Cybersecurity

Cyber: Critical N8n Flaw Cve-2026-25049 Enables System Command Execution...

2026-02-05 0 views admin
Cyber: Critical N8n Flaw Cve-2026-25049 Enables System Command Execution...

A new, critical security vulnerability has been disclosed in the n8n workflow automation platform that, if successfully exploited, could result in the execution of arbitrary system commands.

The flaw, tracked as CVE-2026-25049 (CVSS score: 9.4), is the result of inadequate sanitization that bypasses safeguards put in place to address CVE-2025-68613 (CVSS score: 9.9), another critical defect that was patched by n8n in December 2025.

"Additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613," n8n's maintainers said in an advisory released Wednesday.

"An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n."

As many as 10 security researchers, including Fatih Çelik, who reported the original bug CVE-2025-68613, as well as Endor Labs' Cris Staicu, Pillar Security's Eilon Cohen, and SecureLayer7's Sandeep Kamble, have been acknowledged for discovering the shortcoming.

In a technical deep-dive expounding CVE-2025-68613 and CVE-2026-25049, Çelik said "they could be considered the same vulnerability, as the second one is just a bypass for the initial fix," adding how they allow an attacker to escape the n8n expression sandbox mechanism and get around security checks.

"An attacker creates a workflow with a publicly accessible webhook that has no authentication enabled," SecureLayer7 said. "By adding a single line of JavaScript using destructuring syntax, the workflow can be abused to execute system-level commands. Once exposed, anyone on the internet can trigger the webhook and run commands remotely."

Successful exploitation of the vulnerability could allow an attacker to compromise the server, steal credentials, and exfiltrate sensitive data, not to mention open up opportunities for threat actors to install persistent backdoors to facilitate long-term access.

The cybersecurity company also noted that the severity of the flaw significantly increases when it's paired with n8n's webhook feature, permitting an adversary to create a workflow using a public webhook and add a remote code execution payload to a node in the workflow, causing the webhook to be publicly accessible once the workflow is activated.

Pillar's report has described the issue as permitting an attacker to steal API keys, cloud provider keys, database passwords, OAuth tokens, and access the filesystem

Source: The Hacker News

🏷️ Tags

cybersecuritysecurityvulnerabilitycveattack

More from Cybersecurity

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

2026-02-24 0
Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

2026-02-24 0
Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

2026-02-24 0
Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

2026-02-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views