CVE-2025-62726 is a remote code execution vulnerability identified in the open-source workflow automation platform n8n, specifically in its Git Node component available in both Cloud and Self-Hosted versions prior to version 1.113.0. The vulnerability stems from the inclusion of functionality from an untrusted control sphere (CWE-829). When n8n clones a remote Git repository that contains a maliciously crafted pre-commit hook, the subsequent use of the Commit operation in the Git Node inadvertently triggers execution of this hook. This behavior allows an attacker to execute arbitrary code within the n8n runtime environment. The attack vector requires network access and limited privileges (PR:L), but no user interaction is necessary, making exploitation feasible in automated or unattended scenarios. The impact is severe, affecting confidentiality, integrity, and availability: attackers can compromise the system, access or manipulate connected credentials, and disrupt workflows. The vulnerability has a CVSS v3.1 base score of 8.8, reflecting its high severity. Although no known exploits have been reported in the wild, the nature of the vulnerability and the widespread use of n8n in automation workflows make it a critical risk. The issue is resolved in n8n version 1.113.0, where the execution of untrusted Git hooks during the Commit operation is prevented.

For European organizations, this vulnerability poses significant risks due to the increasing adoption of n8n for automating business processes and integrating various services. Exploitation could lead to full system compromise, unauthorized access to sensitive credentials stored or used within workflows, and disruption of critical automated operations. This could result in data breaches, operational downtime, and potential regulatory non-compliance under GDPR if personal data is exposed or manipulated. Cloud deployments are particularly at risk due to their exposure to external networks, while self-hosted instances may be targeted via insider threats or lateral movement within corporate networks. The ability to execute arbitrary code remotely without user interaction increases the attack surface and potential for automated exploitation campaigns. The impact extends beyond the compromised n8n instance to any connected systems or services integrated via workflows, amplifying the potential damage.

European organizations should immediately upgrade all n8n instances to version 1.113.0 or later to remediate this vulnerability. Until patching is complete, restrict network access to the Git Node component and limit the ability to clone repositories from untrusted sources. Implement strict repository whitelisting and code review policies to prevent malicious Git hooks from entering the environment. Employ runtime application monitoring to detect anomalous process executions indicative of hook-triggered code execution. Use least privilege principles for n8n service accounts to minimize the impact of potential exploitation. Regularly audit workflows and connected credentials for unauthorized changes. Additionally, segregate n8n environments from critical infrastructure to contain potential breaches. Finally, maintain up-to-date backups of workflows and configurations to enable rapid recovery if compromise occurs.