CVE-2026-25056

High

Published: 04 February 2026

Published

04 February 2026

Modified

05 February 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0019 40.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

n8n is an open source workflow automation platform. Prior to versions 1.118.0 and 2.4.0, a vulnerability in the Merge node's SQL Query mode allowed authenticated users with permission to create or modify workflows to write arbitrary files to the n8n…

server's filesystem potentially leading to remote code execution. This issue has been patched in versions 1.118.0 and 2.4.0.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the vulnerability by requiring timely remediation through patching to versions 1.118.0 or 2.4.0, eliminating the arbitrary file write flaw in the Merge node's SQL Query mode.

SI-10 Information Input Validation good match

prevent

Requires validation of inputs to the Merge node's SQL Query mode to prevent unrestricted uploads of dangerous file types leading to filesystem writes and RCE.

AC-6 Least Privilege partial match

prevent

Enforces least privilege to restrict workflow creation and modification permissions, limiting low-privileged authenticated users from exploiting the vulnerability.

Security SummaryAI

CVE-2026-25056 is a high-severity vulnerability in n8n, an open source workflow automation platform. In versions prior to 1.118.0 and 2.4.0, the Merge node's SQL Query mode contains a flaw that enables authenticated users with permission to create or modify workflows to write arbitrary files to the n8n server's filesystem. This can potentially lead to remote code execution, as classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-693 (Protection Mechanism Failure).

The vulnerability can be exploited by low-privileged authenticated users over the network with low attack complexity and no user interaction required. Exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful attacks hinge on the attacker's ability to manipulate workflows, turning legitimate workflow editing permissions into a path for filesystem manipulation and code execution.

n8n has addressed this issue in versions 1.118.0 and 2.4.0. Security practitioners should upgrade to these patched releases immediately. Additional details are available in the official advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-hv53-3329-vmrm.

Details

CWE(s): CWE-434 CWE-693

Affected Products

n8n

≤ 1.118.0 · 2.0.0 — 2.4.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

The vulnerability in the n8n web application allows low-privileged authenticated remote users to write arbitrary files leading to RCE, directly enabling exploitation of a public-facing application (T1190) and exploitation for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-hv53-3329-vmrm
Patch, Vendor Advisory · security-advisories@github.com