Find notable cyber news and cases, enriched with sources, timelines, and signals.

N8n 2.4.0 security update for sandbox-escape flaw (CVE-2026-25049)

Security Patch Release
First reported
Last updated
Happening score
H score 39
1 unique sources, 1 articles

Summary

Hide ▲

n8n released version 2.4.0 on January 12, 2026, fixing a sandbox-escape bypass that could let authenticated workflow editors achieve remote code execution on affected servers. The update came after developers confirmed the bypass on December 30. Because the flaw could lead to full host compromise, the release is a security-critical update for exposed n8n deployments. Operators that cannot upgrade immediately should treat the vendor workaround as only a temporary mitigation.

Related Happenings

Fortinet security patch release for CVE-2026-39813

Security Patch Release
H score41 First: 16.06.2026 12:19 Last: 16.06.2026 12:19 Sources 1

About this happening: **Fortinet** released **April 14** security updates for **FortiSandbox**, covering **CVE-2026-39813**, **CVE-2026-39808**, and **CVE-2026-25089**. The patch release fixes **three...

SimpleHelp security update for CVE-2026-48558

Security Patch Release
H score65 First: 15.06.2026 23:06 Last: 15.06.2026 23:06 Sources 1

About this happening: **SimpleHelp** released **5.5.16** and **6.0 RC2** on **June 9** to fix **CVE-2026-48558**, a critical **OIDC** authentication flaw in **SimpleHelp remote management software** th...

LiteLLM endpoint-hardening patch release (CVE-2026-42271)

Security Patch Release
H score59 First: 09.06.2026 09:26 Last: 09.06.2026 09:26 Sources 1

About this happening: BerriAI released **LiteLLM 1.83.7**, hardening access to the vulnerable **MCP test endpoints** that accepted full server configurations. The update now requires the **PROXY_ADMIN*...

LiteSpeed cPanel user-end plugin urgent security update (CVE-2026-48172)

Security Patch Release
H score42 First: 27.05.2026 13:06 Last: 27.05.2026 13:06 Sources 1

About this happening: LiteSpeed released **urgent security updates** for the **cPanel user-end plugin** after **CVE-2026-48172** was found to be **actively exploited**, reducing exposure for systems ru...

Latest development: 16.06.2026 13:47

CISA added CVE-2026-48172/CVE-2026-54420 in the LiteSpeed cPanel user-end plugin to the Known Exploited Vulnerabilities Catalog and ordered Federal Civilian Executive Branch agencies to secure affected servers within three days under BOD 26-04. The affected plugin versions before 2.4.8 are described as actively exploited, with FTP or web shell access enabling root escalation on shared hosting servers running CloudLinux/CageFS.

Cisco Secure Workload REST API patch release (CVE-2026-20223)

Security Patch Release
H score55 First: 22.05.2026 08:36 Last: 22.05.2026 08:36 Sources 1

About this happening: Cisco patched **CVE-2026-20223**, a **CVSS 10.0** Secure Workload REST API flaw that could expose sensitive data and allow configuration changes across tenant boundaries. The upda...

Timeline

  1. 04.02.2026 23:14 1 articles · 5mo ago

    Researchers demonstrate a chained sandbox bypass in n8n

    Technical Analysis Update

    Researchers demonstrated to n8n maintainers that a chained bypass in the workflow-expression sandbox could escape to the Node.js global object and reach remote code execution on the n8n server for an authenticated workflow editor.

    Show sources
  2. 04.02.2026 23:14 1 articles · 5mo ago

    Initial n8n fix leaves a second escape path

    Mitigation Patch Update

    A fix was implemented for the n8n sandbox-escape issue, but further analysis showed the patch was incomplete and a second escape path using equivalent operations could still reach arbitrary code execution.

    Show sources
  3. 04.02.2026 23:14 1 articles · 5mo ago

    n8n confirms the bypass

    Technical Analysis Update

    n8n developers confirmed the bypass affecting the workflow-expression sandbox, validating that weak sanitization and AST-based sandboxing could still be used against the platform.

    Show sources
  4. 04.02.2026 23:14 1 articles · 5mo ago

    CVE-2026-25049 is publicly disclosed

    Initial Disclosure

    Researchers publicly disclosed CVE-2026-25049 in n8n, describing critical sanitization bypasses that enabled remote code execution, credential theft, filesystem access, pivoting into connected cloud and internal systems, and multi-tenant data exposure; they also noted no public exploitation reports and recommended upgrading to the fixed releases 1.123.17 and 2.5.2.

    Show sources