CVE-2026-25115 — CRITICAL (CVSS 9.9) AI Security Vulnerability

CISO Take

CVE-2026-25115 is a critical (CVSS 9.9) sandbox escape in n8n's Python Code node — any authenticated user can execute arbitrary code on the host OS. If your teams use n8n to orchestrate AI agents or LLM pipelines, patch to v2.4.8 immediately: every API key and secret stored in n8n workflows is exposed. Low complexity + network accessible = active exploitation is a matter of when, not if.

Risk Assessment

CRITICAL. Full scope impact: low-privilege network attacker, zero user interaction, changed scope (C:H/I:H/A:H). n8n is increasingly deployed as AI agent orchestration infrastructure with privileged access to LLM API keys (OpenAI, Anthropic), vector databases, and SaaS integrations. A single compromised instance can pivot to the entire AI stack. Cloud-hosted and multi-tenant n8n deployments face cross-tenant contamination risk, elevating exposure beyond single-org impact.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	—	No patch
186.5K OpenSSF 6.0 16 dependents Pushed 6d ago 40% patched ~3d to patch Full package profile →

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1

9.9 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 20% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR Low

UI None

S Changed

C High

I High

A High

Recommended Action

1 step

1) PATCH: Upgrade to n8n v2.4.8 immediately — the only complete fix. 2) WORKAROUND (pre-patch): Disable Python Code nodes or restrict workflow editor access to trusted admins only via n8n RBAC. 3) ROTATE: After patching, rotate all credentials stored in n8n (LLM API keys, DB connections, SaaS integrations) — assume compromise if any untrusted users had Python node access. 4) DETECT: Monitor n8n worker process logs for unexpected subprocess spawning, outbound connections to unknown hosts, or file system access outside /home/node; alert on process tree anomalies from the n8n container/process. 5) ISOLATE: Run n8n in a hardened container with restricted network egress, read-only file system where possible, and no host-level capabilities. 6) AUDIT: Review workflow editor permissions — this exploit requires only authenticated access, not admin role.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Auth Bypass Data Extraction Agent Framework Plugin AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials AML.T0072 - Reverse Shell AML.T0083 - Credentials from AI Agent Configuration AML.T0105 - Escape to Host

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.4 - AI system security controls A.6.2 - AI system design and development security A.9.3 - Vulnerability management for AI systems

NIST AI RMF

GOVERN 6.1 - Policies for AI supply chain and third-party risk MANAGE 2.2 - Mechanisms to sustain AI risk management

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities LLM06 - Excessive Agency LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-25115?

CVE-2026-25115 is a critical (CVSS 9.9) sandbox escape in n8n's Python Code node — any authenticated user can execute arbitrary code on the host OS. If your teams use n8n to orchestrate AI agents or LLM pipelines, patch to v2.4.8 immediately: every API key and secret stored in n8n workflows is exposed. Low complexity + network accessible = active exploitation is a matter of when, not if.

Is CVE-2026-25115 actively exploited?

No confirmed active exploitation of CVE-2026-25115 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-25115?

1) PATCH: Upgrade to n8n v2.4.8 immediately — the only complete fix. 2) WORKAROUND (pre-patch): Disable Python Code nodes or restrict workflow editor access to trusted admins only via n8n RBAC. 3) ROTATE: After patching, rotate all credentials stored in n8n (LLM API keys, DB connections, SaaS integrations) — assume compromise if any untrusted users had Python node access. 4) DETECT: Monitor n8n worker process logs for unexpected subprocess spawning, outbound connections to unknown hosts, or file system access outside /home/node; alert on process tree anomalies from the n8n container/process. 5) ISOLATE: Run n8n in a hardened container with restricted network egress, read-only file system where possible, and no host-level capabilities. 6) AUDIT: Review workflow editor permissions — this exploit requires only authenticated access, not admin role.

What systems are affected by CVE-2026-25115?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration pipelines, RAG pipelines, automation pipelines, multi-agent systems.

What is the CVSS score for CVE-2026-25115?

CVE-2026-25115 has a CVSS v3.1 base score of 9.9 (CRITICAL). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to version 2.4.8, a vulnerability in the Python Code node allows authenticated users to break out of the Python sandbox environment and execute code outside the intended security boundary. This issue has been patched in version 2.4.8.

Exploitation Scenario

An attacker with a low-privilege n8n account (contractor, trial user on a shared instance, compromised employee) creates a workflow containing a Python Code node. They craft Python that exploits the sandbox escape to execute OS commands — reading /proc/self/environ, n8n's encrypted credential store, or mounted secret volumes to extract LLM API keys and database credentials. With OpenAI/Anthropic keys, they run unauthorized AI workloads at the victim's expense. With vector DB credentials, they exfiltrate the full RAG corpus. With workflow edit access, they inject persistent malicious logic into existing agent pipelines — silently poisoning AI outputs for every downstream user. Entire exploit chain: under 60 seconds from authenticated login, no admin rights required.