CVE-2026-25056: CWE-434: Unrestricted Upload of File with Dangerous Type in n8n-io n8n
CVE-2026-25056 is a critical vulnerability in the n8n workflow automation platform affecting versions prior to 1.118.0 and 2.4.0. It allows authenticated users with workflow creation or modification permissions to exploit the Merge node's SQL Query mode to write arbitrary files to the server filesystem. This unrestricted file upload can lead to remote code execution without requiring user interaction. The vulnerability has a high CVSS 4.0 score of 9.4, indicating severe impact on confidentiality, integrity, and availability.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-25056 affects the open-source workflow automation platform n8n in versions prior to 1.118.0 and 2.4.0. It stems from an unrestricted file upload flaw (CWE-434) in the Merge node's SQL Query mode, which is accessible to authenticated users who have permissions to create or modify workflows. This flaw allows these users to write arbitrary files to the server's filesystem, potentially enabling remote code execution (RCE). The vulnerability is critical because it does not require user interaction and can be exploited remotely over the network (AV:N), with low attack complexity (AC:L) and no need for additional privileges beyond workflow modification rights (PR:L). The CVSS 4.0 vector indicates high impact on confidentiality, integrity, and availability, with scope and security requirements also rated high. The vulnerability arises from insufficient validation and sanitization of file uploads within the workflow node, allowing dangerous file types to be written and executed. Although no exploits have been observed in the wild yet, the potential for attackers to gain full control of the n8n server is significant. The vendor has addressed the issue in versions 1.118.0 and 2.4.0 by implementing proper file validation and restricting dangerous file uploads. Organizations relying on n8n for automation workflows must upgrade to these patched versions to mitigate the risk.
Potential Impact
For European organizations, especially those using n8n for critical business process automation, this vulnerability poses a severe risk. Exploitation could lead to unauthorized access, data breaches, and disruption of automated workflows, impacting operational continuity. Remote code execution could allow attackers to pivot within internal networks, exfiltrate sensitive data, or deploy ransomware. Sectors such as finance, healthcare, manufacturing, and government agencies that increasingly rely on automation platforms are particularly vulnerable. The compromise of n8n servers could also affect supply chain operations and interconnected services. Given the criticality and ease of exploitation, the threat could result in significant financial losses, reputational damage, and regulatory penalties under GDPR if personal data is exposed. The absence of known exploits in the wild currently provides a window for proactive mitigation but should not lead to complacency.
Mitigation Recommendations
1. Immediately upgrade all n8n instances to version 1.118.0 or 2.4.0 or later to apply the official patch addressing this vulnerability.
2. Restrict workflow creation and modification permissions to trusted administrators only, minimizing the number of users who can exploit this flaw.
3. Implement strict input validation and file type restrictions at the application and network layers to prevent dangerous file uploads.
4. Monitor filesystem activity on n8n servers for unusual file creation or modification, especially in directories accessible by the application.
5. Employ application-layer firewalls or runtime application self-protection (RASP) tools to detect and block suspicious behavior related to file uploads and execution.
6. Conduct regular security audits and penetration testing focused on workflow automation platforms.
7. Isolate n8n servers within segmented network zones with limited access to critical infrastructure.
8. Maintain comprehensive logging and alerting for workflow changes and server file system events to enable rapid incident response.
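To support recommendations 2 and 8, the following added example (not code from n8n or from this advisory) inventories every Merge node set to SQL Query mode in exported workflow JSON so each one can be reviewed together with who is allowed to edit it. The node type `n8n-nodes-base.merge`, the mode value `combineBySql`, and the field names read from the export are assumptions about n8n's export format; the sample workflows are constructed.

```javascript
// Added example: inventory Merge nodes in SQL Query mode across exported n8n workflows.
// Assumptions (not stated in the advisory): node type "n8n-nodes-base.merge" with
// parameters.mode === "combineBySql" identifies the Merge node's SQL Query mode.
const MERGE_TYPE = "n8n-nodes-base.merge";
const SQL_MODE = "combineBySql";

// Accepts one exported workflow object or an array of them; returns findings to review.
function findSqlMergeNodes(exported) {
  const workflows = Array.isArray(exported) ? exported : [exported];
  const findings = [];
  for (const wf of workflows) {
    if (!wf || !Array.isArray(wf.nodes)) continue; // skip malformed entries
    for (const node of wf.nodes) {
      const params = (node && node.parameters) || {};
      if (node && node.type === MERGE_TYPE && params.mode === SQL_MODE) {
        findings.push({
          workflowId: wf.id ?? null,
          workflowName: wf.name ?? "(unnamed)",
          active: wf.active === true,
          nodeName: node.name ?? "(unnamed)",
          disabled: node.disabled === true,
          query: typeof params.query === "string" ? params.query : "",
        });
      }
    }
  }
  // Active workflows with enabled nodes sort first: they run unattended.
  return findings.sort((a, b) => rank(b) - rank(a));
}

// Review priority: active workflow (2) plus enabled node (1).
function rank(f) { return (f.active ? 2 : 0) + (f.disabled ? 0 : 1); }

// Constructed sample export (not real workflow data).
const SAMPLE_EXPORT = [
  { id: "w1", name: "Nightly report", active: true, nodes: [
    { name: "Merge", type: MERGE_TYPE, parameters: { mode: "append" } } ] },
  { id: "w2", name: "Customer join", active: true, nodes: [
    { name: "Join orders", type: MERGE_TYPE, parameters: { mode: SQL_MODE,
      query: "SELECT * FROM input1 LEFT JOIN input2 ON input1.id = input2.id" } } ] },
  { id: "w3", name: "Draft", active: false, nodes: [
    { name: "Old merge", type: MERGE_TYPE, disabled: true,
      parameters: { mode: SQL_MODE, query: "SELECT * FROM input1" } } ] },
];

for (const f of findSqlMergeNodes(SAMPLE_EXPORT)) console.log(JSON.stringify(f));
```

Run it over the parsed JSON of each workflow export and compare the findings between runs; a new or changed entry on an instance that is not yet upgraded is a workflow change worth alerting on.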
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-28T14:50:47.888Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69837ea2f9fa50a62f9d1922
Added to database: 2/4/2026, 5:15:14 PM
Last enriched: 2/12/2026, 7:41:58 AM
Last updated: 3/22/2026, 4:48:03 PM