CVE-2026-25055: n8n: Path Traversal enables file access

HIGH
Published February 4, 2026
CISO Take

n8n, increasingly deployed as an AI agent orchestration layer for LLM pipelines and RAG ingestion workflows, contains a path traversal vulnerability in its SSH node that allows unauthenticated attackers to write files to arbitrary locations on remote servers, enabling RCE on downstream AI infrastructure. If your AI pipelines use n8n with SSH nodes and any unauthenticated file upload endpoints, treat this as urgent: patch to 1.123.12 (v1) or 2.4.0 (v2) immediately and audit exposed workflow endpoints.

Risk Assessment

CVSS 8.1 High with Network attack vector and no privileges required, though High attack complexity (AC:H) provides partial mitigation: exploitation requires attacker knowledge of a specific workflow structure and an exposed unauthenticated upload endpoint. In AI/ML environments, n8n is frequently used to orchestrate file-processing pipelines connecting LLMs, RAG systems, and remote infrastructure over SSH, which significantly amplifies the blast radius: a single workflow compromise can pivot to full lateral movement across AI backend systems, including model servers, vector databases, and training infrastructure.

Affected Systems

Package: n8n
Ecosystem: npm
Vulnerable Range / Patched: No patch


Severity & Risk

CVSS 3.1: 8.1 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 38% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): High
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

  1. Patch n8n to version 1.123.12 (v1 branch) or 2.4.0 (v2 branch) immediately; no known workaround substitutes for patching.
  2. Audit all n8n workflows using the SSH node and identify any that accept externally-sourced files or filenames.
  3. Require authentication on all file upload webhook endpoints; unauthenticated upload endpoints are a hard prerequisite for exploitation.
  4. Implement server-side filename sanitization and path validation as defense-in-depth regardless of patch status.
  5. Apply least-privilege SSH keys for n8n; restrict write permissions on remote targets to specific designated directories only.
  6. Monitor SSH transfers in your SIEM for path traversal patterns in filenames (sequences containing '../' or absolute paths) as a detection indicator.

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 (Accuracy, robustness and cybersecurity); Article 9 (Risk Management System)
ISO 42001: A.6.2.3 (AI system security controls); A.6.2.6 (AI System Security)
NIST AI RMF: MANAGE 2.2 (Mechanisms to sustain the value of deployed AI systems); MANAGE-2.2 (Mechanisms are in place to sustain governance of AI risk)
OWASP LLM Top 10: LLM08 (Excessive Agency)

Frequently Asked Questions

Is CVE-2026-25055 actively exploited?

No confirmed active exploitation of CVE-2026-25055 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-25055?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, workflow automation pipelines, RAG pipelines, training pipelines, model serving.

What is the CVSS score for CVE-2026-25055?

CVE-2026-25055 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.17%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata, the vulnerability can lead to files being written to unintended locations on those remote systems, potentially leading to remote code execution on those systems. As prerequisites, an unauthenticated attacker needs knowledge of such workflows existing, and the endpoints for file uploads need to be unauthenticated. This issue has been patched in versions 1.123.12 and 2.4.0.

Exploitation Scenario

An adversary conducting reconnaissance discovers an organization's AI document ingestion pipeline built on n8n with an unauthenticated HTTP webhook that accepts file uploads, a common pattern in RAG document ingestion workflows. The attacker uploads a malicious file with a crafted filename such as '../../home/ubuntu/.ssh/authorized_keys' containing their public SSH key. The n8n SSH node transfers the file to the remote AI infrastructure host without validating the filename, writing the attacker's public key to the authorized_keys file. The attacker then authenticates directly to the AI backend server via SSH, gaining full shell access to model servers, training infrastructure, or vector databases connected downstream in the pipeline.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: February 4, 2026
Last Modified: February 5, 2026
First Seen: February 4, 2026
