CVE-2026-25052: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in n8n-io n8n
n8n is an open source workflow automation platform. Prior to versions 1.123.18 and 2.5.0, a vulnerability in the file access controls allows authenticated users with permission to create or modify workflows to read sensitive files from the n8n host system. This can be exploited to obtain critical configuration data and user credentials, leading to complete account takeover of any user on the instance. This issue has been patched in versions 1.123.18 and 2.5.0.
AI Analysis
Technical Summary
CVE-2026-25052 is a critical security vulnerability classified as a Time-of-check Time-of-use (TOCTOU) race condition (CWE-367) in the n8n open source workflow automation platform. This flaw exists in the file access control mechanism prior to versions 1.123.18 and 2.5.0. The vulnerability allows authenticated users who have permissions to create or modify workflows to exploit a race condition between the time a file access check is performed and the time the file is actually used. This race condition enables these users to bypass intended file access restrictions and read sensitive files from the host system where n8n is running. By reading these files, attackers can extract critical configuration data and user credentials stored on the system. This can lead to a complete account takeover of any user on the n8n instance, escalating privileges and compromising the entire platform. The vulnerability is remotely exploitable without user interaction and requires only low privileges (workflow modification rights). The CVSS v4.0 base score is 9.4, indicating a critical severity with high impact on confidentiality, integrity, and availability. The vulnerability was publicly disclosed on February 4, 2026, and patches have been released in versions 1.123.18 and 2.5.0 to fix the issue. No known exploits have been reported in the wild yet, but the ease of exploitation and potential impact make this a significant threat. Organizations using n8n for automation workflows should prioritize patching and review user permissions to mitigate risk.
Potential Impact
For European organizations, this vulnerability poses a severe risk to the confidentiality and integrity of sensitive data managed within n8n workflows. Since n8n is often used to automate business-critical processes, exploitation could lead to unauthorized disclosure of configuration secrets, credentials, and potentially sensitive business logic. Attackers gaining full account takeover can manipulate workflows, disrupt automation processes, and pivot to other internal systems, causing operational disruption and data breaches. The impact is heightened in multi-tenant or shared environments where multiple users have workflow modification rights. Compliance with GDPR and other data protection regulations could be jeopardized if personal or sensitive data is exposed. The critical nature of the vulnerability and its ease of exploitation mean that organizations could face significant financial, reputational, and regulatory consequences if exploited.
Mitigation Recommendations
1. Immediately upgrade all n8n instances to version 1.123.18 or 2.5.0 or later to apply the official patch addressing the TOCTOU race condition.
2. Restrict workflow creation and modification permissions strictly to trusted administrators or users with a demonstrated need, minimizing the number of accounts that can exploit this vulnerability.
3. Implement robust monitoring and alerting on n8n instances for unusual file access patterns or privilege escalations, including logs of workflow changes and file reads.
4. Conduct regular audits of user permissions and workflow configurations to detect unauthorized modifications.
5. Isolate n8n hosts in segmented network zones with limited access to sensitive backend systems and credentials.
6. Employ host-based security controls such as file integrity monitoring and endpoint detection to detect exploitation attempts.
7. Educate administrators and users about the risks of granting excessive permissions within automation platforms.
8. Consider additional compensating controls such as multi-factor authentication for user accounts with workflow modification rights to reduce the risk of account takeover.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-28T14:50:47.888Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69837ea2f9fa50a62f9d1912
Added to database: 2/4/2026, 5:15:14 PM
Last enriched: 2/4/2026, 5:31:10 PM
Last updated: 2/7/2026, 7:16:09 PM