingly attractive targets. Tools like n8n often store credentials that grant access to SaaS applications, internal systems, and AI services. A breach in one of these platforms can quickly spill over into other environments.
Detection Challenges
One of the most insidious aspects of these vulnerabilities is how difficult they can be to detect. Because automation tools are tightly integrated into daily operations, breaches can fly under the radar. Workflows continue to run as usual, dashboards show everything is functioning normally, and attackers can extract sensitive data without drawing much attention.
This stealth capability makes these vulnerabilities particularly dangerous for organizations that rely heavily on automation for their business processes.
Mitigation and Response
n8n has released patches addressing CVE-2026-25049 and is urging customers to update immediately. However, security teams are being advised to take additional steps beyond just applying the patch:
- Review user permissions and restrict workflow creation/modification capabilities
- Audit existing workflows for suspicious expressions
- Rotate sensitive credentials in automation pipelines, especially those connected to cloud or AI services
- Monitor for unusual workflow activity or system command executions
The disclosure of these vulnerabilities comes just weeks after another maximum-severity n8n bug dubbed "ni8mare" exposed an estimated 100,000 automation servers to takeover through an unauthenticated remote code execution flaw. This pattern of recurring critical vulnerabilities underscores how frequently the platform has landed in defenders' patch queues lately.
As organizations continue to adopt workflow automation tools and integrate them with AI services, the security implications become increasingly significant. The n8n vulnerabilities serve as a stark reminder that the convenience of automation must be balanced with robust security measures, particularly when these tools have access to sensitive credentials and critical business processes.
Comments
Please log in or register to join the discussion