Executive Summary
Eight new high-to-critical vulnerabilities have been disclosed in n8n, the popular open-source workflow automation platform used widely in enterprise DevOps and security operations. The most severe — CVE-2026-21858 (CVSS 10.0) — allows fully unauthenticated remote code execution.
A related flaw, CVE-2026-25049 (CVSS 9.4), bypasses a fix for a prior critical vulnerability from December 2025, enabling authenticated users to escape the n8n expression sandbox and execute system commands.
Minimum safe version: n8n 2.5.2+
The Eight CVEs
| CVE | CVSS | Auth Required | Description |
|---|---|---|---|
| CVE-2026-21858 | 10.0 | No | Unauthenticated remote code execution |
| CVE-2026-25049 | 9.4 | Yes | Sandbox escape via expression evaluation bypass |
| CVE-2026-21893 | 9.4 | Admin | Command injection for admin users |
| CVE-2026-2xxxx | High | Yes | File access control bypass |
| CVE-2026-2xxxx | High | Yes | Git integration command injection |
| CVE-2026-2xxxx | High | Yes | SSH node command injection |
| CVE-2026-2xxxx | High | Yes | Merge node data exfiltration |
| CVE-2026-2xxxx | High | Yes | Python execution sandbox escape |
Deep Dive: The Sandbox Escape (CVE-2026-25049)
How It Works
n8n evaluates expressions written in {{ }} syntax so that workflow nodes can reference data produced by other nodes. That evaluation runs in a sandbox intended to prevent arbitrary code execution. Researchers found, however, that JavaScript destructuring syntax can escape the sandbox.
Attack Chain
1. Attacker creates a workflow with a webhook trigger
2. Webhook node contains a crafted expression using destructuring
3. When the webhook is triggered, the expression escapes the sandbox
4. System commands execute with the n8n process's privileges
5. Attacker gains shell access to the n8n server
Why the December Fix Failed
The December 2025 patch for the original sandbox escape (CVE-2025-XXXXX) blocked specific patterns but missed the destructuring syntax variant. CVE-2026-25049 exploits this gap, demonstrating the difficulty of securing JavaScript expression evaluation.
Deep Dive: Unauthenticated RCE (CVE-2026-21858)
CVE-2026-21858 is the most severe — a CVSS 10.0 vulnerability that requires no authentication whatsoever. An attacker who can reach an n8n instance over the network can execute arbitrary commands on the server.
This is particularly dangerous because:
- Many n8n instances have webhook endpoints exposed to the internet
- n8n processes often run with elevated privileges to interact with infrastructure
- n8n typically has credentials stored for connected services (Slack, GitHub, databases, cloud APIs)
Who's at Risk
n8n is popular in:
| Use Case | Risk Level | Why |
|---|---|---|
| Security automation (SOAR) | Critical | Has credentials for security tools, SIEM, etc. |
| DevOps CI/CD | Critical | Access to deployment pipelines and infrastructure |
| IT automation | High | Connected to internal systems and APIs |
| Data integration | High | Database credentials and API keys stored |
| Internal tooling | Medium | Depends on exposure and permissions |
Remediation
Immediate Actions
- Update to n8n 2.5.2+ — This is the minimum version that addresses all eight CVEs
- Audit exposed webhooks — Identify any n8n webhook endpoints accessible from the internet
- Review workflow permissions — Restrict who can create and modify workflows
- Rotate credentials — If running a vulnerable version, rotate all credentials stored in n8n
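The four immediate actions above reduce to a per-instance triage: is the version below 2.5.2 (upgrade and rotate credentials), and is a webhook endpoint reachable from the internet (restrict it). The script below is an added example, not n8n's own tooling; the inventory records are constructed, and the assumption is that you already have host, version and exposure data from your asset inventory. It treats pre-releases such as 2.5.2-rc.1 as older than 2.5.2, since only the final release carries all eight fixes.

```python
"""Triage a fleet of n8n instances against the advisory's minimum safe version.
Added example; inventory records below are constructed, not real hosts."""
import re
from typing import NamedTuple

MIN_SAFE = (2, 5, 2)  # minimum version named in the advisory

# Accepts "2.5.2", "v2.5.2", "2.5.2-rc.1"; trailing build metadata is ignored.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


class Instance(NamedTuple):
    host: str
    version: str
    webhook_internet_exposed: bool


def parse_version(v: str) -> tuple:
    """Return (major, minor, patch, is_final) so that a pre-release of X.Y.Z
    sorts below the final X.Y.Z release (is_final is 0 for pre-releases)."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable n8n version: {v!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    is_final = 0 if m.group(4) else 1
    return (major, minor, patch, is_final)


def is_patched(v: str) -> bool:
    """True only for 2.5.2 final or anything newer."""
    return parse_version(v) >= MIN_SAFE + (1,)


def triage(instances) -> dict:
    """Map each host to the list of remediation actions it still needs."""
    actions = {}
    for inst in instances:
        todo = []
        if not is_patched(inst.version):
            todo.append("upgrade to n8n 2.5.2+")
            # Advisory: credentials stored in a vulnerable instance are suspect.
            todo.append("rotate all credentials stored in n8n")
        if inst.webhook_internet_exposed:
            todo.append("restrict webhook endpoint (VPN/zero-trust proxy or IP allowlist)")
        actions[inst.host] = todo
    return actions


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    Instance("n8n-soar.corp.example", "2.4.3", True),
    Instance("n8n-ci.corp.example", "v2.5.2", False),
    Instance("n8n-dev.corp.example", "2.5.2-rc.1", True),
    Instance("n8n-data.corp.example", "2.6.0", True),
]

if __name__ == "__main__":
    for host, todo in triage(SAMPLE_INVENTORY).items():
        status = "; ".join(todo) if todo else "no action required"
        print(f"{host}: {status}")
```

Feed it your real inventory in place of SAMPLE_INVENTORY; hosts whose version cannot be parsed raise rather than silently passing, which is the safer failure mode for an audit.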
Network Controls
- Place n8n behind a VPN or zero-trust proxy
- Restrict webhook access to known IP ranges where possible
- Monitor n8n server processes for unusual child process execution
Detection
Monitor for:
- Unusual process spawning from the n8n process
- Webhook requests with complex JavaScript expressions
- Outbound connections from n8n to unexpected destinations
- File access patterns outside normal n8n operation
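Two of the signals above, unusual child processes of the n8n process and expression syntax in webhook traffic, can be checked with a few lines of code. The block below is an added example rather than n8n's own tooling: the process snapshot is constructed in the shape of `ps -eo pid,ppid,comm,args` output, and the request bodies and workflow fragment are constructed too. Because the attack chain places the crafted expression inside the workflow's webhook node rather than in the inbound request, the same scanner is also applied to an exported workflow node parameter, which is where such expressions actually live.

```python
"""Detection helpers for the n8n advisory: flag shell-like descendants of the
n8n process, and flag {{ }} expressions carrying sandbox-relevant constructs.
Added example; all sample data is constructed."""
import re

# ---- Signal 1: child processes of n8n -------------------------------------
# Constructed snapshot (pid, ppid, comm, args). 412 is the n8n server,
# 430 a legitimate node worker, 985/986 a shell and its child, 700 unrelated.
SAMPLE_PROCESSES = [
    {"pid": 1,   "ppid": 0,   "comm": "systemd", "args": "/sbin/init"},
    {"pid": 412, "ppid": 1,   "comm": "node",    "args": "node /usr/local/bin/n8n start"},
    {"pid": 430, "ppid": 412, "comm": "node",    "args": "node /usr/local/bin/n8n worker"},
    {"pid": 985, "ppid": 412, "comm": "sh",      "args": "sh -c id"},
    {"pid": 986, "ppid": 985, "comm": "curl",    "args": "curl http://198.51.100.7/"},
    {"pid": 700, "ppid": 1,   "comm": "sh",      "args": "sh /opt/backup.sh"},
]

# Interpreters and network tools that an n8n server normally has no reason to
# spawn. Tune this: workflows using the Execute Command node spawn sh legitimately.
SUSPECT_COMMS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl",
                 "curl", "wget", "nc", "ncat", "socat"}


def find_n8n_pids(procs):
    return {p["pid"] for p in procs if p["comm"] == "node" and "n8n" in p["args"]}


def descendants(procs, roots):
    """All processes below any of `roots` in the parent/child tree."""
    children = {}
    for p in procs:
        children.setdefault(p["ppid"], []).append(p)
    out, seen, stack = [], set(), list(roots)
    while stack:
        for child in children.get(stack.pop(), []):
            if child["pid"] not in seen:
                seen.add(child["pid"])
                out.append(child)
                stack.append(child["pid"])
    return out


def suspicious_children(procs):
    """Descendants of the n8n process whose command is in SUSPECT_COMMS.
    Walking the full subtree catches tools launched via an intermediate shell."""
    return [p for p in descendants(procs, find_n8n_pids(procs)) if p["comm"] in SUSPECT_COMMS]


# ---- Signal 2: expression syntax in webhook bodies / workflow exports ------
EXPRESSION_RE = re.compile(r"\{\{(.*?)\}\}", re.S)
# Broad substring indicators; expect false positives such as "$json.processId".
RISKY_TOKENS = ("constructor", "process", "require", "child_process", "import(", "Function(")
# "[a] = ..." or "{ b } = ..." (assignment, not "==" comparison).
DESTRUCTURING_RE = re.compile(r"[\[{][^=\]}]*[\]}]\s*=(?!=)")


def scan_text(text):
    """Return one finding per {{ }} expression that looks sandbox-relevant."""
    findings = []
    for expr in EXPRESSION_RE.findall(text):
        reasons = [t for t in RISKY_TOKENS if t in expr]
        if DESTRUCTURING_RE.search(expr):
            reasons.append("destructuring assignment")
        if reasons:
            findings.append({"expression": expr.strip(), "reasons": reasons})
    return findings


# Constructed samples: two inbound webhook bodies, one exported node parameter,
# and one ordinary expression that should not be flagged.
SAMPLE_TEXTS = {
    "webhook-body-1": '{"order": 42, "note": "thanks"}',
    "webhook-body-2": '{"note": "={{ [a] = $json.items }}"}',
    "workflow-node-param": '{"parameters": {"value": "={{ process }}"}}',
    "benign-expression": '{"value": "={{ $json.name.toUpperCase() }}"}',
}

if __name__ == "__main__":
    for p in suspicious_children(SAMPLE_PROCESSES):
        print(f"suspicious child of n8n: pid={p['pid']} {p['args']}")
    for label, text in SAMPLE_TEXTS.items():
        for f in scan_text(text):
            print(f"{label}: {f['reasons']} in {{{{ {f['expression']} }}}}")
```

Both checks are heuristics meant to feed an alert queue, not to block traffic: baseline which child processes your workflows legitimately create before alerting on SUSPECT_COMMS, and run scan_text over workflow exports from the n8n API or database as well as over proxy logs, since ordinary webhook payloads should contain no expression syntax at all.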
References
- The Hacker News — Critical n8n Flaw CVE-2026-25049
- The Register — n8n's Latest Critical Flaws Bypass December Fix
- Horizon3.ai — n8n RCE Under the Microscope