CVE-2026-25049

n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d	Patch
https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b	Patch
https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:n8n:n8n::::::node.js::*
	cpe:2.3:a:n8n:n8n::::::node.js::*

History

05 Feb 2026, 20:22

Type	Values Removed	Values Added
First Time		N8n n8n N8n
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.9
CPE		cpe:2.3:a:n8n:n8n::::::node.js::*
References	~~() https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d -~~	() https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d - Patch
References	~~() https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b -~~	() https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b - Patch
References	~~() https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8 -~~	() https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8 - Patch, Vendor Advisory

04 Feb 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-04 17:16

Updated : 2026-02-05 20:22

NVD link : CVE-2026-25049

Mitre link : CVE-2026-25049

CVE.ORG link : CVE-2026-25049

JSON object : View

Products Affected

n8n

n8n

CWE

CWE-913

Improper Control of Dynamically-Managed Code Resources

{"id": "CVE-2026-25049", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-04T17:16:22.833", "references": [{"url": "https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-913"}]}], "descriptions": [{"lang": "en", "value": "n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2."}], "lastModified": "2026-02-05T20:22:47.870", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "8FB57226-E06A-4156-9A24-C320BCA37EB1", "versionEndExcluding": "1.123.17"}, {"criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "509670CC-912A-43CD-995A-26CDBBEF3D8F", "versionEndExcluding": "2.5.2", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}