Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Critical n8n Flaw CVE-2026-25049 Enables System Command Execution via Malicious Workflows

The Hacker News by The Hacker News
February 5, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Ravie LakshmananFeb 05, 2026Workflow Automation / Vulnerability

A new, critical security vulnerability has been disclosed in the n8n workflow automation platform that, if successfully exploited, could result in the execution of arbitrary system commands.

The flaw, tracked as CVE-2026-25049 (CVSS score: 9.4), is the result of inadequate sanitization that bypasses safeguards put in place to address CVE-2025-68613 (CVSS score: 9.9), another critical defect that was patched by n8n in December 2025.

“Additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613,” n8n’s maintainers said in an advisory released Wednesday.

“An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n.”

The issue affects the following versions –

  • <1.123.17 (Fixed in 1.123.17)
  • <2.5.2 (Fixed in 2.5.2)

As many as 10 security researchers, including Fatih Çelik, who reported the original bug CVE-2025-68613, as well as Endor Labs’ Cris Staicu, Pillar Security’s Eilon Cohen, and SecureLayer7’s Sandeep Kamble, have been acknowledged for discovering the shortcoming.

“An attacker creates a workflow with a publicly accessible webhook that has no authentication enabled,” SecureLayer7 said. “By adding a single line of JavaScript using destructuring syntax, the workflow can be abused to execute system-level commands. Once exposed, anyone on the internet can trigger the webhook and run commands remotely.”

Successful exploitation of the vulnerability could allow an attacker to compromise the server, steal credentials, and exfiltrate sensitive data, not to mention open up opportunities for threat actors to install persistent backdoors to facilitate long-term access.

The cybersecurity company also noted that the severity of the flaw significantly increases when it’s paired with n8n’s webhook feature, permitting an adversary to create a workflow using a public webhook and add a remote code execution payload to a node in the workflow, causing the webhook to be publicly accessible once the workflow is activated.

Pillar’s report has described the issue as permitting an attacker to steal API keys, cloud provider keys, database passwords, OAuth tokens, and access the filesystem and internal systems, pivot to connected cloud accounts, and hijack artificial intelligence (AI) workflows.

“The attack requires nothing special. If you can create a workflow, you can own the server,” Cohen said.

Endor Labs, which also shared details of the vulnerability, said the problem arises from gaps in n8n’s sanitization mechanisms that allow for bypassing security controls.

“The vulnerability arises from a mismatch between TypeScript’s compile-time type system and JavaScript’s runtime behavior,” Staicu explained. “While TypeScript enforces that a property should be a string at compile time, this enforcement is limited to values that are present in the code during compilation.”

“TypeScript cannot enforce these type checks on runtime attacker-produced values. When attackers craft malicious expressions at runtime, they can pass non-string values (such as objects, arrays, or symbols) that bypass the sanitization check entirely.”

If immediate patching is not an option, users are advised to follow the workarounds below to minimize the impact of potential exploitation –

  • Restrict workflow creation and editing permissions to fully trusted users only
  • Deploy n8n in a hardened environment with restricted operating system privileges and network access

“This vulnerability demonstrates why multiple layers of validation are crucial. Even if one layer (TypeScript types) appears strong, additional runtime checks are necessary when processing untrusted input,” Endor Labs said. “Pay special attention to sanitization functions during code review, looking for assumptions about input types that aren’t enforced at runtime.”



Source link

The Hacker News

The Hacker News

Next Post
Half of Google’s software development now AI-generated | Computer Weekly

Half of Google’s software development now AI-generated | Computer Weekly

Recommended.

Unilumin au congrès 2026 de l’Organisation mondiale de la publicité extérieure (WOO) à Londres : concevoir un avenir plus intelligent et plus durable pour le secteur mondial de la publicité extérieure numérique

Unilumin au congrès 2026 de l’Organisation mondiale de la publicité extérieure (WOO) à Londres : concevoir un avenir plus intelligent et plus durable pour le secteur mondial de la publicité extérieure numérique

June 13, 2026
Video Conferencing Market Skyrockets to .17 Billion by 2031 Dominated by Tech Giants – Adobe Systems Inc, Cisco Systems Inc, and Microsoft Corporation | The Insight Partners

Video Conferencing Market Skyrockets to $19.17 Billion by 2031 Dominated by Tech Giants – Adobe Systems Inc, Cisco Systems Inc, and Microsoft Corporation | The Insight Partners

January 17, 2025

Trending.

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

May 21, 2025
Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

April 23, 2025
MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

April 7, 2025
VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

September 11, 2025
Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

May 8, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio