AI Threat Alert
CVE-2025-57749: n8n: symlink traversal enables arbitrary file read/write
MEDIUMSelf-hosted n8n instances before 1.106.0 allow any authenticated workflow user to read or write arbitrary files on the host by chaining the Execute Command and Read/Write File nodes via symlinks. In AI pipeline contexts this directly exposes LLM API keys, RAG database credentials, and model configs stored on the host. Update to 1.106.0 immediately; if patching is not possible today, restrict Execute Command and Read/Write File node access to trusted users only and isolate n8n with minimal filesystem mounts.
What is the risk?
CVSS 6.5 (Medium) understates operational risk for organizations running self-hosted n8n as an AI workflow orchestrator. Low complexity and low privilege requirements mean any authenticated workflow editor can exploit this without specialized knowledge. The attack surface expands significantly when the n8n host stores sensitive AI stack credentials—OpenAI/Anthropic API keys, vector DB passwords, database URIs—in local files or environment stores. n8n.cloud is explicitly unaffected; risk is isolated to self-hosted deployments.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | — | No patch |
Do you use n8n? You're affected.
How severe is it?
What is the attack surface?
What should I do?
6 steps-
Patch: Update n8n to version 1.106.0 or later immediately — this is the only complete fix.
-
Access control: Restrict Execute Command and Read/Write File node usage to a minimum set of trusted users; audit current workflow permissions for unexpected access.
-
Containment: Run n8n in a container with a minimal read-only filesystem bind mount; avoid mounting the host root or home directories.
-
Secrets hygiene: Move all credentials (LLM API keys, DB passwords) out of local files and into a secrets manager (HashiCorp Vault, AWS Secrets Manager); ensure .env files are not present on the n8n host filesystem.
-
Detection: Review n8n workflow execution logs for Execute Command node invocations creating symlinks (ln -s); alert on Read/Write File node operations resolving paths outside expected working directories.
-
Verify exposure: Inventory what sensitive files exist on the n8n host filesystem that could be read by a low-privileged workflow user.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2025-57749?
Self-hosted n8n instances before 1.106.0 allow any authenticated workflow user to read or write arbitrary files on the host by chaining the Execute Command and Read/Write File nodes via symlinks. In AI pipeline contexts this directly exposes LLM API keys, RAG database credentials, and model configs stored on the host. Update to 1.106.0 immediately; if patching is not possible today, restrict Execute Command and Read/Write File node access to trusted users only and isolate n8n with minimal filesystem mounts.
Is CVE-2025-57749 actively exploited?
No confirmed active exploitation of CVE-2025-57749 has been reported, but organizations should still patch proactively.
How to fix CVE-2025-57749?
1. Patch: Update n8n to version 1.106.0 or later immediately — this is the only complete fix. 2. Access control: Restrict Execute Command and Read/Write File node usage to a minimum set of trusted users; audit current workflow permissions for unexpected access. 3. Containment: Run n8n in a container with a minimal read-only filesystem bind mount; avoid mounting the host root or home directories. 4. Secrets hygiene: Move all credentials (LLM API keys, DB passwords) out of local files and into a secrets manager (HashiCorp Vault, AWS Secrets Manager); ensure .env files are not present on the n8n host filesystem. 5. Detection: Review n8n workflow execution logs for Execute Command node invocations creating symlinks (ln -s); alert on Read/Write File node operations resolving paths outside expected working directories. 6. Verify exposure: Inventory what sensitive files exist on the n8n host filesystem that could be read by a low-privileged workflow user.
What systems are affected by CVE-2025-57749?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI orchestration pipelines, RAG pipelines, training pipelines, model serving.
What is the CVSS score for CVE-2025-57749?
CVE-2025-57749 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.45%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0037 Data from Local System AML.T0049 Exploit Public-Facing Application AML.T0053 AI Agent Tool Invocation AML.T0055 Unsecured Credentials AML.T0083 Credentials from AI Agent Configuration Compliance Controls Affected
What are the technical details?
Original Advisory
n8n is a workflow automation platform. Before 1.106.0, a symlink traversal vulnerability was discovered in the Read/Write File node in n8n. While the node attempts to restrict access to sensitive directories and files, it does not properly account for symbolic links (symlinks). An attacker with the ability to create symlinks—such as by using the Execute Command node—could exploit this to bypass the intended directory restrictions and read from or write to otherwise inaccessible paths. Users of n8n.cloud are not impacted. Affected users should update to version 1.106.0 or later.
Exploitation Scenario
An attacker with low-privilege workflow editing access in a self-hosted n8n AI automation environment creates a new workflow. Using the Execute Command node, they run: `ln -s /home/appuser/.env /tmp/n8n-files/env_link` — creating a symlink from a permitted directory to the sensitive target. They then trigger the Read File node with the symlink path, which resolves the symlink and returns the contents of the restricted file, bypassing the intended directory check. The attacker captures OpenAI API keys, Anthropic API keys, Pinecone/Weaviate credentials, or database connection strings. These credentials then enable lateral movement into the broader AI infrastructure — compromising model inference APIs, poisoning vector databases, or incurring unbounded API costs. The entire exploit chain requires only standard n8n workflow nodes and a few minutes to execute.
Weaknesses (CWE)
CWE-59 — Improper Link Resolution Before File Access ('Link Following'): The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
- [Architecture and Design] Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N References
Timeline
Related Vulnerabilities
CVE-2026-33663 10.0 n8n: member role steals plaintext HTTP credentials
Same package: n8n CVE-2026-33660 10.0 TensorFlow: type confusion NPD in tensor conversion
Same package: n8n CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation
Same package: n8n CVE-2026-27577 9.9 n8n: Code Injection enables RCE
Same package: n8n CVE-2026-27494 9.9 n8n: security flaw enables exploitation
Same package: n8n