CVE-2026-25049 is a critical security vulnerability identified in the n8n workflow automation platform, specifically affecting versions prior to 1.123.17 and 2.5.2. The root cause is improper control of dynamically-managed code resources (CWE-913), which allows an authenticated user with permissions to create or modify workflows to inject and execute crafted expressions within workflow parameters. These expressions can trigger unintended system command execution on the host machine running n8n, effectively enabling command injection. The vulnerability does not require elevated privileges beyond workflow modification rights, nor does it require user interaction, increasing the risk of exploitation. The CVSS 4.0 base score of 9.4 reflects the critical nature of this flaw, with network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild, the potential for attackers to gain remote code execution and control over affected systems is significant. The vulnerability has been addressed in n8n versions 1.123.17 and 2.5.2, where input validation and expression handling have been improved to prevent malicious code execution. Organizations running vulnerable versions should prioritize upgrading to patched releases and review workflow permissions to limit exposure.

For European organizations, this vulnerability poses a severe risk due to the potential for remote code execution on critical automation infrastructure. Exploitation could lead to unauthorized access to sensitive data, disruption of automated business processes, and lateral movement within corporate networks. Given n8n's role in integrating various services and automating workflows, a compromise could cascade into broader system failures or data leakage. Industries relying heavily on automation, such as finance, manufacturing, and healthcare, may experience operational downtime and regulatory compliance issues if exploited. The ease of exploitation by any authenticated user with workflow modification rights increases the threat surface, especially in environments with insufficient access controls. Additionally, the lack of known exploits does not diminish the urgency, as public disclosure may prompt attackers to develop exploits rapidly. The impact extends to cloud-hosted and on-premises deployments, affecting organizations that use n8n for orchestrating internal and external services.

1. Immediately upgrade all n8n instances to version 1.123.17 or 2.5.2 or later to apply the official patch addressing this vulnerability. 2. Restrict workflow creation and modification permissions strictly to trusted administrators or users with a demonstrated need, minimizing the number of users who can exploit this flaw. 3. Implement network segmentation and firewall rules to limit access to n8n management interfaces, reducing exposure to potentially malicious authenticated users. 4. Conduct thorough audits of existing workflows to detect and remove any suspicious or untrusted expressions or parameters. 5. Employ runtime monitoring and alerting for unusual command execution patterns on hosts running n8n. 6. Integrate multi-factor authentication (MFA) for all users with workflow modification rights to reduce the risk of compromised credentials being used for exploitation. 7. Regularly review and update access control policies and ensure that least privilege principles are enforced within the n8n environment. 8. Consider deploying n8n instances within isolated environments or containers with limited host system privileges to contain potential exploitation impact.