Multiple critical vulnerabilities in the popular n8n open-source workflow automation platform allow escaping the confines of the environment and taking complete control of the host server.
Collectively tracked as CVE-2026-25049, the issues can be exploited by any authenticated user who can create or edit workflows on the platform to perform unrestricted remote code execution on the n8n server.
Researchers at several cybersecurity companies reported the problems, which stem from n8n's sanitization mechanism and bypass the patch for CVE-2025-68613, another critical flaw addressed on December 20.
According to Pillar Security, exploiting CVE-2026-25049 enables complete compromise of the n8n instance and could be leveraged to run arbitrary system commands on the server, steal all stored credentials, secrets (API keys, OAuth tokens), and sensitive configuration files.
By exploiting the vulnerability, the researchers were also able to access the filesystem and internal systems, pivot to connected cloud accounts, and hijack AI workflows (intercept prompts, modify responses, redirect traffic).
As n8n is a multi-tenant environment, accessing internal cluster services can potentially allow pivoting to other tenants’ data.
“The attack requires nothing special. If you can create a workflow, you can own the server,” Pillar Security says in a report today.
Full attack chain
Source: Pillar Security
Pillar’s report describes the problem as incomplete AST-based sandboxing and explains that it arises from n8n’s weak sandboxing of user-written server-side JavaScript expressions in workflows.
... continue reading