CVE-2026-25055

HIGH
Published February 4, 2026
CISO Take

n8n, increasingly deployed as an AI agent orchestration layer for LLM pipelines and RAG ingestion workflows, contains a path traversal vulnerability in its SSH node: the node does not validate the metadata (notably the filename) of uploaded files before transferring them, so an attacker who can reach an unauthenticated file upload endpoint and knows such a workflow exists can write files to unintended locations on the remote server, potentially leading to remote code execution on downstream AI infrastructure. If your AI pipelines use n8n with SSH nodes fed by any unauthenticated file upload endpoint, treat this as urgent: patch to 1.123.12 (v1 branch) or 2.4.0 (v2 branch) immediately and audit exposed workflow endpoints.

Affected Systems

Package  Ecosystem  Vulnerable Range              Patched
n8n      npm        v1 branch, prior to 1.123.12  1.123.12
n8n      npm        v2 branch, prior to 2.4.0     2.4.0

Severity & Risk

CVSS 3.1
8.1 / 10
EPSS
N/A
KEV Status
Not in KEV
Sophistication
Moderate

Recommended Action

  1. Patch n8n to version 1.123.12 (v1 branch) or 2.4.0 (v2 branch) immediately; no known workaround substitutes for patching.
  2. Audit all n8n workflows that use the SSH node and identify any that accept externally sourced files or filenames.
  3. Require authentication on all file upload webhook endpoints; an unauthenticated upload endpoint is a hard prerequisite for exploitation.
  4. As defense in depth regardless of patch status, sanitize filenames server-side before they reach the SSH node (keep only a single path component drawn from a strict allow-list of characters and reject anything else) and verify that the resolved remote path stays inside the intended upload directory.
  5. Use least-privilege SSH keys for n8n; on remote targets, restrict the account's write permissions to specific designated directories only.
  6. Monitor SSH transfers in your SIEM for path traversal patterns in filenames (sequences containing '../', URL-encoded equivalents, or absolute paths) as a detection indicator.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk Management System
ISO 42001
A.6.2.3 - AI system security controls
A.6.2.6 - AI System Security
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM08 - Excessive Agency

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata, the vulnerability can lead to files being written to unintended locations on those remote systems, potentially leading to remote code execution on those systems. As prerequisites, an unauthenticated attacker needs knowledge of such workflows existing, and the endpoints for file uploads need to be unauthenticated. This issue has been patched in versions 1.123.12 and 2.4.0.

Exploitation Scenario

An adversary conducting reconnaissance discovers an organization's AI document ingestion pipeline built on n8n with an unauthenticated HTTP webhook that accepts file uploads, a common pattern in RAG document ingestion workflows. The attacker uploads a file whose content is their SSH public key and whose filename is crafted as '../../home/ubuntu/.ssh/authorized_keys'. The n8n SSH node joins that filename onto its target directory and transfers the file to the remote AI infrastructure host without validating it, so the traversal sequence escapes the intended directory and the attacker's key overwrites the ubuntu user's authorized_keys file. The attacker then authenticates directly to the AI backend server via SSH, gaining full shell access to model servers, training infrastructure, or vector databases connected downstream in the pipeline.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
February 4, 2026
Last Modified
February 5, 2026
First Seen
February 4, 2026