CVE-2026-25115

CRITICAL

Published February 4, 2026

CISO Take

CVE-2026-25115 is a critical (CVSS 9.9) sandbox escape in n8n's Python Code node — any authenticated user can execute arbitrary code on the host OS. If your teams use n8n to orchestrate AI agents or LLM pipelines, patch to v2.4.8 immediately: every API key and secret stored in n8n workflows is exposed. Low complexity + network accessible = active exploitation is a matter of when, not if.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	—	No patch

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1

9.9 / 10

EPSS

N/A

KEV Status

Not in KEV

Sophistication

Trivial

Recommended Action

1) PATCH: Upgrade to n8n v2.4.8 immediately — the only complete fix. 2) WORKAROUND (pre-patch): Disable Python Code nodes or restrict workflow editor access to trusted admins only via n8n RBAC. 3) ROTATE: After patching, rotate all credentials stored in n8n (LLM API keys, DB connections, SaaS integrations) — assume compromise if any untrusted users had Python node access. 4) DETECT: Monitor n8n worker process logs for unexpected subprocess spawning, outbound connections to unknown hosts, or file system access outside /home/node; alert on process tree anomalies from the n8n container/process. 5) ISOLATE: Run n8n in a hardened container with restricted network egress, read-only file system where possible, and no host-level capabilities. 6) AUDIT: Review workflow editor permissions — this exploit requires only authenticated access, not admin role.

Classification

Code Execution Auth Bypass Data Extraction Agent Framework Plugin AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials AML.T0072 - Reverse Shell AML.T0083 - Credentials from AI Agent Configuration AML.T0105 - Escape to Host

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.4 - AI system security controls A.6.2 - AI system design and development security A.9.3 - Vulnerability management for AI systems

NIST AI RMF

GOVERN 6.1 - Policies for AI supply chain and third-party risk MANAGE 2.2 - Mechanisms to sustain AI risk management

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities LLM06 - Excessive Agency LLM06:2025 - Excessive Agency

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to version 2.4.8, a vulnerability in the Python Code node allows authenticated users to break out of the Python sandbox environment and execute code outside the intended security boundary. This issue has been patched in version 2.4.8.

Exploitation Scenario

An attacker with a low-privilege n8n account (contractor, trial user on a shared instance, compromised employee) creates a workflow containing a Python Code node. They craft Python that exploits the sandbox escape to execute OS commands — reading /proc/self/environ, n8n's encrypted credential store, or mounted secret volumes to extract LLM API keys and database credentials. With OpenAI/Anthropic keys, they run unauthorized AI workloads at the victim's expense. With vector DB credentials, they exfiltrate the full RAG corpus. With workflow edit access, they inject persistent malicious logic into existing agent pipelines — silently poisoning AI outputs for every downstream user. Entire exploit chain: under 60 seconds from authenticated login, no admin rights required.

Weaknesses (CWE)

CWE-693 Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References

github.com/n8n-io/n8n/security/advisories/GHSA-8398-gmmx-564h
Vendor

Timeline

Published

February 4, 2026

Last Modified

February 5, 2026

First Seen

February 4, 2026

Back to Threat Feed