CVE-2026-25055 is a path traversal vulnerability (CWE-22) found in the n8n workflow automation platform prior to versions 1.123.12 and 2.4.0. The vulnerability occurs when workflows handle uploaded files and transfer them to remote servers using the SSH node without validating the file metadata, such as filenames or paths. This improper validation allows an attacker to craft file uploads that include path traversal sequences (e.g., ../) to write files outside the intended directories on the remote server. Because the SSH node executes file transfers remotely, this can lead to files being placed in sensitive locations, potentially enabling remote code execution if malicious payloads are written to executable paths. Exploitation requires the attacker to be unauthenticated but have knowledge of existing workflows that process file uploads and access to unauthenticated upload endpoints. The vulnerability is mitigated by validating and sanitizing file paths before transfer and by restricting access to upload endpoints. The issue has been addressed in n8n versions 1.123.12 and 2.4.0. The CVSS 4.0 score is 7.1 (high), reflecting network attack vector, low attack complexity, no privileges or user interaction required, but with high scope and impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild as of the publication date.

For European organizations, this vulnerability poses a significant risk especially for those leveraging n8n for automated workflows involving file uploads and remote SSH transfers. Successful exploitation could allow attackers to write arbitrary files to critical locations on remote servers, potentially leading to remote code execution, data compromise, or disruption of services. This could impact confidentiality, integrity, and availability of systems and data. Organizations in sectors with high automation reliance, such as finance, manufacturing, and critical infrastructure, may face operational disruptions or data breaches. The unauthenticated nature of the attack vector increases risk, particularly if upload endpoints are exposed to the internet without proper access controls. The potential for lateral movement and persistence through remote code execution elevates the threat level. While no active exploits are known, the presence of this vulnerability in widely used automation tools necessitates urgent remediation to prevent future attacks.

1. Upgrade all n8n instances to versions 1.123.12 or 2.4.0 or later to ensure the vulnerability is patched. 2. Restrict access to file upload endpoints by implementing strong authentication and network-level controls such as IP whitelisting or VPN access. 3. Implement rigorous validation and sanitization of all file metadata, especially filenames and paths, within workflows before files are transferred to remote servers. 4. Review and audit existing workflows that use the SSH node for file transfers to identify and remediate any unsafe handling of file paths. 5. Employ monitoring and alerting on unusual file system changes or SSH activity on remote servers to detect potential exploitation attempts. 6. Conduct regular security assessments and penetration testing focused on automation platforms and their exposed endpoints. 7. Educate developers and administrators on secure workflow design and the risks of unauthenticated file uploads. 8. Use network segmentation to isolate critical systems and limit the impact of potential compromises.