
CVE-2026-25052: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in n8n-io n8n

Severity: Critical
Tags: vulnerability, cve-2026-25052, cwe-367
Published: Wed Feb 04 2026 (02/04/2026, 16:47:04 UTC)
Source: CVE Database V5
Vendor/Project: n8n-io
Product: n8n

Description

CVE-2026-25052 is a critical TOCTOU race condition vulnerability in the n8n workflow automation platform prior to versions 1.123.18 and 2.5.0. Authenticated users with workflow creation or modification permissions can exploit this flaw to bypass file access controls and read sensitive files on the host system. This exposure can lead to disclosure of critical configuration data and user credentials, enabling complete account takeover of any user on the affected instance. The vulnerability requires low privileges but no user interaction and can be exploited remotely. Although no known exploits are reported in the wild yet, the high CVSS score of 9.4 reflects its severe impact on confidentiality, integrity, and availability.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/12/2026, 07:40:50 UTC

Technical Analysis

CVE-2026-25052 is a time-of-check to time-of-use (TOCTOU) race condition vulnerability classified under CWE-367, affecting the n8n open source workflow automation platform. The flaw exists in the file access control mechanism prior to versions 1.123.18 and 2.5.0, allowing authenticated users with permissions to create or modify workflows to exploit a race condition to bypass intended access restrictions. This enables them to read arbitrary sensitive files on the host system where n8n is running. By accessing critical configuration files and user credentials, an attacker can escalate privileges and achieve complete account takeover of any user on the instance. The vulnerability is remotely exploitable without user interaction and requires only low privileges (workflow modification rights). The CVSS v4.0 score of 9.4 indicates a critical severity, with high impact on confidentiality, integrity, and availability, and a broad scope affecting all users on the instance. Although no public exploits are currently known, the nature of the vulnerability and the sensitive data exposed make it a high-risk issue. The vendor has addressed the vulnerability in versions 1.123.18 and 2.5.0, and users are strongly advised to upgrade. The vulnerability highlights the risks inherent in race conditions within access control logic in automation platforms, which can lead to severe privilege escalation and data breaches.

Potential Impact

For European organizations, this vulnerability poses a significant risk due to the potential for unauthorized disclosure of sensitive configuration data and credentials, leading to full account compromise. Organizations using n8n for critical automation workflows could face operational disruption, data breaches, and lateral movement by attackers within their networks. The ability to take over any user account on the instance increases the risk of insider-like attacks and data exfiltration. Given the increasing adoption of automation platforms in sectors such as finance, healthcare, and manufacturing across Europe, exploitation could lead to regulatory non-compliance, reputational damage, and financial losses. The vulnerability's remote exploitability and lack of user interaction requirements make it easier for attackers to leverage once authenticated, increasing the threat surface. Additionally, compromised credentials could facilitate further attacks against integrated systems and cloud services. The absence of known exploits in the wild currently provides a window for proactive mitigation, but the critical severity demands urgent attention.

Mitigation Recommendations

1. Immediately upgrade all n8n instances to versions 1.123.18 or 2.5.0 or later, where the vulnerability is patched.
2. Restrict workflow creation and modification permissions strictly to trusted administrators to reduce the number of users who can exploit the vulnerability.
3. Implement robust monitoring and alerting for unusual file access patterns or privilege escalations within n8n environments.
4. Employ network segmentation and access controls to limit exposure of n8n hosts to only necessary users and systems.
5. Regularly audit workflow configurations and user permissions to detect unauthorized changes.
6. Use host-based intrusion detection systems to identify attempts to access sensitive files.
7. Educate administrators and users about the risks of granting workflow modification rights and enforce least privilege principles.
8. Maintain up-to-date backups of critical configuration and workflow data to enable recovery in case of compromise.
9. Consider deploying n8n instances in isolated environments or containers with strict file system permissions to limit the impact of potential exploitation.
10. Follow vendor advisories and subscribe to security mailing lists for timely updates on this and related vulnerabilities.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-28T14:50:47.888Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69837ea2f9fa50a62f9d1912

Added to database: 2/4/2026, 5:15:14 PM

Last enriched: 2/12/2026, 7:40:50 AM

Last updated: 3/25/2026, 3:27:52 AM

Views: 147
