CVE-2026-25053 is an OS command injection vulnerability identified in the n8n open source workflow automation platform, specifically within its Git node component. The flaw exists in versions prior to 1.123.10 and 2.5.0, where authenticated users with permissions to create or modify workflows can inject malicious OS commands due to improper neutralization of special characters in system command inputs (CWE-78). This allows attackers to execute arbitrary commands on the host operating system or read arbitrary files, potentially leading to full system compromise. The vulnerability requires authentication but no user interaction, and the attacker must have workflow modification rights, which are typically granted to developers or automation administrators. The CVSS 4.0 base score of 9.4 reflects the vulnerability’s critical severity, with network attack vector, low attack complexity, no need for user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability’s nature and ease of exploitation make it a significant risk. The issue was publicly disclosed and patched on February 4, 2026, with fixed versions 1.123.10 and 2.5.0 released to remediate the flaw. Organizations running vulnerable versions should prioritize patching and review access controls to limit permissions to trusted users only. Monitoring for anomalous command execution or file access patterns on n8n hosts is also recommended to detect potential exploitation attempts.

For European organizations, this vulnerability poses a critical risk to the confidentiality, integrity, and availability of systems running n8n workflow automation. Successful exploitation could lead to unauthorized command execution, enabling attackers to manipulate workflows, exfiltrate sensitive data, disrupt automation processes, or pivot to other internal systems. This could impact business continuity, data privacy compliance (e.g., GDPR), and operational technology environments relying on automated workflows. Given n8n’s growing adoption in European tech sectors, including finance, manufacturing, and IT services, the potential for widespread disruption is significant. Attackers exploiting this vulnerability could gain persistent footholds, escalate privileges, or deploy ransomware. The lack of required user interaction and low attack complexity increase the likelihood of exploitation in environments with insufficient access controls. Organizations with exposed or poorly segmented n8n instances are particularly vulnerable. The impact extends beyond IT to operational processes automated via n8n, potentially affecting critical infrastructure and service delivery.

1. Immediately upgrade all n8n instances to version 1.123.10 or 2.5.0 or later to apply the official patch addressing CVE-2026-25053. 2. Restrict permissions to create or modify workflows strictly to trusted, vetted users to minimize the attack surface. 3. Implement network segmentation and firewall rules to limit access to n8n management interfaces to authorized personnel only. 4. Enable detailed logging and monitoring on n8n hosts to detect unusual command executions or file access patterns indicative of exploitation attempts. 5. Conduct regular audits of workflow configurations, especially those involving the Git node, to identify and remediate suspicious or unauthorized changes. 6. Employ host-based intrusion detection systems (HIDS) to alert on unexpected system command executions. 7. Educate administrators and developers on secure workflow design and the risks of injecting untrusted input into system commands. 8. Consider deploying n8n instances within hardened containers or virtual machines with minimal privileges to contain potential compromises. 9. Review and enforce strong authentication and access control policies for all automation platform users. 10. Maintain an incident response plan that includes procedures for addressing workflow automation platform compromises.