CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Multiple Critical n8n Workflow Automation Vulnerabilities (CVE-2025-68613, CVE-2025-68668, CVE-2026-21877, CVE-2026-21858)

First reported
Last updated
3 unique sources, 12 articles

Summary

Hide ▲

Multiple critical vulnerabilities in the n8n workflow automation platform continue to pose severe risks, with the latest flaw, **CVE-2026-25049 (CVSS 9.4)**, enabling authenticated users to execute arbitrary system commands via malicious workflows. This vulnerability bypasses earlier patches for CVE-2025-68613 and stems from inadequate sanitization in n8n’s expression evaluation, allowing attackers to exploit TypeScript’s compile-time type system mismatches with JavaScript’s runtime behavior. Successful exploitation can lead to server compromise, credential theft, and persistent backdoor installation, with heightened risk when paired with n8n’s public webhook feature. The vulnerabilities collectively affect over **105,000 exposed instances**, primarily in the U.S. and Europe, and impact both self-hosted and cloud deployments. Earlier flaws—including **CVE-2026-21877 (CVSS 10.0)**, **CVE-2026-21858 (CVSS 10.0)**, and sandbox escape vulnerabilities **CVE-2026-1470 (CVSS 9.9)** and **CVE-2026-0863 (CVSS 8.5)**—have already demonstrated the potential for full server takeover, AI workflow hijacking, and exposure of sensitive credentials (API keys, OAuth tokens, database passwords). Patches are available in versions **1.123.17, 2.4.5, 2.5.1, and 2.5.2**, but unpatched systems remain at critical risk. Users are urged to **upgrade immediately**, restrict workflow permissions, and harden deployment environments to mitigate exposure.

Timeline

  1. 04.02.2026 23:14 2 articles · 1d ago

    Critical n8n vulnerabilities (CVE-2026-25049) disclosed with public exploits

    Multiple critical vulnerabilities in n8n, collectively tracked as **CVE-2026-25049 (CVSS 9.4)**, stem from inadequate sanitization mechanisms that bypass patches for CVE-2025-68613. The flaw allows **authenticated users with workflow creation/modification permissions** to execute arbitrary system commands via crafted expressions in workflow parameters, exploiting a **mismatch between TypeScript’s compile-time type system and JavaScript’s runtime behavior**. Attackers can bypass sanitization by passing non-string values (e.g., objects, arrays) at runtime. The vulnerability affects versions **<1.123.17 and <2.5.2**, with fixes released in **1.123.17 and 2.5.2**. Researchers from **SecureLayer7, Pillar Security, and Endor Labs** demonstrated exploits where a **publicly accessible webhook** in a malicious workflow enables remote command execution, server compromise, and credential theft (API keys, OAuth tokens, database passwords). The risk escalates when combined with n8n’s webhook feature, allowing unauthenticated remote triggering. Ten security researchers, including **Fatih Çelik, Cris Staicu, Eilon Cohen, and Sandeep Kamble**, are credited with discovering the flaw. Users are advised to **upgrade to patched versions**, restrict workflow permissions to trusted users, and deploy n8n in hardened environments with limited OS privileges. Temporary mitigations include auditing workflows for suspicious expressions and rotating encryption keys/credentials.

    Show sources
    Open in new tab
  2. 04.02.2026 15:00 2 articles · 1d ago

    Two Critical Flaws in n8n AI Workflow Automation Platform Allow Complete Takeover

    Researchers at Pillar Security have found two maximum severity vulnerabilities (CVSS score of 10.0) in n8n, a popular open-source workflow automation platform powering hundreds of thousands of enterprise AI systems worldwide. The flaws are sandbox escape vulnerabilities which, when exploited, allow any authenticated user to achieve complete server control and steal any stored credential, including API keys, cloud provider keys, database passwords, and OAuth tokens on both self-hosted and cloud n8n instances. The first flaw was reported by Pillar Security to n8n maintainers, who released a patch, but a second vulnerability bypassing the fix was discovered 24 hours after initial patch was deployed. n8n released a new patched version, version 2.4.0, with fixes for both vulnerabilities, in January 2026. The Pillar Security advisory addressing both flaws has a GitHub vulnerability identifier, GHSA-6cqr-8cfr-67f8, but the firm did not reveal the CVE identifier for either of the vulnerabilities. The Pillar Security researchers noted that companies using n8n for AI orchestration face credential exposure when using OpenAI, Anthropic, Azure OpenAI, and Hugging Face as well as vector database access (e.g., Pinecone, Weaviate, Qdrant). Attackers who successfully exploit either of these flaws can intercept AI prompts, modify AI responses, redirect traffic through attacker-controlled endpoints, and exfiltrate sensitive data from AI interactions. Additionally, on n8n cloud, a single compromised user could potentially access shared infrastructure and other customers' data within the Kubernetes cluster.

    Show sources
    Open in new tab
  3. 28.01.2026 14:43 4 articles · 8d ago

    Two High-Severity n8n Flaws Allow Authenticated Remote Code Execution

    The article provides detailed information on two new vulnerabilities affecting the n8n workflow automation platform, tracked as CVE-2026-1470 and CVE-2026-0863. These flaws, discovered by the JFrog Security Research team, allow authenticated attackers to bypass sandbox mechanisms and achieve remote code execution. The article explains the technical details of the vulnerabilities, including how they can be exploited to run arbitrary commands on systems hosting vulnerable n8n instances. Users are advised to upgrade to the latest patched versions to address these flaws. The article also highlights the difficulty in safely sandboxing dynamic, high-level languages such as JavaScript and Python, emphasizing that even with multiple validation layers, deny lists, and AST-based controls in place, subtle language features and runtime behaviors can be leveraged to bypass security assumptions. The n8n cloud platform has addressed the issues, and only self-hosted versions running a vulnerable release are affected. Researcher Rhoda Smart promised to add a proof-of-concept exploit in a technical blog post, which could prompt attackers to hunt for and target self-hosted n8n deployments.

    Show sources
    Open in new tab
  4. 07.01.2026 15:48 7 articles · 29d ago

    Critical Unauthenticated RCE Vulnerability (CVE-2026-21858) Disclosed

    The article provides detailed information on the Ni8mare vulnerability (CVE-2026-21858) in the n8n workflow automation platform. It highlights the severity of the flaw, which allows unauthenticated remote attackers to gain complete control over susceptible instances. The article also explains the technical details of the vulnerability, including how it relates to the webhooks that start workflows in n8n and the parsing of incoming data based on the 'content-type' header. It emphasizes the potential impact of the vulnerability, which could enable attackers to access sensitive information and compromise enterprise secrets. The article also notes that there are no official workarounds available for Ni8mare, with users urged to upgrade to version 1.121.0 or later to remediate. Over 105,753 unpatched instances of n8n were found exposed online, with 59,558 still exposed on Sunday. More than 28,000 IPs were found in the United States and over 21,000 in Europe. The Pillar Security advisory addressing both flaws has a GitHub vulnerability identifier, GHSA-6cqr-8cfr-67f8, but the CVE identifier for either of the vulnerabilities was not revealed. The vulnerabilities allow authenticated users to achieve complete server control and steal stored credentials, including API keys, cloud provider keys, database passwords, and OAuth tokens. The first flaw was reported by Pillar Security to n8n maintainers, who released a patch, but a second vulnerability bypassing the fix was discovered 24 hours after the initial patch was deployed. n8n released a new patched version, version 2.4.0, with fixes for both vulnerabilities, in January 2026. Companies using n8n for AI orchestration face credential exposure when using OpenAI, Anthropic, Azure OpenAI, and Hugging Face as well as vector database access (e.g., Pinecone, Weaviate, Qdrant). Attackers who exploit these flaws can intercept AI prompts, modify AI responses, redirect traffic through attacker-controlled endpoints, and exfiltrate sensitive data from AI interactions. On n8n cloud, a single compromised user could potentially access shared infrastructure and other customers' data within the Kubernetes cluster. Pillar Security recommended upgrading to n8n version 2.4.0 or later, rotating the encryption key and all credentials, auditing workflows, and monitoring AI workflows for unusual patterns.

    Show sources
    Open in new tab
  5. 07.01.2026 13:26 4 articles · 29d ago

    New CVSS 10.0 RCE Vulnerability (CVE-2026-21877) Disclosed

    A new maximum-severity vulnerability (CVSS 10.0, CVE-2026-21877) has been discovered in n8n, affecting versions >= 0.123.0 and < 1.121.3. This flaw has been patched in version 1.121.3, released in November 2025. Both self-hosted and n8n Cloud instances are impacted. Users are advised to upgrade to the latest version or implement mitigations such as disabling the Git node and limiting access for untrusted users.

    Show sources
    Open in new tab
  6. 23.12.2025 09:34 4 articles · 1mo ago

    Critical n8n Vulnerability (CVE-2025-68613) Disclosed

    A critical vulnerability in n8n workflow automation platform, tracked as CVE-2025-68613, has been disclosed. The flaw, with a CVSS score of 9.9, affects versions 0.211.0 to 1.120.4 and has been patched in versions 1.120.4, 1.121.1, and 1.122.0. Over 103,000 instances are potentially vulnerable, with a significant number located in the U.S., Germany, France, Brazil, and Singapore. The vulnerability allows authenticated users to execute arbitrary code with the privileges of the n8n process, potentially leading to full compromise of the affected instance, unauthorized data access, and system-level operations. Users are advised to apply patches immediately or implement mitigations such as restricting workflow permissions and deploying n8n in a hardened environment.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Metro4Shell RCE Flaw Exploited in React Native CLI npm Package

Threat actors are actively exploiting a critical remote code execution (RCE) flaw (CVE-2025-11953, CVSS 9.8) in the Metro Development Server within the @react-native-community/cli npm package. First observed on December 21, 2025, the vulnerability allows unauthenticated attackers to execute arbitrary OS commands. Exploits deliver a PowerShell script that disables Microsoft Defender exclusions and downloads a Rust-based binary with anti-analysis features from an attacker-controlled host. The attacks originate from multiple IP addresses and indicate operational use rather than experimental probing.

Open in new tab

OpenClaw Token Exfiltration Vulnerability Enables One-Click RCE

A high-severity vulnerability (CVE-2026-25253, CVSS 8.8) in OpenClaw, an open-source AI assistant, allows remote code execution via a malicious link. The flaw enables token exfiltration and full gateway compromise. The issue was patched in version 2026.1.29 released on January 30, 2026. The vulnerability arises because the Control UI trusts the gatewayUrl parameter without validation, auto-connecting and sending the stored gateway token in the WebSocket connect payload. This allows an attacker to connect to the victim's local gateway, modify configurations, and execute privileged actions. OpenClaw integrates with various messaging platforms and has gained rapid popularity, with its GitHub repository crossing 149,000 stars. The vulnerability can be exploited to achieve one-click RCE by visiting a malicious web page, leveraging cross-site WebSocket hijacking due to the lack of origin header validation.

Open in new tab

OpenClaw AI Agent Security Concerns in Business Environments

OpenClaw, an open-source AI agent formerly known as MoltBot and ClawdBot, has rapidly gained popularity on GitHub, raising significant security concerns due to its extensive access to user systems and data. The AI agent can execute commands, manage files, and interact with various platforms, posing risks such as prompt injection and unauthorized access. Despite its growth, security experts warn about the dangers of integrating such AI agents into corporate environments without proper safeguards. The project has seen a 14-fold increase in adoption within a week, with over 113,000 stars on GitHub. However, its rapid development and extensive access capabilities have led to concerns about potential data breaches and supply chain risks. Experts emphasize the need for better security practices to mitigate these risks.

Open in new tab

Critical sandbox escape flaw in vm2 NodeJS library

A critical-severity vulnerability (CVE-2026-22709) in the vm2 Node.js sandbox library allows escaping the sandbox and executing arbitrary code on the host system. The flaw arises from improper sanitization of Promises, enabling attackers to bypass sandbox restrictions. The vulnerability affects versions prior to 3.10.2 and has been partially addressed in subsequent updates. The vm2 library, widely used in SaaS platforms and open-source projects, was discontinued in 2023 due to repeated sandbox-escape vulnerabilities but was resurrected in 2025. The vulnerability is trivial to exploit, and users are advised to upgrade to the latest version (3.10.3) to mitigate the risk. The vulnerability carries a CVSS score of 9.8 out of 10.0, highlighting its criticality. The maintainer has acknowledged that new bypasses will likely be discovered in the future, urging users to keep the library up to date and consider alternatives like isolated-vm for stronger isolation guarantees.

Open in new tab

Chainlit Framework Vulnerabilities Expose AI Application Infrastructure

Two high-severity vulnerabilities in the Chainlit framework, tracked as CVE-2026-22218 and CVE-2026-22219, allow authenticated users to read arbitrary files and perform server-side request forgery (SSRF), potentially exposing sensitive data and cloud resources. These vulnerabilities, collectively dubbed ChainLeak by Zafran Security, were responsibly disclosed on November 23, 2025, and patched on December 24, 2025, with the release of Chainlit version 2.9.4. Chainlit, widely used for building conversational AI applications, has seen significant adoption with over 7.3 million downloads to date, including 220,000 in the past week alone. The vulnerabilities highlight the risks posed by traditional web flaws in AI application environments, particularly in enterprise deployments and academic institutions.

Open in new tab