Description
n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2.
Published: 2026-02-04
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Patch
AI Analysis

Impact

n8n, an open source workflow automation platform, contained an expression escape flaw (CWE-913, Improper Control of Dynamically-Managed Code Resources) that lets an authenticated user with workflow creation or modification rights break out of the expression evaluator and run arbitrary system commands. The root cause is improper handling of user-supplied expressions in workflow parameters. Successful exploitation yields command execution on the host with the privileges of the n8n process; the advisory rates this as a complete loss of confidentiality, integrity and availability whose impact extends beyond the n8n application itself (scope changed).

Affected Systems

The vulnerability affects the n8n-io n8n product (CPE cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*). Every release before 1.123.17, and every 2.x release before 2.5.2, is affected; 1.123.17 and 2.5.2 contain the fix.

Risk and Exploitability

With a CVSS v4.0 base score of 9.4 (a CVSS v3.1 score of 9.9 is also recorded) the flaw is rated critical. The EPSS score is below 1 %, indicating a low predicted probability of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. The vector requires low privileges (PR:L) and no user interaction: any account that can create or edit workflows suffices, so the most likely abuse paths are insider misuse or a compromised legitimate account rather than an unauthenticated external attacker. Once such an account is in hand the attacker can run arbitrary commands on the host with the privileges of the n8n process, so the risk to unpatched instances is severe and the low EPSS should not be read as a reason to defer patching.

Generated by OpenCVE AI on April 18, 2026 at 13:48 UTC.

Remediation

The vendor has released fixed versions: 1.123.17 (1.x line) and 2.5.2 (2.x line), tracked in GHSA-6cqr-8cfr-67f8. No workaround other than upgrading is documented.

OpenCVE Recommended Actions

  • Upgrade n8n to version 1.123.17 or newer, or 2.5.2 or newer, whichever applies.
  • Restrict workflow creation and modification permissions to a minimal set of trusted users and follow the principle of least privilege.
  • If an upgrade cannot be performed immediately, reduce exposure in the meantime: review which accounts hold workflow create or edit rights, audit existing workflows (for example their exported JSON) for expressions that reach for runtime internals rather than workflow data, and treat any such finding as a potential compromise of the host.
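The version check and the workflow audit above can be scripted. The following helper is an added example written for this page, not OpenCVE's or n8n's code. It classifies an n8n version against the two fixed releases named in the advisory and scans an exported workflow JSON for expression-mode parameters containing tokens that plain data templating rarely needs. Assumptions: n8n stores expression-mode parameters as strings beginning with "=" with the JavaScript inside {{ }}; the token list is a heuristic of the author's choosing, not the payload behind this CVE (the page does not publish one); the sample workflow is constructed for the demonstration.

```python
"""Triage helper for CVE-2026-25049 (added example; not OpenCVE or n8n code).

1. is_affected(version): is this n8n version older than the fixed release
   for its major line (1.123.17 for 0.x/1.x, 2.5.2 for 2.x)?
2. scan_workflow(workflow): walk an exported n8n workflow JSON and flag
   expression-mode parameters containing tokens that plain data templating
   rarely needs. The token list is a heuristic assumption, not the
   published payload for this CVE.
"""
import json
import re

# Fixed releases from the advisory, keyed by major line.
FIXED = {1: (1, 123, 17), 2: (2, 5, 2)}

# Heuristic denylist (assumption): names that reach for the JS runtime rather
# than workflow data. Expect false positives; every hit needs a human look.
SUSPICIOUS = re.compile(
    r"\b(process|require|child_process|constructor|__proto__|globalThis|Function|eval|import)\b"
)

# n8n expression syntax: the parameter string starts with "=" and the
# JavaScript sits inside {{ ... }}.
EXPR_RE = re.compile(r"\{\{(.*?)\}\}", re.S)


def parse_version(version):
    """'v1.123.16-rc1' -> (1, 123, 16); pads missing components with 0."""
    core = version.lstrip("v").split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version):
    """True if the version is older than the fixed release on its line.

    Branch selection is an assumption: anything below 2.0.0 is compared
    against 1.123.17, 2.x and later against 2.5.2.
    """
    ver = parse_version(version)
    fixed = FIXED[1] if ver[0] < 2 else FIXED[2]
    return ver < fixed


def iter_strings(obj, path):
    """Yield (json_path, value) for every string leaf under obj."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from iter_strings(val, f"{path}.{key}")
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from iter_strings(val, f"{path}[{idx}]")
    elif isinstance(obj, str):
        yield path, obj


def scan_workflow(workflow):
    """Return one finding per parameter expression that contains a suspicious token."""
    findings = []
    for node in workflow.get("nodes", []):
        for path, value in iter_strings(node.get("parameters", {}), "parameters"):
            if not value.startswith("="):
                continue  # plain literal, never evaluated as an expression
            for expr in EXPR_RE.findall(value):
                tokens = sorted(set(SUSPICIOUS.findall(expr)))
                if tokens:
                    findings.append({
                        "node": node.get("name"),
                        "type": node.get("type"),
                        "path": path,
                        "tokens": tokens,
                        "expression": expr.strip(),
                    })
    return findings


# Constructed sample export: one benign expression, one that reaches for the
# runtime (shape chosen to exercise the heuristic; not the CVE payload), and
# a literal that merely mentions a flagged word.
SAMPLE_WORKFLOW = json.loads(r'''
{
  "name": "constructed sample",
  "nodes": [
    {"name": "Set", "type": "n8n-nodes-base.set",
     "parameters": {"values": {"string": [
       {"name": "greeting", "value": "={{ 'hello ' + $json.user }}"}]}}},
    {"name": "HTTP Request", "type": "n8n-nodes-base.httpRequest",
     "parameters": {"url": "={{ $json.constructor.constructor('return process.env')() }}"}},
    {"name": "Note", "type": "n8n-nodes-base.stickyNote",
     "parameters": {"content": "plain text mentioning process; never evaluated"}}
  ]
}
''')

if __name__ == "__main__":
    for v in ("1.123.16", "1.123.17", "2.5.1", "2.5.2"):
        print(v, "affected" if is_affected(v) else "fixed")
    for finding in scan_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Run it against each workflow exported from the instance (Workflows > Download, or the REST API) before and after the upgrade; a hit does not prove exploitation, but an expression that touches `constructor`, `process` or `require` in a workflow nobody recognises is a strong reason to pull the host's logs and rotate the credentials it held.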

Advisories
Source        ID                    Title
GitHub GHSA   GHSA-6cqr-8cfr-67f8   n8n Has Expression Escape Vulnerability Leading to RCE
History

Thu, 05 Feb 2026 20:30:00 +0000

Type      Values Removed   Values Added
CPEs      -                cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
Metrics   -                cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Thu, 05 Feb 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 21:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                N8n, N8n n8n
Vendors & Products    -                N8n, N8n n8n

Wed, 04 Feb 2026 17:15:00 +0000

Type          Values Removed   Values Added
Description   -                n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2.
Title         -                n8n Has an Expression Escape Vulnerability Leading to RCE
Weaknesses    -                CWE-913
References    -
Metrics       -                cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T14:36:17.819Z

Reserved: 2026-01-28T14:50:47.888Z

Link: CVE-2026-25049

Vulnrichment

Updated: 2026-02-05T14:23:22.063Z

NVD

Status: Analyzed

Published: 2026-02-04T17:16:22.833

Modified: 2026-02-05T20:22:47.870

Link: CVE-2026-25049

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:00:02Z

Weaknesses