Description
n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata, the vulnerability can lead to files being written to unintended locations on those remote systems, potentially leading to remote code execution on those systems. As a prerequisite, an unauthenticated attacker needs knowledge of such workflows existing, and the endpoints for file uploads need to be unauthenticated. This issue has been patched in versions 1.123.12 and 2.4.0.
Published: 2026-02-04
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file write on remote servers via the SSH node, potentially leading to remote code execution
Action: Immediate Patch
AI Analysis

Impact

n8n allows users to create workflows that include uploading files and then transferring them to remote servers through its SSH node. Before versions 1.123.12 and 2.4.0, the SSH node did not validate the uploaded file’s metadata, allowing a file to be written to an arbitrary location on the destination server. If the attacker can execute code at the new location, this flaw can enable remote code execution on that server.

Affected Systems

The vulnerable software is the n8n workflow automation platform from n8n‑io. All installations running a version older than 1.123.12 for the 1.x series or older than 2.4.0 for the 2.x series are affected. The vulnerability manifests when the workflow processes a file that is then sent to a remote host via the SSH node.

Risk and Exploitability

The CVSS score of this vulnerability is 7.1, indicating high impact, while the EPSS score is below 1 %, suggesting a low likelihood of exploitation at the present time. This issue is not recorded in the CISA KEV catalog. A likely attack vector would be an unauthenticated attacker who knows that an n8n workflow exists and that the file‑upload endpoint is open. The attacker can upload a crafted file, have the SSH node write it to a chosen path on the target remote system, and if the path allows code execution, gain control of that system. The vulnerability is mitigated by applying the patched versions or by enforcing stricter validation of uploaded file metadata before sending it over SSH.

Generated by OpenCVE AI on April 18, 2026 at 13:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update n8n to version 1.123.12 or newer in the 1.x line, or to version 2.4.0 or newer in the 2.x line, to apply the vendor patch.
  • If an immediate upgrade is not possible, restrict file‑upload endpoints to authenticated users only, preventing unauthenticated uploads that could be leveraged by an attacker.
  • Implement or enable validation of uploaded file metadata before it is passed to the SSH node, ensuring files are only written to intended locations on remote hosts.
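
One way to implement the metadata validation recommended above, as an added example (not n8n's patch or code from the advisory). It assumes the client-supplied metadata in question is the uploaded file's name and that the workflow should only write into one fixed remote directory; `REMOTE_DIR`, `normalizePosix`, `safeRemotePath`, `checkUploads` and the sample names are constructed for illustration.

```javascript
// Added example: all names here are hypothetical, not n8n APIs.
const REMOTE_DIR = '/srv/uploads'; // assumed: the only directory this workflow may write to

// Resolve "." and ".." segments of an absolute POSIX path without touching the filesystem.
function normalizePosix(absPath) {
  const out = [];
  for (const seg of absPath.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Return the remote path for an uploaded file, or throw when the client-supplied
// name could place the file outside baseDir.
function safeRemotePath(baseDir, uploadedName) {
  if (typeof uploadedName !== 'string') throw new Error('file name missing');
  // Allowlist: a single path segment, so no separators, control bytes or empty names.
  if (!/^[A-Za-z0-9._-]{1,255}$/.test(uploadedName)) throw new Error('disallowed characters');
  // Rejects ".", ".." and hidden files such as shell or SSH configuration.
  if (uploadedName.startsWith('.')) throw new Error('dot-prefixed name');
  const root = normalizePosix(baseDir);
  const target = normalizePosix(root + '/' + uploadedName);
  // Defence in depth: the normalized target must still sit below the root.
  if (!target.startsWith(root + '/')) throw new Error('escapes upload directory');
  return target;
}

// Constructed sample names, as they might arrive in upload metadata.
const SAMPLE_NAMES = ['report.pdf', '../../tmp/outside.txt', '/tmp/outside.txt',
  '..\\outside.txt', '.profile', ''];

// Validate each name and record the decision, so rejects can be logged and alerted on.
function checkUploads(names, baseDir = REMOTE_DIR) {
  return names.map((name) => {
    try {
      return { name, ok: true, path: safeRemotePath(baseDir, name) };
    } catch (err) {
      return { name, ok: false, reason: err.message };
    }
  });
}

console.log(checkUploads(SAMPLE_NAMES));
```

Run the check in the workflow before the file reaches the SSH node, and treat every rejected name as a signal worth logging, since legitimate uploads rarely carry path separators.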



Advisories
Source: Github GHSA
ID: GHSA-m82q-59gv-mcr9
Title: n8n Vulnerable to Arbitrary File Write on Remote Systems via SSH Node

History

Thu, 05 Feb 2026 20:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*

Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 05 Feb 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 21:30:00 +0000

Type: First Time appeared
Values Added: N8n; N8n n8n

Type: Vendors & Products
Values Added: N8n; N8n n8n

Wed, 04 Feb 2026 17:15:00 +0000

Type: Description
Values Added: n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata, the vulnerability can lead to files being written to unintended locations on those remote systems, potentially leading to remote code execution on those systems. As a prerequisite, an unauthenticated attacker needs knowledge of such workflows existing, and the endpoints for file uploads need to be unauthenticated. This issue has been patched in versions 1.123.12 and 2.4.0.

Type: Title
Values Added: n8n Arbitrary File Write on Remote Systems via SSH Node

Type: Weaknesses
Values Added: CWE-22

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T14:33:32.501Z

Reserved: 2026-01-28T14:50:47.888Z

Link: CVE-2026-25055

Vulnrichment

Updated: 2026-02-05T14:20:20.942Z

NVD

Status: Analyzed

Published: 2026-02-04T17:16:23.513

Modified: 2026-02-05T20:41:47.613

Link: CVE-2026-25055

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:00:02Z

Weaknesses