Warning: Multiple Critical Vulnerabilities in N8n

Published: 05/02/2026

    * Last update: 11/02/2026

    * Affected products:
         → N8n (for affected versions, see the link in the Sources section).

    * Type:

  • Unrestricted Upload of File with Dangerous Type
  • Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
  • Expression Escape Vulnerability
  • Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Improper Input Validation
  • Time-of-check Time-of-use (TOCTOU) Race Condition
  • Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Protection Mechanism Failure
  • Exposure of Sensitive Information to an Unauthorized Actor

    * CVE/CVSS:

  • CVE-2025-61917 : CVSS 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
  • CVE-2026-25115 : CVSS 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
  • CVE-2026-25051 : CVSS 8.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N)
  • CVE-2026-25052 : CVSS 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
  • CVE-2026-25053 : CVSS 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
  • CVE-2026-25049 : CVSS 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
  • CVE-2026-25054 : CVSS 8.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)
  • CVE-2026-25055 : CVSS 7.1 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H)
  • CVE-2026-25056 : CVSS 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)

Sources

N8N Github

Risks

N8n is used for automating workflows between apps, services and APIs. These vulnerabilities could be chained together to compromise the confidentiality, integrity and availability of the n8n host system, critically degrading the service and exposing sensitive information.

The disclosed vulnerabilities affect multiple components and different versions of the n8n package. While most of them require some level of knowledge of the underlying system or authenticated access, an attacker with both could compromise the entire infrastructure by chaining the different vulnerabilities. A proof of concept for certain CVEs is also available online, supporting the weaponization of these vulnerabilities.

Description

Successful exploitation of the vulnerabilities in n8n allows the following:

  • CVE-2026-25117 - Exposure of Sensitive Information to an Unauthorized Actor: Use of specific functions allows the allocation of uninitialized memory. Reading the uninitialized buffer can lead to information disclosure, potentially leaking secret tokens or other sensitive information.
  • CVE-2026-25115 - Protection Mechanism Failure: Authenticated users can break out and execute code outside of the sandbox.
  • CVE-2026-25051 - Cross-site Scripting: Content Security Policy can be bypassed leading to XSS conditions when handling webhook responses, allowing an attacker to hijack user sessions.
  • CVE-2026-25052 - TOCTOU Race Condition: An authenticated user can exploit a vulnerability in file access controls to read arbitrary files from the server’s filesystem. This could give an attacker access to sensitive data, including user credentials.
  • CVE-2026-25053 - OS Command Injection: A vulnerability in the Git node allows authenticated users to run shell commands on the n8n host, potentially leading to full compromise.
  • CVE-2026-25049 - OS Command Injection: An authenticated user could exploit crafted expressions in workflow parameters to execute system commands on the n8n host system.
  • CVE-2026-25054 - Basic XSS: A vulnerability in the markdown rendering component used in the n8n interface could be exploited to hijack user sessions.
  • CVE-2026-25055 - Path Traversal: An unauthenticated attacker with knowledge of the workflow and file upload endpoints could exploit the upload process via SSH to write files in unintended locations, potentially leading to RCE.
  • CVE-2026-25056 - Unrestricted Upload of File with Dangerous Type: An authenticated user can write arbitrary files on the server’s filesystem, which could lead to an RCE condition.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.