Sandbox Shattered: New n8n Critical Flaw CVE-2026-25049 Exposes AI Workflows to Full Takeover

The n8n workflow automation platform is once again embroiled in a significant security crisis. In a recently disseminated advisory, the developers disclosed a critical vulnerability that, if successfully weaponized, permits the execution of arbitrary systemic commands on the host server.

This defect, designated as CVE-2026-25049 with a formidable CVSS score of 9.4, fundamentally represents a subversion of a prior remediation for CVE-2025-68613, a critical flaw addressed in December 2025. Inadequate sanitization within the expression evaluation engine enables an adversary to bypass the n8n sandbox constraints and achieve command execution on the underlying host.

An offensive requires an authenticated user with privileges to conceive or modify workflows. However, SecureLayer7 highlights a particularly high-risk scenario involving n8n webhooks. An antagonist could engineer a workflow featuring a publicly accessible, unauthenticated webhook and embed a deleterious expression within the node parameters; once activated, this webhook serves as a conduit for remote command execution.

The ramifications extend far beyond the mere seizure of server control. Pillar Security elucidates the catastrophic risks of exfiltrating API credentials, cloud provider keys, database passwords, and OAuth tokens. Furthermore, an attacker could gain unfettered access to the file system and internal resources, encompassing linked cloud accounts and automation chains integrated with AI components.

Endor Labs attributes the root cause of this infirmity to a discrepancy between TypeScript type-checking during compilation and the actual behavior of JavaScript at runtime. Consequently, a validation routine designed for string inputs can be circumvented by supplying data of a disparate type, meticulously crafted by the assailant.

The vulnerability afflicts n8n iterations prior to 1.123.17 and 2.5.2, where it has been duly rectified. Should an immediate update prove unfeasible, it is prudent to restrict workflow creation and modification rights exclusively to a circle of verified individuals and to deploy n8n within a more rigorously isolated environment characterized by minimal privileges and stringent network constraints.

Concurrently, n8n has promulgated advisories for several other defects. These include CVE-2026-25053 (system command injection in the Git node) and CVE-2026-25056 (arbitrary file write via SQL Query in the Merge node), both bearing a CVSS score of 9.4 and potentially leading to Remote Code Execution (RCE). Additionally, CVE-2026-25054, a stored XSS within the markdown rendering component, and CVE-2026-25055, a path traversal vulnerability in the SSH node, have been documented.