CVE-2026-25056: n8n: Arbitrary File Upload enables RCE

HIGH
Published February 4, 2026
CISO Take

If your organization uses n8n for AI agent orchestration or workflow automation, treat this as critical regardless of the CVSS 8.8 rating — any authenticated user with workflow edit permissions can write arbitrary files to the server filesystem and achieve RCE. Patch immediately to n8n 1.118.0 or 2.4.0; if patching is delayed, restrict workflow creation and modification permissions to a minimal set of trusted users and audit existing workflows for Merge node SQL Query usage.

What is the risk?

High exploitability (CVSS 8.8, network-accessible, low complexity, no user interaction required) combined with broad organizational exposure — n8n is increasingly deployed as the orchestration backbone for AI agent pipelines, connecting LLMs to internal tools, databases, and APIs. A compromised n8n server provides an adversary with lateral movement opportunities across every system the platform integrates with, including AI models, RAG datastores, and enterprise data sources. The attack requires only a valid low-privilege account, which is a low bar in multi-user n8n deployments.

What systems are affected?

Package: n8n
Ecosystem: npm
Vulnerable Range: (not listed)
Patched: No patch

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
0.7%
chance of exploitation in 30 days
Higher than 47% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

6 steps
  1. PATCH

    Update n8n to version 1.118.0 (v1 branch) or 2.4.0 (v2 branch) immediately.

  2. DETECT

    Audit workflow logs and definitions for Merge nodes configured in SQL Query mode — query your n8n database for workflows containing this node type.

  3. RESTRICT

    Apply least-privilege to workflow creation and modification permissions; only trusted users should be able to create or modify workflows.

  4. MONITOR

    Alert on unexpected file creation events in the n8n server filesystem, particularly in web root directories, temp folders, or application directories.

  5. INVENTORY

    Enumerate all credentials and API keys stored in n8n workflows and rotate any that may have been exposed post-incident.

  6. NETWORK

    Place n8n behind a VPN or internal-only access policy; it should not be internet-exposed without strong authentication controls.
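The PATCH and DETECT steps above, as an added example that is not part of this advisory or of n8n's own code: a Python script that walks exported n8n workflow JSON for Merge nodes in SQL Query mode and checks a running version against the fixed releases. The node type id `n8n-nodes-base.merge`, the mode value `combineBySql`, and the sample workflows are assumptions to verify against the node definitions of your own n8n version.

```python
"""Find Merge nodes in SQL Query mode in exported n8n workflows and check
whether an n8n version predates the fix (1.118.0 / 2.4.0).

Added example for this advisory, not n8n project code.
"""
import json
import re

MERGE_NODE_TYPE = "n8n-nodes-base.merge"  # assumed node type id
SQL_QUERY_MODE = "combineBySql"           # assumed parameter value for "SQL Query"

# Fixed versions named in the advisory, keyed by release branch.
PATCHED = {1: (1, 118, 0), 2: (2, 4, 0)}


def parse_version(version):
    """Return (major, minor, patch) from a string such as '1.117.3' or 'v2.3.0'."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version):
    """True if this version is older than the fix on its branch."""
    v = parse_version(version)
    if v[0] < 1:        # 0.x releases predate both fixes
        return True
    if v[0] > 2:        # later branches post-date the fix
        return False
    return v < PATCHED[v[0]]


def find_sql_merge_nodes(workflow):
    """Return (workflow name, node name, query) for each Merge node in SQL Query mode."""
    hits = []
    for node in workflow.get("nodes", []):
        if node.get("type") != MERGE_NODE_TYPE:
            continue
        params = node.get("parameters", {})
        if params.get("mode") == SQL_QUERY_MODE:
            hits.append((workflow.get("name", "?"), node.get("name", "?"),
                         params.get("query", "")))
    return hits


def scan_workflows(workflows):
    """Scan a list of workflow dicts (the shape of an n8n export) and collect hits."""
    hits = []
    for wf in workflows:
        hits.extend(find_sql_merge_nodes(wf))
    return hits


# Constructed sample export: one benign Merge node, one in SQL Query mode.
SAMPLE_WORKFLOWS = [
    {"name": "nightly-report", "nodes": [
        {"name": "Merge", "type": MERGE_NODE_TYPE, "typeVersion": 3,
         "parameters": {"mode": "append"}},
    ]},
    {"name": "agent-enrichment", "nodes": [
        {"name": "Merge1", "type": MERGE_NODE_TYPE, "typeVersion": 3,
         "parameters": {"mode": SQL_QUERY_MODE,
                        "query": "SELECT * FROM input1 LEFT JOIN input2 ON input1.id = input2.id"}},
        {"name": "HTTP Request", "type": "n8n-nodes-base.httpRequest", "parameters": {}},
    ]},
]

if __name__ == "__main__":
    import sys
    workflows = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_WORKFLOWS
    for wf_name, node_name, query in scan_workflows(workflows):
        print(f"[review] workflow={wf_name!r} node={node_name!r} query={query!r}")
    for ver in ("1.117.4", "1.118.0", "2.3.2", "2.4.0"):
        print(ver, "vulnerable" if is_vulnerable_version(ver) else "patched")
```

Point the script at a file produced by n8n's workflow export command (or at the workflow JSON read from the `nodes` column of the workflow table, assuming the default n8n schema) and review the query text of every hit; a version reported as vulnerable by `is_vulnerable_version` should be patched before that review is treated as complete.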

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Article 15 - Accuracy, robustness and cybersecurity
  • Article 9 - Risk management system
ISO 42001
  • A.6.2 - AI System Lifecycle — Development and Acquisition
  • A.6.2.6 - AI system security and resilience
  • A.9.4 - AI System Security
NIST AI RMF
  • GOVERN-1.7 - AI Risk Policies and Procedures
  • MANAGE-2.2 - Risk Treatment
OWASP LLM Top 10
  • LLM03:2025 - Supply Chain Vulnerabilities
  • LLM06:2025 - Excessive Agency
  • LLM07 - Insecure Plugin Design
  • LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-25056?

If your organization uses n8n for AI agent orchestration or workflow automation, treat this as critical regardless of the CVSS 8.8 rating — any authenticated user with workflow edit permissions can write arbitrary files to the server filesystem and achieve RCE. Patch immediately to n8n 1.118.0 or 2.4.0; if patching is delayed, restrict workflow creation and modification permissions to a minimal set of trusted users and audit existing workflows for Merge node SQL Query usage.

Is CVE-2026-25056 actively exploited?

No confirmed active exploitation of CVE-2026-25056 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-25056?

  1. PATCH: Update n8n to version 1.118.0 (v1 branch) or 2.4.0 (v2 branch) immediately.
  2. DETECT: Audit workflow logs and definitions for Merge nodes configured in SQL Query mode — query your n8n database for workflows containing this node type.
  3. RESTRICT: Apply least-privilege to workflow creation and modification permissions; only trusted users should be able to create or modify workflows.
  4. MONITOR: Alert on unexpected file creation events in the n8n server filesystem, particularly in web root directories, temp folders, or application directories.
  5. INVENTORY: Enumerate all credentials and API keys stored in n8n workflows and rotate any that may have been exposed post-incident.
  6. NETWORK: Place n8n behind a VPN or internal-only access policy; it should not be internet-exposed without strong authentication controls.

What systems are affected by CVE-2026-25056?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow automation, LLM tool integration platforms, RAG pipelines.

What is the CVSS score for CVE-2026-25056?

CVE-2026-25056 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.66%.

What is the AI security impact?

Affected AI Architectures

  • agent frameworks
  • AI workflow automation
  • LLM tool integration platforms
  • RAG pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration
AML.T0108 AI Agent

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2, A.6.2.6, A.9.4
NIST AI RMF: GOVERN-1.7, MANAGE-2.2
OWASP LLM Top 10: LLM03:2025, LLM06:2025, LLM07, LLM08

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to versions 1.118.0 and 2.4.0, a vulnerability in the Merge node's SQL Query mode allowed authenticated users with permission to create or modify workflows to write arbitrary files to the n8n server's filesystem potentially leading to remote code execution. This issue has been patched in versions 1.118.0 and 2.4.0.

Exploitation Scenario

An adversary with a low-privilege n8n account — obtained through phishing a developer, credential stuffing, or insider access — creates or modifies a workflow containing a Merge node configured in SQL Query mode. By crafting a malicious SQL query payload, they write a web shell or malicious script to a writable directory on the n8n server filesystem. If n8n is deployed with write access to a web-served directory, the shell becomes immediately accessible. In AI-specific contexts, the attacker can overwrite n8n workflow configuration files to inject malicious tool definitions into existing AI agent workflows, causing the agent to exfiltrate data or execute adversary-controlled commands every time a legitimate user triggers the workflow. This creates a persistent, stealthy compromise of the entire AI agent orchestration layer without requiring any further user interaction.

Weaknesses (CWE)

CWE-434 — Unrestricted Upload of File with Dangerous Type: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

  • [Architecture and Design] Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]
  • [Architecture and Design] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
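The two mitigations in the list above, as an added defensive example that is neither n8n code nor taken from the CWE entry: files are written under a server-generated random name whose extension comes from a fixed content-type map, and downloads are resolved through an id-to-path map, so no client-supplied filename or path ever reaches the filesystem. The storage directory, the content-type table and the `demo()` harness are illustrative assumptions.

```python
"""CWE-434 mitigations: server-generated filenames and id-to-file mapping.

Added example, not n8n code. The content-type table and storage layout are
assumptions chosen for illustration.
"""
import os
import secrets
import tempfile
from pathlib import Path

# The server picks the extension from this fixed map; a client can neither
# supply an extension nor upload a type that is missing from it.
ALLOWED_TYPES = {"text/csv": ".csv", "application/json": ".json"}


class UploadRejected(ValueError):
    """Raised for a disallowed content type or an unknown file id."""


def store_upload(storage_dir, content_type, data):
    """Write `data` under a fresh random name and return the new file id."""
    ext = ALLOWED_TYPES.get(content_type)
    if ext is None:
        raise UploadRejected(f"content type not allowed: {content_type}")
    storage = Path(storage_dir).resolve()
    storage.mkdir(parents=True, exist_ok=True)
    file_id = secrets.token_hex(16)            # 32 hex chars, no client input
    target = storage / f"{file_id}{ext}"
    # O_EXCL refuses to overwrite an existing file even if the name collides;
    # 0o600 keeps the stored file private to the service account.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return file_id


def build_index(storage_dir):
    """Map known file ids to their real paths; lookups only go through this map."""
    storage = Path(storage_dir).resolve()
    return {p.stem: p for p in storage.iterdir() if p.is_file()}


def resolve_download(index, file_id):
    """Return the path for a known id; any other input (including '../') is rejected."""
    try:
        return index[file_id]
    except KeyError:
        raise UploadRejected("unknown file id") from None


def demo():
    """Exercise both mitigations in a temporary directory and report the outcomes."""
    payload = b"id,name\n1,alice\n"
    with tempfile.TemporaryDirectory() as tmp:
        file_id = store_upload(tmp, "text/csv", payload)
        index = build_index(tmp)
        roundtrip = resolve_download(index, file_id).read_bytes() == payload
        try:  # a script type is not in the map, so it is never written
            store_upload(tmp, "application/x-httpd-php", b"<?php echo 'x'; ?>")
            script_rejected = False
        except UploadRejected:
            script_rejected = True
        try:  # a traversal string is simply not a key in the map
            resolve_download(index, "../../etc/passwd")
            traversal_rejected = False
        except UploadRejected:
            traversal_rejected = True
    return {"id_len": len(file_id), "roundtrip": roundtrip,
            "script_rejected": script_rejected, "traversal_rejected": traversal_rejected}


if __name__ == "__main__":
    print(demo())
```

The index is rebuilt from the directory listing rather than trusting anything in the request, which is the "fixed set of known objects" pattern from the second bullet; in a long-running service it would normally live in a database keyed by the same server-generated id.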

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
February 4, 2026
Last Modified
February 5, 2026
First Seen
February 4, 2026

Related Vulnerabilities