CVE-2026-25053 is an OS command injection vulnerability classified under CWE-78 affecting the open-source workflow automation platform n8n. The flaw exists in the Git node component of n8n versions prior to 1.123.10 and 2.5.0. Authenticated users who have permissions to create or modify workflows can exploit this vulnerability to execute arbitrary system commands or read arbitrary files on the host machine running n8n. This is due to improper neutralization of special elements in OS commands, allowing injection of malicious commands. The vulnerability does not require user interaction beyond authentication and can be triggered remotely over the network, as n8n is typically accessed via web interfaces. The CVSS 4.0 score of 9.4 reflects the vulnerability's critical nature, with high impact on confidentiality, integrity, and availability, and low attack complexity. Although no known exploits are currently reported in the wild, the ease of exploitation and severity make it a high-risk issue. The vulnerability has been addressed in versions 1.123.10 and 2.5.0 by properly sanitizing inputs in the Git node. Organizations running earlier versions should prioritize patching to prevent potential compromise. Given n8n's role in automating workflows and integrating various services, exploitation could lead to unauthorized data access, system compromise, or disruption of automated processes.

For European organizations, this vulnerability poses a significant risk due to the potential for unauthorized command execution on critical infrastructure hosting n8n. Compromise could lead to data breaches, unauthorized access to sensitive files, disruption of automated workflows, and potential lateral movement within networks. Organizations in sectors such as finance, manufacturing, healthcare, and public administration that rely on automation platforms for operational efficiency are particularly vulnerable. The ability of an attacker to execute arbitrary commands without user interaction and with only authenticated access increases the threat level, especially if credential compromise occurs. The impact extends beyond confidentiality to integrity and availability, potentially causing operational downtime and reputational damage. Additionally, organizations subject to strict data protection regulations like GDPR face increased compliance risks if sensitive data is exposed or systems are disrupted.

1. Immediately upgrade all n8n instances to version 1.123.10 or 2.5.0 or later to apply the official patch addressing this vulnerability. 2. Restrict workflow creation and modification permissions strictly to trusted users to minimize the risk of exploitation by unauthorized or malicious insiders. 3. Implement strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. 4. Monitor logs and system activity for unusual commands or file access patterns originating from the Git node or workflow execution processes. 5. Employ network segmentation to isolate n8n hosts from critical infrastructure and sensitive data repositories. 6. Conduct regular security audits and vulnerability scans on automation platforms to detect outdated versions or misconfigurations. 7. Educate administrators and developers about the risks associated with workflow automation and the importance of secure coding and input validation practices. 8. Consider deploying runtime application self-protection (RASP) or host-based intrusion detection systems (HIDS) to detect and block suspicious command execution attempts.