CVE-2026-25056: n8n: Arbitrary File Upload enables RCE

HIGH
Published February 4, 2026
CISO Take

If your organization uses n8n for AI agent orchestration or workflow automation, treat this as critical regardless of the CVSS 8.8 rating — any authenticated user with workflow edit permissions can write arbitrary files to the server filesystem and achieve RCE. Patch immediately to n8n 1.118.0 or 2.4.0; if patching is delayed, restrict workflow creation and modification permissions to a minimal set of trusted users and audit existing workflows for Merge node SQL Query usage.

Risk Assessment

High exploitability (CVSS 8.8, network-accessible, low complexity, no user interaction required) combined with broad organizational exposure — n8n is increasingly deployed as the orchestration backbone for AI agent pipelines, connecting LLMs to internal tools, databases, and APIs. A compromised n8n server provides an adversary with lateral movement opportunities across every system the platform integrates with, including AI models, RAG datastores, and enterprise data sources. The attack requires only a valid low-privilege account, which is a low bar in multi-user n8n deployments.

Affected Systems

Package Ecosystem Vulnerable Range Patched
n8n npm No patch

Severity & Risk

CVSS 3.1
8.8 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 41% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

Attack Vector (AV) Network
Attack Complexity (AC) Low
Privileges Required (PR) Low
User Interaction (UI) None
Scope (S) Unchanged
Confidentiality (C) High
Integrity (I) High
Availability (A) High

Recommended Action

6 steps
  1. PATCH

    Update n8n to version 1.118.0 (v1 branch) or 2.4.0 (v2 branch) immediately.

  2. DETECT

    Audit workflow logs and definitions for Merge nodes configured in SQL Query mode — query your n8n database for workflows containing this node type.

  3. RESTRICT

    Apply least-privilege to workflow creation and modification permissions; only trusted users should be able to create or modify workflows.

  4. MONITOR

    Alert on unexpected file creation events in the n8n server filesystem, particularly in web root directories, temp folders, or application directories.

  5. INVENTORY

    Enumerate all credentials and API keys stored in n8n workflows and rotate any that may have been exposed post-incident.

  6. NETWORK

    Place n8n behind a VPN or internal-only access policy; it should not be internet-exposed without strong authentication controls.
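An added audit helper for the PATCH and DETECT steps above (example code, not part of this advisory or of n8n): it checks an n8n version string against the patched releases named here and scans stored workflow JSON for Merge nodes in SQL Query mode so each query can be reviewed by hand. The node type id and the mode value `combineBySql` are assumptions about n8n's exported workflow format (taken from the Merge node v3), and the sample workflows are constructed.

```python
import json

# Patched versions named in the advisory: 1.118.0 (v1 branch) and 2.4.0 (v2 branch).
PATCHED = {1: (118, 0), 2: (4, 0)}

# Node type id used in exported n8n workflow JSON, and the value the Merge node (v3)
# stores for its "SQL Query" mode: both assumed; confirm against an export from your instance.
MERGE_NODE_TYPE = "n8n-nodes-base.merge"
SQL_QUERY_MODE = "combineBySql"


def is_vulnerable_version(version: str) -> bool:
    """True if this n8n version predates the fix on its release branch."""
    core = version.strip().lstrip("v").split("-")[0]  # drop "v" prefix and pre-release tag
    parts = [int(x) for x in core.split(".")[:3]] + [0, 0, 0]
    major, minor, patch = parts[:3]
    if major < 1:
        return True          # 0.x predates both fixes
    if major not in PATCHED:
        return False         # 3.x and later ship after both fixes
    return (minor, patch) < PATCHED[major]


def find_sql_merge_nodes(workflow: dict) -> list[dict]:
    """Return every Merge node in SQL Query mode, with its query text for human review."""
    hits = []
    for node in workflow.get("nodes", []):
        if node.get("type") != MERGE_NODE_TYPE:
            continue
        params = node.get("parameters") or {}
        if params.get("mode") == SQL_QUERY_MODE:
            hits.append({"workflow": workflow.get("name"), "node": node.get("name"),
                         "query": params.get("query", "")})
    return hits


def audit_workflows(workflow_jsons: list[str]) -> list[dict]:
    """Scan the stored JSON of many workflows (e.g. rows read from the n8n workflow table)."""
    return [hit for raw in workflow_jsons for hit in find_sql_merge_nodes(json.loads(raw))]


# Constructed sample workflows: one benign Merge (append mode), one in SQL Query mode.
SAMPLE_WORKFLOWS = [
    json.dumps({"name": "Nightly report", "nodes": [
        {"name": "Merge", "type": MERGE_NODE_TYPE, "typeVersion": 3,
         "parameters": {"mode": "append"}}]}),
    json.dumps({"name": "Agent tool router", "nodes": [
        {"name": "Merge1", "type": MERGE_NODE_TYPE, "typeVersion": 3,
         "parameters": {"mode": SQL_QUERY_MODE,
                        "query": "SELECT * FROM input1 LEFT JOIN input2 USING (id)"}}]}),
]
```

Feed `audit_workflows` the raw JSON from your workflow storage (or exported workflow files); every hit is a node whose query should be read by a human before the workflow is allowed to keep running.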

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
    Art. 9 - Risk Management System
    Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
    A.6.2 - AI System Lifecycle — Development and Acquisition
    A.6.2.6 - AI system security and resilience
    A.9.4 - AI System Security
NIST AI RMF
    GOVERN-1.7 - AI Risk Policies and Procedures
    MANAGE-2.2 - Risk Treatment
OWASP LLM Top 10
    LLM03:2025 - Supply Chain Vulnerabilities
    LLM06:2025 - Excessive Agency
    LLM07 - Insecure Plugin Design (2023 list)
    LLM08 - Excessive Agency (2023 list)

Frequently Asked Questions

What is CVE-2026-25056?

CVE-2026-25056 is an arbitrary file write in n8n's Merge node SQL Query mode. Before versions 1.118.0 and 2.4.0, any authenticated user with permission to create or modify workflows could write arbitrary files to the n8n server's filesystem, potentially leading to remote code execution. Treat it as critical if n8n orchestrates AI agents or automation in your organization, regardless of the CVSS 8.8 rating.

Is CVE-2026-25056 actively exploited?

No confirmed active exploitation of CVE-2026-25056 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-25056?

Update n8n to 1.118.0 (v1 branch) or 2.4.0 (v2 branch). While patching is pending, follow the six steps under Recommended Action above: restrict workflow creation and modification to trusted users, audit existing workflows for Merge nodes in SQL Query mode, alert on unexpected file creation on the n8n server, rotate credentials stored in workflows after any suspected compromise, and keep n8n off the public internet.

What systems are affected by CVE-2026-25056?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow automation, LLM tool integration platforms, RAG pipelines.

What is the CVSS score for CVE-2026-25056?

CVE-2026-25056 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.19%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to versions 1.118.0 and 2.4.0, a vulnerability in the Merge node's SQL Query mode allowed authenticated users with permission to create or modify workflows to write arbitrary files to the n8n server's filesystem, potentially leading to remote code execution. This issue has been patched in versions 1.118.0 and 2.4.0.

Exploitation Scenario

An adversary with a low-privilege n8n account — obtained through phishing a developer, credential stuffing, or insider access — creates or modifies a workflow containing a Merge node configured in SQL Query mode. By crafting a malicious SQL query payload, they write a web shell or malicious script to a writable directory on the n8n server filesystem. If n8n is deployed with write access to a web-served directory, the shell becomes immediately accessible. In AI-specific contexts, the attacker can overwrite n8n workflow configuration files to inject malicious tool definitions into existing AI agent workflows, causing the agent to exfiltrate data or execute adversary-controlled commands every time a legitimate user triggers the workflow. This creates a persistent, stealthy compromise of the entire AI agent orchestration layer without requiring any further user interaction.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
February 4, 2026
Last Modified
February 5, 2026
First Seen
February 4, 2026
