N8n 2.4.0 security update for sandbox-escape flaw (CVE-2026-25049)
Security Patch Release
Summary
Hide ▲
Show ▼
n8n released version 2.4.0 on January 12, 2026, fixing a sandbox-escape bypass that could let authenticated workflow editors achieve remote code execution on affected servers. The update came after developers confirmed the bypass on December 30. Because the flaw could lead to full host compromise, the release is a security-critical update for exposed n8n deployments. Operators that cannot upgrade immediately should treat the vendor workaround as only a temporary mitigation.
Related Happenings
Fortinet security patch release for CVE-2026-39813
Security Patch Release
H score41
First: 16.06.2026 12:19
Last: 16.06.2026 12:19
Sources 1
About this happening:
**Fortinet** released **April 14** security updates for **FortiSandbox**, covering **CVE-2026-39813**, **CVE-2026-39808**, and **CVE-2026-25089**. The patch release fixes **three...
Fortinet security patch release for CVE-2026-39813
Security Patch ReleaseAbout this happening: **Fortinet** released **April 14** security updates for **FortiSandbox**, covering **CVE-2026-39813**, **CVE-2026-39808**, and **CVE-2026-25089**. The patch release fixes **three...
SimpleHelp security update for CVE-2026-48558
Security Patch Release
H score65
First: 15.06.2026 23:06
Last: 15.06.2026 23:06
Sources 1
About this happening:
**SimpleHelp** released **5.5.16** and **6.0 RC2** on **June 9** to fix **CVE-2026-48558**, a critical **OIDC** authentication flaw in **SimpleHelp remote management software** th...
SimpleHelp security update for CVE-2026-48558
Security Patch ReleaseAbout this happening: **SimpleHelp** released **5.5.16** and **6.0 RC2** on **June 9** to fix **CVE-2026-48558**, a critical **OIDC** authentication flaw in **SimpleHelp remote management software** th...
LiteLLM endpoint-hardening patch release (CVE-2026-42271)
Security Patch Release
H score59
First: 09.06.2026 09:26
Last: 09.06.2026 09:26
Sources 1
About this happening:
BerriAI released **LiteLLM 1.83.7**, hardening access to the vulnerable **MCP test endpoints** that accepted full server configurations. The update now requires the **PROXY_ADMIN*...
LiteLLM endpoint-hardening patch release (CVE-2026-42271)
Security Patch ReleaseAbout this happening: BerriAI released **LiteLLM 1.83.7**, hardening access to the vulnerable **MCP test endpoints** that accepted full server configurations. The update now requires the **PROXY_ADMIN*...
LiteSpeed cPanel user-end plugin urgent security update (CVE-2026-48172)
Security Patch Release
H score42
First: 27.05.2026 13:06
Last: 27.05.2026 13:06
Sources 1
About this happening:
LiteSpeed released **urgent security updates** for the **cPanel user-end plugin** after **CVE-2026-48172** was found to be **actively exploited**, reducing exposure for systems ru...
LiteSpeed cPanel user-end plugin urgent security update (CVE-2026-48172)
Security Patch ReleaseAbout this happening: LiteSpeed released **urgent security updates** for the **cPanel user-end plugin** after **CVE-2026-48172** was found to be **actively exploited**, reducing exposure for systems ru...
Latest development: 16.06.2026 13:47
CISA added CVE-2026-48172/CVE-2026-54420 in the LiteSpeed cPanel user-end plugin to the Known Exploited Vulnerabilities Catalog and ordered Federal Civilian Executive Branch agencies to secure affected servers within three days under BOD 26-04. The affected plugin versions before 2.4.8 are described as actively exploited, with FTP or web shell access enabling root escalation on shared hosting servers running CloudLinux/CageFS.
Cisco Secure Workload REST API patch release (CVE-2026-20223)
Security Patch Release
H score55
First: 22.05.2026 08:36
Last: 22.05.2026 08:36
Sources 1
About this happening:
Cisco patched **CVE-2026-20223**, a **CVSS 10.0** Secure Workload REST API flaw that could expose sensitive data and allow configuration changes across tenant boundaries. The upda...
Cisco Secure Workload REST API patch release (CVE-2026-20223)
Security Patch ReleaseAbout this happening: Cisco patched **CVE-2026-20223**, a **CVSS 10.0** Secure Workload REST API flaw that could expose sensitive data and allow configuration changes across tenant boundaries. The upda...
Timeline
-
04.02.2026 23:14 1 articles · 5mo ago
Researchers demonstrate a chained sandbox bypass in n8n
Technical Analysis UpdateResearchers demonstrated to n8n maintainers that a chained bypass in the workflow-expression sandbox could escape to the Node.js global object and reach remote code execution on the n8n server for an authenticated workflow editor.
Show sources
- Critical n8n flaws disclosed along with public exploits — www.bleepingcomputer.com — 04.02.2026 23:14
-
04.02.2026 23:14 1 articles · 5mo ago
Initial n8n fix leaves a second escape path
Mitigation Patch UpdateA fix was implemented for the n8n sandbox-escape issue, but further analysis showed the patch was incomplete and a second escape path using equivalent operations could still reach arbitrary code execution.
Show sources
- Critical n8n flaws disclosed along with public exploits — www.bleepingcomputer.com — 04.02.2026 23:14
-
04.02.2026 23:14 1 articles · 5mo ago
n8n confirms the bypass
Technical Analysis Updaten8n developers confirmed the bypass affecting the workflow-expression sandbox, validating that weak sanitization and AST-based sandboxing could still be used against the platform.
Show sources
- Critical n8n flaws disclosed along with public exploits — www.bleepingcomputer.com — 04.02.2026 23:14
-
04.02.2026 23:14 2 articles · 5mo ago
n8n releases version 2.4.0
Mitigation Patch Updaten8n released version 2.4.0 to address CVE-2026-25049, closing the bypass that let authenticated workflow editors escape the sandbox and take over affected servers.
Show sources
- Critical n8n flaws disclosed along with public exploits — www.bleepingcomputer.com — 04.02.2026 23:14
- Critical n8n flaws disclosed along with public exploits — www.bleepingcomputer.com — 04.02.2026 23:14
-
04.02.2026 23:14 1 articles · 5mo ago
CVE-2026-25049 is publicly disclosed
Initial DisclosureResearchers publicly disclosed CVE-2026-25049 in n8n, describing critical sanitization bypasses that enabled remote code execution, credential theft, filesystem access, pivoting into connected cloud and internal systems, and multi-tenant data exposure; they also noted no public exploitation reports and recommended upgrading to the fixed releases 1.123.17 and 2.5.2.
Show sources
- Critical n8n flaws disclosed along with public exploits — www.bleepingcomputer.com — 04.02.2026 23:14