Patch meant to close a severe expression bug fails to stop attackers with workflow access

Multiple newly disclosed bugs in the popular workflow automation tool n8n could allow attackers to hijack servers, steal credentials, and quietly disrupt AI-driven business processes.…
Analysis Summary
# Vulnerability: Persistent Expression Evaluation Flaws in n8n Leading to RCE
## CVE Details
- CVE ID: CVE-2026-25049
- CVSS Score: 9.4 (Critical)
- CWE: Injection (inferred from the expression-evaluation context; no CWE number is given in the source)
## Affected Systems
- Products: n8n (Workflow automation tool)
- Versions: Not explicitly specified; the flaws affect versions that already include the fix for CVE-2025-68613, since that patch did not fully close the issue. Users are urged to update immediately.
- Configurations: Users with permission to create or modify workflows. Potentially affects n8n Cloud multi-tenant architecture.
## Vulnerability Description
Multiple vulnerabilities exist in n8n's expression evaluation mechanism that were not fully mitigated by a patch addressing the prior severe flaw, CVE-2025-68613. Authenticated users who can create or modify workflows can craft malicious expressions within workflow parameters. This allows them to bypass existing safeguards and achieve unintended system command execution (RCE) on the host machine running n8n. Successful exploitation grants full server control, potentially exposing stored credentials, API keys (e.g., OpenAI, Anthropic, AWS), and allowing real-time interception/modification of AI-driven processes.
## Exploitation
- Status: PoC available (demonstrated through a public webhook that triggers system command execution via JavaScript destructuring in a workflow expression).
- Complexity: Low (requires an authenticated user with workflow creation or modification permission).
- Attack Vector: Network (exploitable by hitting a crafted public webhook endpoint).
## Impact
- Confidentiality: High (theft of credentials and API keys; access to other tenants in the Cloud environment).
- Integrity: High (modification or interception of AI interactions; arbitrary system command execution).
- Availability: Medium (potential service disruption from server takeover).
## Remediation
### Patches
- Patches addressing CVE-2026-25049 have been released. Customers are urged to update immediately to the patched version.
(Specific patched version numbers are not provided in the source text.)
### Workarounds
1. Review user permissions: Limit the ability to create or modify workflows to only trusted personnel.
2. Rotate sensitive credentials: Immediately rotate API keys and tokens stored within automation pipelines, especially those connected to cloud or AI services.
3. Review existing workflows for suspicious expressions.
## Detection
- Indicators of Compromise: Unexplained system command execution originating from the n8n host process, or unexpected outbound network activity tied to workflow credentials.
- Detection methods and tools: Monitor host-level process execution for anomalous child processes or system calls originating from the n8n application process. Audit workflow creation and modification logs for complex or suspicious expression inputs entered shortly before any security incident.
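As an added example (not from the source article or the n8n project), the process-monitoring method above applied to a constructed process-creation feed: it flags shells, interpreters and download tools that descend from the n8n node process at any depth, reporting the full ancestry chain. The event field names, the n8n-process heuristic and the suspect-child list are assumptions to adapt to your own telemetry.

```python
import json

# Constructed sample process-creation events (not real telemetry). The field names
# are an assumption modelled on a generic EDR / auditd-style JSON feed; n8n itself
# does not emit these, so map them to whatever your agent actually records.
SAMPLE_EVENTS = """\
{"ts":"2026-02-10T09:00:01Z","pid":4100,"ppid":1,"user":"node","comm":"node","cmdline":"node /usr/local/bin/n8n start"}
{"ts":"2026-02-10T09:12:40Z","pid":4300,"ppid":4100,"user":"node","comm":"sh","cmdline":"/bin/sh -c id"}
{"ts":"2026-02-10T09:12:41Z","pid":4301,"ppid":4300,"user":"node","comm":"curl","cmdline":"curl -s https://collector.example.invalid/"}
{"ts":"2026-02-10T09:13:02Z","pid":5000,"ppid":1,"user":"root","comm":"bash","cmdline":"bash /opt/backup.sh"}
{"ts":"2026-02-10T09:13:05Z","pid":5001,"ppid":5000,"user":"root","comm":"curl","cmdline":"curl https://backup.example.invalid/upload"}
"""

# Shells, scripting interpreters and download tools: the kinds of children an
# expression-evaluation RCE would spawn from the n8n process (a tunable assumption).
SUSPECT_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat",
                    "python", "python3", "perl"}


def is_n8n_process(ev):
    """Heuristic: the n8n app runs as a node process whose command line names n8n."""
    return ev["comm"] == "node" and "n8n" in ev["cmdline"]


def ancestry(ev, by_pid):
    """Chain of events from the outermost known ancestor down to ev (cycle-safe)."""
    chain, seen = [ev], set()
    while ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["pid"])
        ev = by_pid[ev["ppid"]]
        chain.append(ev)
    return list(reversed(chain))


def detect_n8n_spawns(jsonl):
    """Flag suspect processes that descend (at any depth) from the n8n process."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        if ev["comm"] not in SUSPECT_CHILDREN:
            continue
        chain = ancestry(ev, by_pid)
        if any(is_n8n_process(a) for a in chain[:-1]):  # an ancestor, not ev itself
            alerts.append({"pid": ev["pid"], "user": ev["user"], "ts": ev["ts"],
                           "chain": [a["cmdline"] for a in chain]})
    return alerts


if __name__ == "__main__":
    for alert in detect_n8n_spawns(SAMPLE_EVENTS):
        print(f"[{alert['ts']}] pid {alert['pid']} ({alert['user']}): "
              + " -> ".join(alert["chain"]))
```

The unrelated backup job (bash and curl under pid 5000) is not flagged because no n8n process appears in its ancestry, which keeps the rule focused on the IoC described above.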
## References
- Vendor advisory (related): hxxps://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8
- Prior CVE: hxxps://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp
- Research Disclosure: hxxps://blog.securelayer7.net/cve-2026-25049/