The n8n workflow automation platform, a favorite among technical teams for its “fair-code” flexibility and AI capabilities, has been struck by a cluster of critical security vulnerabilities. Security researchers have disclosed three distinct flaws (CVE-2026-25056, CVE-2026-25049, and CVE-2026-25053) that allow authenticated attackers to completely take over the host server.
With CVSS scores climbing as high as 9.4, these vulnerabilities turn the tool’s greatest strength, its ability to execute complex logic, into its biggest liability.
The most recent discovery, CVE-2026-25053, targets the platform’s version control capabilities. The vulnerability lies within the Git node, a component used to manage code repositories.
According to the advisory, “Vulnerabilities in the Git node allowed authenticated users with permission to create or modify workflows to execute arbitrary system commands or read arbitrary files on the n8n host”.
This effectively allows an attacker with basic workflow permissions to break out of the application and execute commands directly on the server’s operating system. The flaw has been patched in versions 2.5.0 and 1.123.10.
Another critical flaw, CVE-2026-25056, exploits the Merge node, specifically its SQL Query mode. This vulnerability allows an attacker to write files anywhere they choose on the server.
The advisory warns that “A vulnerability in the Merge node’s SQL Query mode allowed authenticated users… to write arbitrary files to the n8n server’s filesystem potentially leading to remote code execution”.
By creating a malicious file, such as a web shell or a rogue configuration script, an attacker could execute code with the same privileges as the n8n process. This issue was resolved in versions 2.4.0 and 1.118.0.
The third, CVE-2026-25049 (CVSS 9.3), is a more sophisticated flaw involving the platform’s expression evaluation engine.
“Additional exploits in the expression evaluation of n8n have been identified… An authenticated user with permission to create or modify workflows could abuse crafted expressions to execute arbitrary code,” the advisory writes.
The common thread across all three vulnerabilities is the requirement for “workflow creation and editing permissions.” While this implies an attacker needs a login, in many organizations, these permissions are broadly granted to developers and analysts.
The maintainers urge all users to upgrade immediately.
- For Git Node (CVE-2026-25053): Upgrade to 2.5.0 or 1.123.10.
- For Merge Node (CVE-2026-25056): Upgrade to 2.4.0 or 1.118.0.
For those who cannot patch right away, the advisory suggests a drastic workaround: “Limit workflow creation and editing permissions to fully trusted users only” and consider restricting access to the specific nodes (Git and Merge) involved.
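One way to operationalise the upgrade and workaround guidance above, as an added example that is not from the article or the n8n project: it checks an installed n8n version against each CVE's fix on the correct release line (1.x versus 2.x, so 2.4.0 counts as patched for the Merge node flaw but not for the Git node flaw) and inventories exported workflows that use the Git or Merge nodes. The node type identifiers and the workflow JSON shape are assumptions; CVE-2026-25049 is omitted because the article gives no fix version for it.

```python
import json

# Fix versions per CVE, as stated in the advisory text quoted above.
FIXES = {
    "CVE-2026-25053 (Git node)": ["2.5.0", "1.123.10"],
    "CVE-2026-25056 (Merge node)": ["2.4.0", "1.118.0"],
}

# Assumed n8n node type identifiers for the two affected nodes.
RISKY_NODE_TYPES = {"n8n-nodes-base.git", "n8n-nodes-base.merge"}


def parse_version(v):
    """'v1.123.10-rc.1' -> (1, 123, 10); pre-release suffixes are dropped."""
    core = v.strip().lstrip("v").split("-")[0]
    return tuple(int(p) for p in core.split("."))


def is_patched(installed, fixed_versions):
    """Patched only if installed >= the fix on its own major release line."""
    inst = parse_version(installed)
    # Newest release line first, so a later major (e.g. 3.x) counts as patched.
    for fx in sorted(fixed_versions, key=parse_version, reverse=True):
        fixed = parse_version(fx)
        if inst[0] >= fixed[0]:
            return inst >= fixed
    return False  # older than every patched release line


def assess(installed):
    return {cve: is_patched(installed, fxs) for cve, fxs in FIXES.items()}


def exposed_workflows(workflow_json_docs):
    """Map workflow name -> node names for workflows using Git/Merge nodes."""
    hits = {}
    for doc in workflow_json_docs:
        wf = json.loads(doc)
        nodes = [n["name"] for n in wf.get("nodes", []) if n.get("type") in RISKY_NODE_TYPES]
        if nodes:
            hits[wf.get("name", "<unnamed>")] = nodes
    return hits


# Constructed sample exports, shaped like n8n workflow JSON (assumed shape).
SAMPLE_WORKFLOWS = [
    json.dumps({"name": "repo-sync", "nodes": [
        {"name": "Trigger", "type": "n8n-nodes-base.manualTrigger"},
        {"name": "Pull repo", "type": "n8n-nodes-base.git"}]}),
    json.dumps({"name": "notify", "nodes": [
        {"name": "Slack", "type": "n8n-nodes-base.slack"}]}),
]

if __name__ == "__main__":
    for v in ("1.118.0", "1.123.10", "2.4.0", "2.5.0"):
        print(v, assess(v))
    print(exposed_workflows(SAMPLE_WORKFLOWS))
```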