Security researchers at Endor Labs disclosed a critical vulnerability in the n8n workflow automation platform that bypasses security fixes implemented in December 2025. The flaw, tracked as CVE-2026-25049 (CVSS 9.4), enables authenticated attackers to execute arbitrary system commands through malicious webhook workflows.

Vulnerability overview

| Attribute | Details |
|---|---|
| CVE | CVE-2026-25049 |
| CVSS score | 9.4 (Critical) |
| Type | Expression sandbox bypass → RCE |
| Root cause | TypeScript/JavaScript type mismatch |
| Bypasses | CVE-2025-68613 patch (December 2025) |
| Affected versions | All versions < 1.123.17 and < 2.5.2 |
| Fixed versions | 1.123.17, 2.5.2 |
| Discoverer | Endor Labs (Cris Staicu) |
| Public disclosure | February 4, 2026 |


Timeline

| Date | Event |
|---|---|
| December 19-20, 2025 | Vulnerability discovered and documented |
| December 20, 2025 | Responsible disclosure to n8n security team |
| December 2025 | CVE-2025-68613 patch released |
| January 2026 | n8n releases versions 1.123.17 and 2.5.2 |
| February 4, 2026 | Public disclosure and CVE assignment |
| February 4, 2026 | Proof-of-concept published |


Technical analysis

Root cause: Type system mismatch

The vulnerability exploits a fundamental difference between TypeScript’s compile-time type checking and JavaScript’s runtime behavior.

| Aspect | TypeScript | JavaScript |
|---|---|---|
| Type enforcement | Compile-time only | Runtime dynamic |
| Property checks | Static analysis | No enforcement |
| Attacker input | Not analyzed | Fully controlled |

Endor Labs researcher Cris Staicu explained:

“While TypeScript enforces that a property should be a string at compile time, this enforcement is limited to values present in the code during compilation. TypeScript cannot enforce these type checks on runtime attacker-produced values.”


Bypass mechanism

| Stage | Description |
|---|---|
| 1 | Attacker crafts malicious expression at runtime |
| 2 | Passes non-string values (objects, arrays, symbols) |
| 3 | Values bypass sanitization check |
| 4 | Expression sandbox escape achieved |
| 5 | System command execution |

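
The type gap described in the two sections above, as an added illustration written for this article rather than n8n's own code: a denylist check annotated `expr: string` is evaluated against whatever JavaScript coerces the runtime value to, while a validator that checks `typeof` first rejects anything that is not actually a string. The function names (`naiveIsSafe`, `strictValidate`), the denylist regex and the sample request bodies are all constructed for the example; the denylist stands in for any string-based sanitizer and is not n8n's logic.

```typescript
// Added illustration, not n8n's code: a compile-time `string` annotation vs a
// runtime type guard. BLOCKED is a stand-in denylist chosen for the example.
const BLOCKED = /\b(process|require|child_process)\b/;

// Annotated as taking a string, so the compiler only ever checks the string
// arguments that appear in source. Nothing enforces the type at runtime.
function naiveIsSafe(expr: string): boolean {
  // RegExp.prototype.test applies ToString to its argument: a plain object
  // becomes "[object Object]" and a number becomes its digits, so the check
  // runs against a coerced string, not against the value that is used later.
  return !BLOCKED.test(expr);
}

// Hardened form: establish the runtime type first, then validate the string.
function strictValidate(expr: unknown): string {
  if (typeof expr !== 'string') {
    throw new TypeError('expression must be a string, got ' + describe(expr));
  }
  if (BLOCKED.test(expr)) {
    throw new Error('expression contains a blocked identifier');
  }
  return expr;
}

function describe(value: unknown): string {
  if (value === null) return 'null';
  if (Array.isArray(value)) return 'array';
  return typeof value;
}

// True when strictValidate rejects the value.
function rejects(value: unknown): boolean {
  try {
    strictValidate(value);
    return false;
  } catch (_err) {
    return true;
  }
}

// Constructed request bodies standing in for runtime, attacker-controlled
// input. JSON.parse returns `any`, so every one of them type-checks as a
// `string` argument: exactly the situation the advisory describes.
const SAMPLE_BODIES: Array<{ name: string; raw: string }> = [
  { name: 'plainString', raw: '"$json.name"' },
  { name: 'blockedString', raw: '"process.env"' },
  { name: 'object', raw: '{"expr": "process.env"}' },
  { name: 'number', raw: '42' },
];

interface Verdict { naive: boolean; strict: boolean }

// Runs both checks over the samples. `naive` is what the typed denylist
// check returns; `strict` is whether the guarded validator accepts the value.
function compareChecks(): { [name: string]: Verdict } {
  const out: { [name: string]: Verdict } = {};
  for (const sample of SAMPLE_BODIES) {
    const value = JSON.parse(sample.raw);
    out[sample.name] = { naive: naiveIsSafe(value), strict: !rejects(value) };
  }
  return out;
}
```

The `object` and `number` bodies pass `naiveIsSafe` because the denylist never sees the original value, only its string coercion; `strictValidate` rejects both before any string logic runs. The lesson for any sanitizer that sits in front of an evaluator is that the runtime type check has to be the first line of the function, not something the signature is trusted to guarantee.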

Exploitation requirements

| Requirement | Details |
|---|---|
| Authentication | Required (workflow creation access) |
| Webhook access | Public webhook with no auth |
| Code complexity | Single line of JavaScript |
| Trigger method | HTTP request to webhook |


Attack scenario

Step-by-step exploitation

| Step | Action |
|---|---|
| 1 | Attacker creates workflow with public webhook |
| 2 | Adds malicious JavaScript using destructuring syntax |
| 3 | Exposes webhook to internet |
| 4 | Sends crafted request to webhook URL |
| 5 | Commands execute on n8n server |


Impact of successful exploitation

| Capability | Risk |
|---|---|
| System command execution | Complete server compromise |
| Credential theft | API keys, OAuth tokens |
| Secret exfiltration | Stored passwords, configuration |
| Lateral movement | Access to connected systems |
| Data manipulation | Workflow modification, data theft |


Affected deployments

Exposure assessment

| Factor | Risk level |
|---|---|
| Self-hosted instances | High (if publicly accessible) |
| Cloud-hosted n8n | Managed by provider |
| Internet-exposed webhooks | Critical |
| Internal-only deployments | Moderate (insider threat) |


Scale of exposure

| Metric | Estimate |
|---|---|
| Global n8n installations | ~100,000+ |
| Potentially exposed servers | Thousands |
| Active exploitation | Not yet observed |


Relationship to previous vulnerabilities

This is the third major n8n vulnerability disclosed in recent months:

| CVE | CVSS | Type | Date |
|---|---|---|---|
| CVE-2026-21858 | 10.0 | Content-Type confusion → RCE | January 2026 |
| CVE-2025-68613 | 9.9 | Expression sandbox escape | December 2025 |
| CVE-2026-25049 | 9.4 | Patch bypass → RCE | February 2026 |
| CVE-2026-1470 | 9.9 | JavaScript with statement escape | February 2026 |
| CVE-2026-0863 | 8.5 | Python AttributeError.obj escape | February 2026 |


The pattern suggests n8n’s sandboxing approach faces fundamental challenges in securely isolating dynamic code execution.

| Priority | Action |
|---|---|
| Critical | Upgrade to n8n 1.123.17 or 2.5.2+ |
| Critical | Audit public webhook configurations |
| High | Review workflow creation permissions |
| High | Implement network access controls |

| Workaround | Purpose |
|---|---|
| Restrict workflow creation | Limit to trusted users only |
| Disable public webhooks | Remove attack surface |
| Network segmentation | Isolate n8n from critical systems |
| Reduce OS privileges | Limit damage from compromise |


Verification steps

| Check | Method |
|---|---|
| Version verification | n8n --version or UI settings |
| Webhook audit | Review all workflow triggers |
| Permission review | Check user roles and access |
| Network exposure | Scan for public n8n instances |

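
Two of the checks in the table above, version verification and webhook audit, as added example code written for this article and not n8n's own tooling. The fixed versions (1.123.17 for the 1.x line, 2.5.2 for the 2.x line) come from the advisory. The shape of the exported workflow JSON (a node `type` of `n8n-nodes-base.webhook` carrying `path` and `authentication` parameters) and the sample workflows are assumptions constructed for the example, so confirm the field names against one of your own exports before relying on the audit.

```typescript
// Added verification helpers, not n8n's code. Fixed versions are taken from
// the advisory; the workflow export format is an assumption.
type Version = [number, number, number];

// Accepts "1.123.17", "v1.123.17" and "2.5.2-rc.1" (the prerelease tag is
// ignored, which treats a prerelease of a fixed version as fixed).
function parseVersion(raw: string): Version {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(raw.trim());
  if (!m) throw new Error('unparseable version: ' + raw);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function lessThan(a: Version, b: Version): boolean {
  if (a[0] !== b[0]) return a[0] < b[0];
  if (a[1] !== b[1]) return a[1] < b[1];
  return a[2] < b[2];
}

// Fixed release per major line, from the advisory.
const FIXED: { [major: number]: Version } = { 1: [1, 123, 17], 2: [2, 5, 2] };

// True when the version sits below the fix for its release line. Lines the
// advisory does not name are handled by assumption: anything below 1.123.17
// (0.x included) is vulnerable, anything on a later major line is not.
function isVulnerable(raw: string): boolean {
  const v = parseVersion(raw);
  const fixed = FIXED[v[0]];
  if (fixed) return lessThan(v, fixed);
  return lessThan(v, FIXED[1]);
}

// Assumed export shape: only the fields the audit needs.
interface WorkflowNode {
  name: string;
  type: string;
  parameters?: { [key: string]: unknown };
}
interface Workflow { name: string; active?: boolean; nodes: WorkflowNode[] }
interface Finding { workflow: string; node: string; path: string; active: boolean }

// Lists webhook trigger nodes whose authentication is unset or "none".
// A missing `authentication` parameter is treated as "none" (assumption:
// that is the default the exporter omits).
function findUnauthenticatedWebhooks(workflows: Workflow[]): Finding[] {
  const findings: Finding[] = [];
  for (const wf of workflows) {
    for (const node of wf.nodes) {
      if (node.type !== 'n8n-nodes-base.webhook') continue;
      const p = node.parameters || {};
      const auth = typeof p.authentication === 'string' ? p.authentication : 'none';
      if (auth !== 'none') continue;
      findings.push({
        workflow: wf.name,
        node: node.name,
        path: typeof p.path === 'string' ? p.path : '',
        active: !!wf.active,
      });
    }
  }
  return findings;
}

// Constructed sample export (not real workflows).
const SAMPLE_WORKFLOWS: Workflow[] = [
  { name: 'Lead intake', active: true, nodes: [
    { name: 'Webhook', type: 'n8n-nodes-base.webhook', parameters: { path: 'lead', httpMethod: 'POST' } },
    { name: 'Set', type: 'n8n-nodes-base.set', parameters: {} },
  ] },
  { name: 'Internal sync', active: false, nodes: [
    { name: 'Webhook', type: 'n8n-nodes-base.webhook', parameters: { path: 'sync', authentication: 'headerAuth' } },
  ] },
  { name: 'Old report', active: false, nodes: [
    { name: 'Hook', type: 'n8n-nodes-base.webhook', parameters: { path: 'report', authentication: 'none' } },
  ] },
];
```

`isVulnerable` takes the string that `n8n --version` prints; `findUnauthenticatedWebhooks` takes an array of exported workflows and reports the active ones first if you sort on `active`, since an inactive workflow has no reachable webhook but still deserves cleanup before someone re-enables it.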

Detection

Indicators of exploitation

| Indicator | Detection method |
|---|---|
| Unusual webhook traffic | Web server logs |
| Process spawning from n8n | EDR/process monitoring |
| Credential file access | File access auditing |
| Outbound connections | Network monitoring |


Log analysis

| Log source | Look for |
|---|---|
| n8n execution logs | Unusual expression patterns |
| System logs | Child processes from n8n |
| Network logs | Unexpected outbound traffic |
| Authentication logs | Unauthorized workflow access |

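
The "process spawning from n8n" indicator from the two tables above, as an added example written for this article and not taken from n8n or any EDR vendor. The event records are constructed, and their field names (`parent_comm`, `parent_cmdline`, `comm`, `cmdline`) are an assumption about whatever process-audit source feeds the detection; the `allowed` parameter exists because workflows that legitimately run shell commands would otherwise trip the rule on every execution.

```typescript
// Added detection sketch, not n8n's or a vendor's rule. Field names are an
// assumption about the process-audit source (EDR, auditd, eBPF tracer).
interface ProcessEvent {
  ts: string;
  host: string;
  parent_comm: string;    // parent executable name
  parent_cmdline: string; // parent full command line
  comm: string;           // new process executable name
  cmdline: string;        // new process full command line
}

interface Alert { ts: string; host: string; reason: string; cmdline: string }

// Children an automation server has little reason to spawn on its own.
const INTERESTING_CHILDREN = ['sh', 'bash', 'dash', 'zsh', 'python', 'python3', 'perl', 'curl', 'wget', 'nc'];

function basename(path: string): string {
  return path.replace(/^.*\//, '');
}

// n8n runs inside node; the n8n entrypoint is visible on the command line.
function isN8nParent(ev: ProcessEvent): boolean {
  return /^node(js)?$/.test(basename(ev.parent_comm)) && /\bn8n\b/.test(ev.parent_cmdline);
}

function isInterestingChild(ev: ProcessEvent): boolean {
  return INTERESTING_CHILDREN.indexOf(basename(ev.comm)) !== -1;
}

// Flags shell/interpreter children of the n8n process. `allowed` holds
// patterns for command lines that known workflows legitimately run, so the
// rule is tuned per deployment rather than switched off.
function detectSpawns(events: ProcessEvent[], allowed: RegExp[] = []): Alert[] {
  const alerts: Alert[] = [];
  for (const ev of events) {
    if (!isN8nParent(ev) || !isInterestingChild(ev)) continue;
    let known = false;
    for (const re of allowed) {
      if (re.test(ev.cmdline)) { known = true; break; }
    }
    if (known) continue;
    alerts.push({
      ts: ev.ts,
      host: ev.host,
      reason: 'n8n process (' + ev.parent_comm + ') spawned ' + basename(ev.comm),
      cmdline: ev.cmdline,
    });
  }
  return alerts;
}

// Constructed sample events (not real telemetry; paths are placeholders).
const N8N_CMD = '/usr/bin/node /opt/n8n/bin/n8n start';
const SAMPLE_EVENTS: ProcessEvent[] = [
  // n8n starting a helper node process: expected, not flagged
  { ts: '2026-02-05T10:00:01Z', host: 'auto-01', parent_comm: 'node', parent_cmdline: N8N_CMD,
    comm: 'node', cmdline: '/usr/bin/node /opt/n8n/worker.js' },
  // n8n spawning a shell: flagged unless allowlisted
  { ts: '2026-02-05T10:00:07Z', host: 'auto-01', parent_comm: 'node', parent_cmdline: N8N_CMD,
    comm: 'sh', cmdline: 'sh -c hostname' },
  // cron spawning bash: parent is not n8n, not flagged
  { ts: '2026-02-05T10:01:00Z', host: 'auto-01', parent_comm: 'cron', parent_cmdline: '/usr/sbin/cron -f',
    comm: 'bash', cmdline: 'bash /etc/cron.daily/logrotate' },
  // n8n spawning an interpreter: flagged
  { ts: '2026-02-05T10:02:13Z', host: 'auto-01', parent_comm: 'node', parent_cmdline: N8N_CMD,
    comm: 'python3', cmdline: 'python3 -c print(1)' },
];
```

Run `detectSpawns(SAMPLE_EVENTS)` to see the two flagged events, then pass `[/^sh -c hostname$/]` as the allowlist to see the known command drop out. In practice the allowlist should be built from the command lines your own Execute Command nodes are configured to run, and anything outside it from the n8n process is worth an analyst's attention regardless of which CVE it turns out to be.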

Recommendations

For n8n administrators

| Priority | Action |
|---|---|
| Critical | Apply patches immediately |
| High | Audit all webhook configurations |
| High | Implement principle of least privilege |
| Medium | Enable comprehensive logging |
| Ongoing | Monitor for future n8n advisories |


For security teams

| Priority | Action |
|---|---|
| High | Inventory all n8n deployments |
| High | Add n8n to vulnerability management |
| Medium | Implement detection rules |
| Medium | Review automation platform security |
| Ongoing | Track workflow automation attack surface |


For development teams

| Priority | Action |
|---|---|
| High | Review workflow permissions |
| High | Validate webhook authentication requirements |
| Medium | Audit connected integrations |
| Medium | Document automation dependencies |


Context

CVE-2026-25049 highlights a persistent challenge in securing dynamic code execution environments. The vulnerability demonstrates that patches addressing specific exploitation techniques may be bypassed through alternative approaches.

The TypeScript/JavaScript type mismatch at the root of this vulnerability reflects a broader architectural tension: TypeScript provides compile-time safety, but JavaScript’s runtime flexibility allows attackers to circumvent those protections with crafted inputs.

For organizations relying on n8n and similar workflow automation platforms, this disclosure reinforces several security principles:

Defense in depth: Sandboxing alone cannot guarantee security. Network isolation, permission restrictions, and monitoring provide additional protection layers.

Patch verification: When critical vulnerabilities are patched, security teams should monitor for bypass disclosures, as attackers actively seek alternative exploitation paths.

Automation platform risk: Tools that execute dynamic code—even with sandboxing—present inherent risks. Organizations should treat automation platforms as high-value targets requiring rigorous security controls.

The public availability of proof-of-concept code means exploitation attempts may increase. Organizations should prioritize patching and implement compensating controls where immediate updates are not feasible.