n8n security woes roll on as new critical flaws bypass December fix
(2026/02/05)
- Reference: 1770291493
- News link: https://www.theregister.co.uk/2026/02/05/n8n_security_woes_roll_on/
- Source link:
Multiple newly disclosed bugs in the popular workflow automation tool n8n could allow attackers to hijack servers, steal credentials, and quietly disrupt AI-driven business processes.
The vulnerabilities, collectively tracked as CVE-2026-25049, stem from weaknesses in how n8n sanitizes expressions inside workflows and could enable authenticated users to smuggle malicious code past safeguards introduced to fix CVE-2025-68613, a December 2025 vulnerability that already carried a near-perfect severity score.
The new flaws carry a CVSS rating of 9.4, though some researchers argue the real-world impact could be even worse.
n8n – an open source automation platform widely used to stitch together cloud apps, internal services, and increasingly AI-driven workflows – confirmed the issue in a security advisory [2] published Wednesday. Maintainers warned that users with permission to create or modify workflows could craft expressions that trigger unintended command execution on the host system.
"Additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613 [5]," n8n's maintainers said. "An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n."
The disclosure lands just weeks after [6] another maximum-severity n8n bug, dubbed "ni8mare", exposed an estimated 100,000 automation servers to takeover through an unauthenticated remote code execution flaw that let attackers seize vulnerable systems without logging in. The run of critical bugs underscores how frequently the platform has landed in defenders' patch queues lately.
Security outfit Pillar Security, which disclosed the new vulnerabilities alongside other researchers, told The Register that the flaws are particularly damaging because of the sensitive material automation platforms typically handle. The firm warned that successful exploitation could hand attackers full control of vulnerable servers, and that this access could also expose stored workflow credentials, including API keys and tokens used to connect to cloud and AI services.
"What makes these vulnerabilities particularly dangerous is the combination of ease of exploitation and the high-value targets they expose," said Eilon Cohen, AI security researcher at Pillar Security. "If you can create a workflow in n8n, you can own the server.
"For attackers, this means access to OpenAI keys, Anthropic credentials, AWS accounts, and the ability to intercept or modify AI interactions in real time – all while the workflows continue functioning normally."
The risks may be even broader for users of n8n Cloud, the hosted version of the platform. According to Pillar, the service's multi-tenant architecture could allow a single malicious user to access other customers' data if the flaw is successfully exploited.
Researchers at SecureLayer7, who also discovered the vulnerability, said [13] exploitation requires relatively little effort. In one proof-of-concept example, the researchers set up a workflow triggered by a public webhook with no authentication. By inserting a short line of JavaScript that uses destructuring into a workflow expression, they tricked n8n into running commands at the system level. Once that webhook is live, anyone who knows the URL can hit the endpoint and execute commands on the server hosting it, with no n8n account required.
The disclosure highlights how automation platforms are becoming increasingly attractive targets as they take on a larger role within organizations. Tools such as n8n often store credentials that grant access to SaaS apps, internal systems, and AI services, so if attackers breach one of these platforms, access can quickly spill over into other environments.
Patches addressing CVE-2026-25049 have now been released, and n8n is urging customers to update immediately. Security teams are being told to take a closer look at user permissions, review existing workflows, and rotate sensitive credentials in automation pipelines, particularly those connected to cloud or AI services.
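The advice above to review existing workflows is easier to act on with a script than by clicking through the editor. The following is an added example written for this article, not code from n8n, Pillar Security or SecureLayer7, and not the researchers' proof of concept. It audits an exported workflow (the JSON n8n produces when you export or fetch a workflow) for the two conditions the story describes: a Webhook trigger with no authentication, and expression parameters whose `{{ }}` body contains JavaScript a normal field reference never needs, destructuring assignment among them. The node type string `n8n-nodes-base.webhook`, the `authentication` parameter and its `none` default, and the `=`-prefixed expression format are this example's understanding of n8n's export format; the suspicious-pattern list is a reviewer's heuristic, not n8n's sanitizer, and the sample workflow is constructed.

```javascript
'use strict';

// Node type of n8n's Webhook trigger, and the value its "authentication"
// parameter takes when no auth is configured (assumed to be the default when
// the key is absent from an export).
const WEBHOOK_NODE_TYPE = 'n8n-nodes-base.webhook';
const NO_AUTH = 'none';

// Heuristic patterns a reviewer would want flagged inside {{ }} expressions.
// These are this example's assumptions about what looks suspicious, not n8n's
// own sanitizer rules, and they will not catch every bypass.
const SUSPICIOUS_PATTERNS = [
  { name: 'destructuring assignment', re: /\{[^{}]*\}\s*=(?!=)/ },
  { name: 'prototype or constructor access', re: /\bconstructor\b|__proto__|\bprototype\b/ },
  { name: 'process, require or import access', re: /\bprocess\b|\brequire\s*\(|\bimport\s*\(|child_process/ },
  { name: 'dynamic code evaluation', re: /\beval\s*\(|\bFunction\s*\(/ },
];

// n8n stores expressions as strings that begin with "=" and embed JavaScript
// between {{ and }}. Return the embedded code fragments (empty if none).
function extractExpressions(value) {
  if (typeof value !== 'string' || !value.startsWith('=')) return [];
  const out = [];
  const re = /\{\{([\s\S]*?)\}\}/g;
  let m;
  while ((m = re.exec(value)) !== null) out.push(m[1]);
  return out;
}

// Depth-first walk over a node's parameters, calling cb(path, string) for every
// string leaf so nested collections (Set assignments, headers, options) are covered.
function walkStrings(value, cb, path = 'parameters') {
  if (typeof value === 'string') {
    cb(path, value);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => walkStrings(v, cb, `${path}[${i}]`));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) walkStrings(v, cb, `${path}.${k}`);
  }
}

// Audit one exported workflow. Returns findings of kind
// 'unauthenticated-webhook' or 'suspicious-expression', each naming the node.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    const params = node.parameters || {};

    if (node.type === WEBHOOK_NODE_TYPE && (params.authentication ?? NO_AUTH) === NO_AUTH) {
      findings.push({
        node: node.name,
        kind: 'unauthenticated-webhook',
        detail: `public trigger at path "${params.path ?? ''}" with no authentication` +
                (workflow.active ? ' (workflow is active)' : ''),
      });
    }

    walkStrings(params, (path, str) => {
      for (const code of extractExpressions(str)) {
        for (const p of SUSPICIOUS_PATTERNS) {
          if (p.re.test(code)) {
            findings.push({
              node: node.name,
              kind: 'suspicious-expression',
              detail: `${p.name} at ${path}: ${code.trim()}`,
            });
          }
        }
      }
    });
  }
  return findings;
}

// Constructed sample export (not a real tenant's workflow). The "probe"
// assignment is a synthetic destructuring string to exercise the detector,
// not an exploit for n8n; "greeting" is a benign field reference.
const SAMPLE_WORKFLOW = {
  name: 'lead-intake (constructed sample)',
  active: true,
  nodes: [
    { name: 'Webhook', type: 'n8n-nodes-base.webhook',
      parameters: { httpMethod: 'POST', path: 'intake' } },
    { name: 'Shape fields', type: 'n8n-nodes-base.set',
      parameters: { assignments: { assignments: [
        { name: 'greeting', value: '=Hello {{ $json.body.name }}' },
        { name: 'probe', value: '={{ ({ a, b } = $json.body, a) }}' },
      ] } } },
  ],
};

for (const f of auditWorkflow(SAMPLE_WORKFLOW)) {
  console.log(`[${f.kind}] ${f.node}: ${f.detail}`);
}
```

Point the script at a directory of exports pulled from your instance and treat every `unauthenticated-webhook` hit on an active workflow as exposed to anyone holding the URL; the expression check is a triage aid that narrows which workflows a human reviews first, and a clean result does not prove the instance is patched.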
Because automation tools are tightly integrated into daily operations, breaches can be hard to detect. Workflows continue to run as usual, dashboards show everything is fine, and attackers can extract sensitive data without drawing much attention. ®
[2] https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8
[5] https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp
[6] https://www.theregister.com/2026/01/08/n8n_rce_bug/
[13] https://blog.securelayer7.net/cve-2026-25049/
Re: JavaScript on the Server
Pickle Rick
> And we do really, really need a sarcasm icon
Oh, do we? Really? Really, really? Reeeeeally?
Hmm, you might be right :)
JavaScript on the Server
What a brilliant idea!
YMMV
AAC
And we do really, really need a sarcasm icon