Cyber Posture

CVE-2026-25055

High

Published: 04 February 2026
Modified: 05 February 2026
KEV Added
Patch
CVSS Score: 8.1 (High), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0017 (37.6th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata, the vulnerability can lead to files being written to unintended locations on those remote systems, potentially leading to remote code execution on those systems. As prerequisites, an unauthenticated attacker needs knowledge of such workflows existing, and the endpoints for file uploads need to be unauthenticated. This issue has been patched in versions 1.123.12 and 2.4.0.

Mitigating Controls (NIST 800-53 r5)

prevent

Directly mandates validation of file metadata and paths to block path traversal in uploaded files processed by the SSH node.

prevent

Limits permitted actions without authentication, mitigating the prerequisite of unauthenticated file upload endpoints exploited in this vulnerability.

prevent

Enforces least privilege on processes like the SSH node, restricting writes to arbitrary or sensitive locations on remote systems even if traversal occurs.

Security Summary

CVE-2026-25055 is a path traversal vulnerability (CWE-22) in n8n, an open source workflow automation platform. The issue affects versions prior to 1.123.12 and 2.4.0, specifically in workflows that process uploaded files and transfer them to remote servers using the SSH node. Without proper validation of file metadata, this flaw allows files to be written to arbitrary locations on the target remote systems.

An unauthenticated attacker can exploit this vulnerability if they know that a workflow handling file uploads exists and the associated file upload endpoint does not require authentication. By uploading a file whose metadata (such as its file name) carries path traversal sequences, the attacker can direct the file to an unintended path on the remote system via the SSH node, potentially achieving remote code execution there. Attack complexity is rated High (AC:H) in the CVSS v3.1 vector, reflecting the need to know the workflow and its upload endpoint; the base score is 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

The n8n security advisory recommends upgrading to version 1.123.12 or 2.4.0, where the issue has been patched by adding metadata validation for uploaded files processed by the SSH node. Security practitioners should review deployed n8n instances for workflows that pass uploaded files to the SSH node, require authentication on file upload endpoints wherever possible, confine the SSH account used by the node to a dedicated directory, and monitor for unexpected file transfers or writes to sensitive paths on the target hosts.

Details

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected Products

n8n (n8n)
< 1.123.12 · 2.0.0 to < 2.4.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal vulnerability in n8n's unauthenticated file upload workflows enables exploitation of a public-facing application to write arbitrary files to remote systems via SSH node, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References