"The vulnerabilities, collectively tracked as CVE-2026-25049, stem from weaknesses in how n8n sanitizes expressions inside workflows and could enable authenticated users to smuggle malicious code past safeguards introduced to fix CVE-2025-68613, a December 2025 vulnerability that already carried a near-perfect severity score. The new flaws carry a CVSS rating of 9.4, though some researchers argue the real-world impact could be even worse."
""Additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613," n8n's maintainers said. "An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n." The disclosure lands just weeks after another maximum-severity n8n bug dubbed "ni8mare" exposed an estimated 100,000 automation servers to takeover through an unauthenticated remote code execution flaw that allowed attackers to seize vulnerable systems without logging in,"
Multiple vulnerabilities in n8n are tracked as CVE-2026-25049 and arise from flaws in expression sanitization within workflows, allowing authenticated users to bypass prior safeguards from CVE-2025-68613 by smuggling malicious code. n8n confirmed the issues and warned that users who can create or modify workflows could craft expressions that trigger unintended system command execution on hosts running n8n. The new flaws carry a CVSS score of 9.4, with some researchers warning the real-world impact may be worse. The disclosure follows the recent high-severity "ni8mare" RCE that exposed roughly 100,000 servers, and security firms emphasize risk because automation platforms handle sensitive material.
Read at Theregister
Unable to calculate read time
Collection
[
|
...
]