Main Vulnerability Database Vulnerabilities #VU122481

Improper Control of Dynamically-Managed Code Resources in n8n - CVE-2026-25049

Published: February 9, 2026

Vulnerability identifier: #VU122481

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-25049

CWE-ID: CWE-913

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: n8n

Affected software:
n8n

Detailed vulnerability description

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to an incomplete fix in the expression evaluation for #VU120269 (CVE-2025-68613). A remote user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n.

How to mitigate CVE-2026-25049

Install updates from vendor's website.

Sources

https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8

Improper Control of Dynamically-Managed Code Resources in n8n - CVE-2026-25049

Detailed vulnerability description

How to mitigate CVE-2026-25049

Sources

Please verify you're human