AI Threat Alert AI Threat Alert

CVE-2025-62726: n8n: security flaw enables exploitation

HIGH
Published October 30, 2025
CISO Take

Any n8n instance below 1.113.0 is a credential dump waiting to happen. An attacker with a low-privilege n8n account can host a malicious git repo with a poisoned pre-commit hook, trigger RCE the moment any workflow runs a Commit operation, and walk away with every API key, OAuth token, and database password stored in your automation platform. Patch to 1.113.0 immediately — if you cannot, rotate all n8n-stored credentials now and disable Git Node access.

Risk Assessment

HIGH risk in practice, warranting treatment as critical in AI automation environments. CVSS 8.8 with network-accessible, low-complexity, low-privilege exploitation and no meaningful user interaction barrier. The blast radius is disproportionate to the severity score: n8n environments aggregate credentials for every integrated service (cloud APIs, databases, SaaS tools, LLM providers). Organizations running n8n as an AI orchestration backbone should escalate to critical given the credential and lateral-movement exposure.

Affected Systems

Package Ecosystem Vulnerable Range Patched
n8n npm No patch
186.5K OpenSSF 6.0 16 dependents Pushed 6d ago 40% patched ~3d to patch Full package profile →

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1
8.8 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 32% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

Recommended Action

6 steps

  1. IMMEDIATE

    Upgrade n8n to 1.113.0 or later — the only complete fix.

  2. DETECT

    Audit all workflows for Git Node usage; flag any that clone external or user-supplied repositories.

  3. RESTRICT

    Treat Git Node access as a privileged operation — limit who can create or modify workflows containing Git Nodes.

  4. ROTATE

    If patching is delayed, proactively rotate all credentials stored in n8n (API keys, OAuth tokens, DB passwords).

  5. ISOLATE

    Ensure n8n runs in a container with minimal host permissions, network egress restrictions, and no direct mount of sensitive host paths.

  6. MONITOR

    Alert on unexpected outbound connections and process spawning from the n8n process — a reverse shell will be the typical payload.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Data Extraction Agent Framework Plugin AML.T0010.001 AML.T0049 AML.T0050 AML.T0053 AML.T0072 AML.T0083

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - AI supply chain security A.7.4 - Protection of AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain AI risk management
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-62726?

Any n8n instance below 1.113.0 is a credential dump waiting to happen. An attacker with a low-privilege n8n account can host a malicious git repo with a poisoned pre-commit hook, trigger RCE the moment any workflow runs a Commit operation, and walk away with every API key, OAuth token, and database password stored in your automation platform. Patch to 1.113.0 immediately — if you cannot, rotate all n8n-stored credentials now and disable Git Node access.

Is CVE-2025-62726 actively exploited?

No confirmed active exploitation of CVE-2025-62726 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-62726?

1. IMMEDIATE: Upgrade n8n to 1.113.0 or later — the only complete fix. 2. DETECT: Audit all workflows for Git Node usage; flag any that clone external or user-supplied repositories. 3. RESTRICT: Treat Git Node access as a privileged operation — limit who can create or modify workflows containing Git Nodes. 4. ROTATE: If patching is delayed, proactively rotate all credentials stored in n8n (API keys, OAuth tokens, DB passwords). 5. ISOLATE: Ensure n8n runs in a container with minimal host permissions, network egress restrictions, and no direct mount of sensitive host paths. 6. MONITOR: Alert on unexpected outbound connections and process spawning from the n8n process — a reverse shell will be the typical payload.

What systems are affected by CVE-2025-62726?

This vulnerability affects the following AI/ML architecture patterns: AI agent orchestration platforms, workflow automation pipelines, agent frameworks, LLM tool-use integrations, CI/CD automation with AI integration.

What is the CVSS score for CVE-2025-62726?

CVE-2025-62726 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.13%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to 1.113.0, a remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository containing a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigger the hook’s execution. This allows attackers to execute arbitrary code within the n8n environment, potentially compromising the system and any connected credentials or workflows. This vulnerability is fixed in 1.113.0.

Exploitation Scenario

Attacker registers a low-privilege account on a shared n8n instance (or compromises one via credential stuffing). They create a workflow that clones a GitHub repository they control — the repo contains a .git/hooks/pre-commit script with a reverse shell payload. The workflow is saved and triggered on a schedule or by a webhook. When n8n's Git Node executes the Commit operation against the cloned repository, the pre-commit hook fires inside n8n's runtime. The attacker receives a reverse shell, dumps n8n's encrypted credential store, and pivots to every API, database, and cloud service the automation platform touches — including any connected LLM providers, vector databases, or internal AI tools.

Weaknesses (CWE)

CWE-829

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
October 30, 2025
Last Modified
December 31, 2025
First Seen
October 30, 2025

Related Vulnerabilities

CRITICAL CVE-2026-33663 10.0

n8n: member role steals plaintext HTTP credentials

Same package: n8n
CRITICAL CVE-2026-33660 10.0

TensorFlow: type confusion NPD in tensor conversion

Same package: n8n
CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same package: n8n
CRITICAL CVE-2026-27577 9.9

n8n: Code Injection enables RCE

Same package: n8n
CRITICAL CVE-2026-27494 9.9

n8n: security flaw enables exploitation

Same package: n8n
Back to Threat Feed