CVE-2026-25055: n8n: Path Traversal enables file access
HIGH

n8n, increasingly deployed as an AI agent orchestration layer for LLM pipelines and RAG ingestion workflows, contains a path traversal vulnerability in its SSH node that allows unauthenticated attackers to write files to arbitrary locations on remote servers — enabling RCE on downstream AI infrastructure. If your AI pipelines use n8n with SSH nodes and any unauthenticated file upload endpoints, treat this as urgent: patch to 1.123.12 (v1) or 2.4.0 (v2) immediately and audit exposed workflow endpoints.
What is the risk?
CVSS 8.1 High with Network attack vector and no privileges required, though High attack complexity (AC:H) provides partial mitigation — exploitation requires attacker knowledge of a specific workflow structure and an exposed unauthenticated upload endpoint. In AI/ML environments, n8n is frequently used to orchestrate file-processing pipelines connecting LLMs, RAG systems, and remote infrastructure over SSH, significantly amplifying blast radius: a single workflow compromise can pivot to full lateral movement across AI backend systems including model servers, vector databases, and training infrastructure.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | — | No patch |
Do you use n8n? You're affected.
What should I do?
1. Patch n8n to version 1.123.12 (v1 branch) or 2.4.0 (v2 branch) immediately — no known workaround substitutes for patching.
2. Audit all n8n workflows using the SSH node — identify any that accept externally-sourced files or filenames.
3. Require authentication on all file upload webhook endpoints; unauthenticated upload endpoints are a hard prerequisite for exploitation.
4. Implement server-side filename sanitization and path validation as defense-in-depth regardless of patch status.
5. Apply least-privilege SSH keys for n8n — restrict write permissions on remote targets to specific designated directories only.
6. Monitor SSH transfers in your SIEM for path traversal patterns in filenames (sequences containing '../' or absolute paths) as a detection indicator.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-25055 actively exploited?
No confirmed active exploitation of CVE-2026-25055 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-25055?
This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, workflow automation pipelines, RAG pipelines, training pipelines, model serving.
What is the CVSS score for CVE-2026-25055?
CVE-2026-25055 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 1.71%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0049 Exploit Public-Facing Application
- AML.T0050 Command and Scripting Interpreter
- AML.T0053 AI Agent Tool Invocation
- AML.T0072 Reverse Shell
- AML.T0081 Modify AI Agent Configuration
- AML.T0099 AI Agent Tool Data Poisoning
- AML.T0108 AI Agent Compliance Controls Affected
What are the technical details?
Original Advisory
n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata, the vulnerability can lead to files being written to unintended locations on those remote systems, potentially leading to remote code execution on those systems. As prerequisites, an unauthenticated attacker needs knowledge of such workflows existing, and the endpoints for file uploads need to be unauthenticated. This issue has been patched in versions 1.123.12 and 2.4.0.
Exploitation Scenario
An adversary conducting reconnaissance discovers an organization's AI document ingestion pipeline built on n8n with an unauthenticated HTTP webhook that accepts file uploads — a common pattern in RAG document ingestion workflows. The attacker uploads a malicious file with a crafted filename such as '../../home/ubuntu/.ssh/authorized_keys' containing their public SSH key. The n8n SSH node transfers the file to the remote AI infrastructure host without validating the filename, writing the attacker's public key to the authorized_keys file. The attacker then authenticates directly to the AI backend server via SSH, gaining full shell access to model servers, training infrastructure, or vector databases connected downstream in the pipeline.
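The detection side of the scenario above, as an added example that is neither n8n's code nor part of the advisory: it scans transfer log lines for the two indicators named in step 6, a real `..` path segment and an absolute path outside the designated upload directory, and reports which reason fired for each line. The log lines are constructed in the style of OpenSSH internal-sftp INFO logging, and `ALLOWED_BASE` is an assumption.

```javascript
// Added example (not from n8n or the advisory): flag the indicators from the
// scenario above in SSH/SFTP transfer logs. The log lines are constructed in the
// style of OpenSSH internal-sftp INFO logging; ALLOWED_BASE is an assumption.
const ALLOWED_BASE = "/srv/ingest/uploads";

// A real ".." path segment, not just the substring ".." inside a name like "a..b".
const DOT_DOT_SEGMENT = /(^|\/)\.\.(\/|$)/;

// Extracts every double-quoted path argument from one log line.
function quotedPaths(line) {
  return Array.from(line.matchAll(/"([^"]*)"/g), (m) => m[1]);
}

// Returns findings ({ line, reasons }) for lines that should raise a SIEM alert.
function findTraversalIndicators(lines, allowedBase = ALLOWED_BASE) {
  const findings = [];
  for (const line of lines) {
    const reasons = new Set();
    for (const p of quotedPaths(line)) {
      if (DOT_DOT_SEGMENT.test(p)) reasons.add("dot-dot segment in path");
      // Absolute paths that do not sit under the designated upload directory.
      if (p.startsWith("/") && !p.startsWith(allowedBase + "/")) {
        reasons.add("absolute path outside allowed base");
      }
    }
    if (reasons.size > 0) findings.push({ line, reasons: [...reasons] });
  }
  return findings;
}

// Constructed sample: one benign upload, the traversal attempt from the scenario,
// one write landing outside the base, and a benign name that merely contains "..".
const SAMPLE_LOG = [
  'sftp-server[2201]: open "/srv/ingest/uploads/report.pdf" flags WRITE,CREATE,TRUNCATE mode 0644',
  'sftp-server[2201]: open "/srv/ingest/uploads/../../home/ubuntu/.ssh/authorized_keys" flags WRITE,CREATE,TRUNCATE mode 0644',
  'sftp-server[2202]: open "/home/ubuntu/.ssh/authorized_keys" flags WRITE,CREATE,TRUNCATE mode 0644',
  'sftp-server[2203]: open "/srv/ingest/uploads/notes..v2.txt" flags WRITE,CREATE mode 0644',
];
```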
Weaknesses (CWE)
CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Related Vulnerabilities
- CVE-2026-33663 (10.0) n8n: member role steals plaintext HTTP credentials (Same package: n8n)
- CVE-2026-33660 (10.0) TensorFlow: type confusion NPD in tensor conversion (Same package: n8n)
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation (Same package: n8n)
- CVE-2026-27577 (9.9) n8n: Code Injection enables RCE (Same package: n8n)
- CVE-2026-27494 (9.9) n8n: security flaw enables exploitation (Same package: n8n)