Overview
- The consolidated flaw, tracked as CVE-2026-25049, enables remote code execution by any authenticated user who can create or edit workflows, with fixes available in versions 1.123.17 and 2.5.2.
- Researchers from Pillar Security, Endor Labs, and SecureLayer7 published technical write-ups and proof-of-concept exploits demonstrating sandbox escapes that bypass earlier patches.
- The weaknesses stem from incomplete AST-based sandboxing and a TypeScript-to-JavaScript type mismatch that allows sanitization bypasses and arbitrary code execution.
- Successful attacks can steal stored credentials and secrets, access filesystems, hijack AI workflows, and potentially pivot within n8n’s multi-tenant cloud infrastructure.
- Admins are urged to update immediately, rotate the N8N_ENCRYPTION_KEY and all stored credentials, restrict who can create workflows, and harden deployments. Scanning has risen, but public reports of active exploitation are not confirmed.
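
As an added example (not code from n8n or from the researchers named above), the following script triages an inventory of n8n version strings against the two fixed releases listed in this overview. It assumes that any 1.x build below 1.123.17 and any 2.x build below 2.5.2 lacks the fix; the function names, status labels and sample hosts are constructed for illustration.

```javascript
// Fixed releases named in the overview, keyed by major release line.
const FIXED = { 1: [1, 123, 17], 2: [2, 5, 2] };

// Parse "1.123.17", "v2.5.2" or "2.5.2-beta.1"; return null for anything else.
function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(raw).trim());
  return m && { parts: m.slice(1, 4).map(Number), prerelease: m[4] !== undefined };
}

// Classify one version string as "patched", "needs-update" or "unknown".
function classify(raw) {
  const v = parseVersion(raw);
  if (!v) return "unknown"; // tags such as "latest" must be resolved by hand
  const fixed = FIXED[v.parts[0]];
  if (!fixed) return "unknown"; // the overview names no fixed release for this major line
  for (let i = 0; i < 3; i++) {
    if (v.parts[i] !== fixed[i]) return v.parts[i] > fixed[i] ? "patched" : "needs-update";
  }
  // Same numbers as the fixed release: a pre-release tag sorts before the release itself.
  return v.prerelease ? "needs-update" : "patched";
}

// Group hosts by status so the unpatched and unresolved ones surface first.
function triage(inventory) {
  const report = { "needs-update": [], unknown: [], patched: [] };
  for (const { host, version } of inventory) report[classify(version)].push(host);
  return report;
}

// Constructed sample inventory (hypothetical hosts and versions).
const inventory = [
  { host: "n8n-a.example.internal", version: "1.123.16" },
  { host: "n8n-b.example.internal", version: "1.123.17" },
  { host: "n8n-c.example.internal", version: "2.5.2-beta.1" },
  { host: "n8n-d.example.internal", version: "v2.6.0" },
  { host: "n8n-e.example.internal", version: "latest" },
];

console.log(triage(inventory));
```

A "patched" result covers only the update step; rotating the N8N_ENCRYPTION_KEY and stored credentials is a separate action in the list above.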