CVE-2026-25049 - Vulnerability Details - OpenCVE

n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d
https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b
https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8

History

Wed, 04 Feb 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2.
Title		n8n Has an Expression Escape Vulnerability Leading to RCE
Weaknesses		CWE-913
References		https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8
Metrics		cvssV4_0 `{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-04T16:46:31.124Z

Updated: 2026-02-04T16:46:31.124Z

Reserved: 2026-01-28T14:50:47.888Z

Link: CVE-2026-25049

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-02-04T17:16:22.833

Modified: 2026-02-04T17:16:22.833

Link: CVE-2026-25049

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25049", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-28T14:50:47.888Z", "datePublished": "2026-02-04T16:46:31.124Z", "dateUpdated": "2026-02-04T16:46:31.124Z"}, "containers": {"cna": {"title": "n8n Has an Expression Escape Vulnerability Leading to RCE", "problemTypes": [{"descriptions": [{"cweId": "CWE-913", "lang": "en", "description": "CWE-913: Improper Control of Dynamically-Managed Code Resources", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8"}, {"name": "https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d", "tags": ["x_refsource_MISC"], "url": "https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d"}, {"name": "https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b", "tags": ["x_refsource_MISC"], "url": "https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b"}], "affected": [{"vendor": "n8n-io", "product": "n8n", "versions": [{"version": "< 1.123.17", "status": "affected"}, {"version": "< 2.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T16:46:31.124Z"}, "descriptions": [{"lang": "en", "value": "n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2."}], "source": {"advisory": "GHSA-6cqr-8cfr-67f8", "discovery": "UNKNOWN"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2."}], "id": "CVE-2026-25049", "lastModified": "2026-02-04T17:16:22.833", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-04T17:16:22.833", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d"}, {"source": "security-advisories@github.com", "url": "https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b"}, {"source": "security-advisories@github.com", "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-913"}], "source": "security-advisories@github.com", "type": "Primary"}]}