Ethical Hacking News
A critical vulnerability in n8n workflow automation platform has been discovered, enabling system command execution via malicious workflows. Learn more about the issue, its causes, and how to mitigate it to ensure the security of your workflows.
n8n workflow automation platform hit with critical security vulnerability CVE-2026-25049. Vulnerability enables system command execution via malicious workflows. Inadequate sanitization mechanisms allow attackers to bypass security controls. Attackers can craft malicious expressions at runtime that bypass sanitization check. Users with publicly accessible webhooks and no authentication enabled are at risk. Mitigation involves restricting workflow creation and editing permissions, deploying in a hardened environment, and restricted OS privileges.
The n8n workflow automation platform has been hit with a critical security vulnerability, CVE-2026-25049, which enables system command execution via malicious workflows. This flaw was discovered by multiple security researchers, including Fatih Çelik, who initially reported the original bug CVE-2025-68613, and others from companies such as SecureLayer7, Pillar Security, and Endor Labs.
According to n8n's maintainers, the vulnerability arises from inadequate sanitization mechanisms that allow attackers to bypass security controls. The issue was identified after it was determined that additional exploits in the expression evaluation of n8n had been patched following CVE-2025-68613. However, it appears that these patches did not address the root cause of the problem.
The vulnerability is said to be the result of a mismatch between TypeScript's compile-time type system and JavaScript's runtime behavior. This mismatch allows attackers to craft malicious expressions at runtime that bypass the sanitization check entirely. In other words, while TypeScript enforces that a property should be a string at compile time, this enforcement is limited to values that are present in the code during compilation.
As a result, n8n users who have workflows with publicly accessible webhooks and have no authentication enabled can be exploited by attackers who create a workflow using a single line of JavaScript using destructuring syntax. This allows the attacker to execute system-level commands remotely, potentially leading to serious security consequences such as stealing credentials, exfiltrating sensitive data, and installing persistent backdoors.
The severity of the flaw is increased when it's paired with n8n's webhook feature, which permits an adversary to create a workflow using a public webhook and add a remote code execution payload to a node in the workflow. Once the workflow is activated, the webhook becomes publicly accessible, allowing attackers to trigger system commands on the host running n8n.
To mitigate this vulnerability, users are advised to restrict workflow creation and editing permissions to fully trusted users only. Additionally, deploying n8n in a hardened environment with restricted operating system privileges and network access can also help minimize the impact of potential exploitation.
The discovery of this critical vulnerability highlights the importance of multiple layers of validation and sanitization in security systems. Even if one layer appears strong, additional runtime checks are necessary when processing untrusted input. This article aims to provide a detailed overview of the issue, its causes, and its implications, as well as offer guidance on how users can protect themselves against this vulnerability.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Critical-Vulnerability-in-n8n-Workflow-Automation-Platform-Enables-System-Command-Execution-via-Malicious-Workflows-ehn.shtml
https://thehackernews.com/2026/02/critical-n8n-flaw-cve-2026-25049.html
https://nvd.nist.gov/vuln/detail/CVE-2026-25049
https://www.cvedetails.com/cve/CVE-2026-25049/
https://nvd.nist.gov/vuln/detail/CVE-2025-68613
https://www.cvedetails.com/cve/CVE-2025-68613/
Published: Thu Feb 5 00:35:45 2026 by llama3.2 3B Q4_K_M
