CVE-2026-25055 is a path traversal vulnerability (CWE-22) affecting n8n, an open-source workflow automation platform. The flaw exists in versions prior to 1.123.12 and 2.4.0, where workflows that handle uploaded files and subsequently transfer them to remote servers via the SSH node do not properly validate the metadata of these files. This improper validation allows an attacker to craft file uploads with manipulated pathnames, causing files to be written outside the intended directories on remote systems. Because the SSH node executes file transfers, this can lead to remote code execution on those remote servers if malicious files are placed in executable locations. Exploitation requires the attacker to be unauthenticated but have knowledge of the vulnerable workflows and access to unauthenticated file upload endpoints. The vulnerability has a CVSS 4.0 score of 7.1, reflecting high severity due to network attack vector, no privileges required, no user interaction, but with high scope and impact on confidentiality, integrity, and availability. The issue was publicly disclosed and patched in versions 1.123.12 and 2.4.0. No known exploits have been observed in the wild, but the potential for severe impact exists if exploited. The vulnerability highlights the importance of validating file metadata and securing upload endpoints in automation platforms that interact with remote systems.

For European organizations, the impact of CVE-2026-25055 can be significant, particularly for those relying on n8n for automating workflows involving file transfers to remote servers. Successful exploitation can lead to unauthorized file writes on critical remote systems, potentially resulting in remote code execution, data breaches, or disruption of automated processes. This could compromise sensitive data confidentiality, integrity, and availability of services. Organizations in sectors such as finance, healthcare, manufacturing, and critical infrastructure that use n8n to automate sensitive workflows are at heightened risk. The ability for an unauthenticated attacker to exploit this vulnerability increases the threat level, especially if upload endpoints are exposed without authentication. Additionally, the cross-system nature of the attack (from the n8n platform to remote servers via SSH) broadens the attack surface and complicates incident response. The absence of known exploits in the wild provides a window for proactive mitigation, but the high severity score underscores the urgency of patching and securing affected systems.

1. Immediately upgrade all n8n instances to version 1.123.12 or 2.4.0 or later to apply the official patch addressing this vulnerability. 2. Restrict access to file upload endpoints by enforcing strong authentication and authorization controls to prevent unauthenticated access. 3. Implement strict validation of file metadata and pathnames within workflows before processing or transferring files, ensuring that path traversal sequences are sanitized or rejected. 4. Limit the SSH node's permissions on remote servers to the minimum necessary, using dedicated service accounts with constrained privileges and directory access. 5. Monitor logs and alerts for unusual file transfer activities or unexpected file writes on remote systems, enabling rapid detection of exploitation attempts. 6. Conduct regular security audits and penetration tests focusing on workflow automation components and their integration points. 7. Educate developers and administrators on secure workflow design principles, emphasizing input validation and endpoint security. 8. Consider network segmentation to isolate automation platforms from critical infrastructure where feasible.