CVE-2026-25055 (GCVE-0-2026-25055)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:47 – Updated: 2026-02-05 14:33
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| URL | Tags |
|---|---|
| https://github.com/n8n-io/n8n/security/advisories… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25055",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T14:20:20.248981Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T14:33:32.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n8n",
"vendor": "n8n-io",
"versions": [
{
"status": "affected",
"version": "\u003c 1.123.12"
},
{
"status": "affected",
"version": "\u003c 2.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata the vulnerability can lead to files being written to unintended locations on those remote systems potentially leading to remote code execution on those systems. As a prerequisites an unauthenticated attacker needs knowledge of such workflows existing and the endpoints for file uploads need to be unauthenticated. This issue has been patched in versions 1.123.12 and 2.4.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:47:47.239Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9"
}
],
"source": {
"advisory": "GHSA-m82q-59gv-mcr9",
"discovery": "UNKNOWN"
},
"title": "n8n Arbitrary File Write on Remote Systems via SSH Node"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25055",
"datePublished": "2026-02-04T16:47:47.239Z",
"dateReserved": "2026-01-28T14:50:47.888Z",
"dateUpdated": "2026-02-05T14:33:32.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-25055",
"date": "2026-05-14",
"epss": "0.00168",
"percentile": "0.37553"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-25055\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-04T17:16:23.513\",\"lastModified\":\"2026-02-05T20:41:47.613\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata the vulnerability can lead to files being written to unintended locations on those remote systems potentially leading to remote code execution on those systems. As a prerequisites an unauthenticated attacker needs knowledge of such workflows existing and the endpoints for file uploads need to be unauthenticated. This issue has been patched in versions 1.123.12 and 2.4.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"1.123.12\",\"matchCriteriaId\":\"80A5866A-294B-4650-98FA-EAF8A4E8BD88\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.4.0f\",\"matchCriteriaId\":\"51DB9894-8CFF-4098-BFBD-769C12893E95\"}]}]}],\"references\":[{\"url\":\"https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25055\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-05T14:20:20.248981Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-05T14:20:20.942Z\"}}], \"cna\": {\"title\": \"n8n Arbitrary File Write on Remote Systems via SSH Node\", \"source\": {\"advisory\": \"GHSA-m82q-59gv-mcr9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"n8n-io\", \"product\": \"n8n\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.123.12\"}, {\"status\": \"affected\", \"version\": \"\u003c 2.4.0\"}]}], \"references\": [{\"url\": \"https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9\", \"name\": \"https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata the vulnerability can lead to files being written to unintended locations on those remote systems potentially leading to remote code execution on those systems. As a prerequisites an unauthenticated attacker needs knowledge of such workflows existing and the endpoints for file uploads need to be unauthenticated. This issue has been patched in versions 1.123.12 and 2.4.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-04T16:47:47.239Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-25055\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-05T14:33:32.501Z\", \"dateReserved\": \"2026-01-28T14:50:47.888Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-04T16:47:47.239Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
NCSC-2026-0049
Vulnerability from csaf_ncscnl - Published: 2026-02-09 10:39 - Updated: 2026-02-09 10:39
n8n's task runner had a vulnerability allowing untrusted code to allocate uninitialized memory, which has been patched in versions 1.114.3 and 1.115.0 by ensuring zero-filled buffer allocations.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| N8N / N8N | vers:unknown/* | vers:unknown/* | |
Recent updates in n8n versions 1.123.17 and 2.5.2 address a vulnerability allowing authenticated users to execute unintended system commands through expression evaluation exploits.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| N8N / N8N | vers:unknown/* | vers:unknown/* | |
A Cross-site Scripting (XSS) vulnerability in n8n's webhook response handling, affecting versions prior to 1.123.2, has been patched to prevent authenticated users from executing malicious scripts.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| N8N / N8N | vers:unknown/* | vers:unknown/* | |
A vulnerability in n8n's file access controls allows authenticated users to read sensitive files, leading to potential account takeovers, but has been patched in versions 1.123.18 and 2.5.0.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| N8N / N8N | vers:unknown/* | vers:unknown/* | |
Vulnerabilities in the Git node of n8n, an open-source workflow automation platform, allowed authenticated users to execute arbitrary commands or read files, which have been addressed in versions 1.123.10 and 2.5.0.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| N8N / N8N | vers:unknown/* | vers:unknown/* | |
n8n's markdown rendering component had an XSS vulnerability allowing authenticated users to execute scripts, which has been patched in versions 2.2.1 and 1.123.9.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| N8N / N8N | vers:unknown/* | vers:unknown/* | |
A vulnerability in n8n versions prior to 1.123.12 and 2.4.0 allows unauthenticated attackers to exploit workflows processing uploaded files via SSH, potentially leading to remote code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| N8N / N8N | vers:unknown/* | vers:unknown/* | |
A vulnerability in n8n's Merge node's SQL Query mode allowed authenticated users to write arbitrary files to the server, potentially enabling remote code execution, which has been addressed in versions 1.118.0 and 2.4.0.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| N8N / N8N | vers:unknown/* | vers:unknown/* | |
A vulnerability in the Python Code node of n8n allowed authenticated users to escape the sandbox environment, but it has been patched in version 2.4.8.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| N8N / N8N | vers:unknown/* | vers:unknown/* | |
n8n's community package installation had a command injection vulnerability allowing administrative users to execute arbitrary commands, now patched in version 1.120.3 with no reported exploitation.
CWE-20 - Improper Input Validation
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| N8N / N8N | vers:unknown/* | vers:unknown/* | |
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "n8n heeft kwetsbaarheden verholpen in versies 1.114.3, 1.115.0, 1.123.17, 2.5.2, 1.122.5, 1.123.2, 1.123.18, 2.5.0, 1.123.10, 2.5.0, 2.2.1, 1.123.9, 1.123.12, 2.4.0, 1.118.0, 2.4.0, 2.4.8, en 1.120.3.",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden omvatten onder andere het gebruik van `Buffer.allocUnsafe()` en `Buffer.allocUnsafeSlow()`, wat kan leiden tot informatie openbaarmaking. Daarnaast zijn er kwetsbaarheden in de expressie-evaluatiefuncties die geauthenticeerde gebruikers in staat stellen om ongewenste systeemcommando\u0027s uit te voeren. Er zijn ook Cross-site Scripting (XSS) kwetsbaarheden ontdekt in de webhook-responsverwerking en de markdown-renderingcomponent, die kunnen leiden tot sessieovername. Verder zijn er kwetsbaarheden in de bestandsaccesscontrols en de Git-node, die het mogelijk maken voor geauthenticeerde gebruikers om gevoelige bestanden te lezen en willekeurige commando\u0027s uit te voeren. Een andere kwetsbaarheid stelt ongeauthenticeerde aanvallers in staat om workflows te exploiteren die ge\u00fcploade bestanden via SSH verwerken, wat kan leiden tot remote code execution. Bovendien is er een kwetsbaarheid in de Merge-node\u0027s SQL Query-modus, en in de Python Code-node die het mogelijk maakt om de sandbox-omgeving te ontsnappen. Tot slot is er een command injection-kwetsbaarheid in de community package installatie.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "n8n heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "general",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "general",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "general",
"text": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"title": "CWE-80"
},
{
"category": "general",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "general",
"text": "Time-of-check Time-of-use (TOCTOU) Race Condition",
"title": "CWE-367"
},
{
"category": "general",
"text": "Unrestricted Upload of File with Dangerous Type",
"title": "CWE-434"
},
{
"category": "general",
"text": "Exposure of Resource to Wrong Sphere",
"title": "CWE-668"
},
{
"category": "general",
"text": "Protection Mechanism Failure",
"title": "CWE-693"
},
{
"category": "general",
"text": "Improper Control of Dynamically-Managed Code Resources",
"title": "CWE-913"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://github.com/advisories/GHSA-49mx-fj45-q3p6"
},
{
"category": "external",
"summary": "Reference",
"url": "https://github.com/advisories/GHSA-6cqr-8cfr-67f8"
},
{
"category": "external",
"summary": "Reference",
"url": "https://github.com/advisories/GHSA-7c4h-vh2m-743m"
},
{
"category": "external",
"summary": "Reference",
"url": "https://github.com/advisories/GHSA-825q-w924-xhgx"
},
{
"category": "external",
"summary": "Reference",
"url": "https://github.com/advisories/GHSA-8398-gmmx-564h"
},
{
"category": "external",
"summary": "Reference",
"url": "https://github.com/advisories/GHSA-9g95-qf3f-ggrw"
},
{
"category": "external",
"summary": "Reference",
"url": "https://github.com/advisories/GHSA-gfvg-qv54-r4pc"
},
{
"category": "external",
"summary": "Reference",
"url": "https://github.com/advisories/GHSA-hv53-3329-vmrm"
},
{
"category": "external",
"summary": "Reference",
"url": "https://github.com/advisories/GHSA-m82q-59gv-mcr9"
},
{
"category": "external",
"summary": "Reference",
"url": "https://github.com/advisories/GHSA-qpq4-pw7f-pp8w"
}
],
"title": "Kwetsbaarheden verholpen in n8n",
"tracking": {
"current_release_date": "2026-02-09T10:39:40.792744Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.3"
}
},
"id": "NCSC-2026-0049",
"initial_release_date": "2026-02-09T10:39:40.792744Z",
"revision_history": [
{
"date": "2026-02-09T10:39:40.792744Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "N8N"
}
],
"category": "vendor",
"name": "N8N"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61917",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"notes": [
{
"category": "other",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "other",
"text": "Exposure of Resource to Wrong Sphere",
"title": "CWE-668"
},
{
"category": "description",
"text": "n8n\u0027s task runner had a vulnerability allowing untrusted code to allocate uninitialized memory, which has been patched in versions 1.114.3 and 1.115.0 by ensuring zero-filled buffer allocations.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-61917 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-61917.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-61917"
},
{
"cve": "CVE-2026-25049",
"cwe": {
"id": "CWE-913",
"name": "Improper Control of Dynamically-Managed Code Resources"
},
"notes": [
{
"category": "other",
"text": "Improper Control of Dynamically-Managed Code Resources",
"title": "CWE-913"
},
{
"category": "description",
"text": "Recent updates in n8n versions 1.123.17 and 2.5.2 address a vulnerability allowing authenticated users to execute unintended system commands through expression evaluation exploits.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-25049 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-25049.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2026-25049"
},
{
"cve": "CVE-2026-25051",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "description",
"text": "A Cross-site Scripting (XSS) vulnerability in n8n\u0027s webhook response handling, affecting versions prior to 1.123.2, has been patched to prevent authenticated users from executing malicious scripts.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-25051 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-25051.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2026-25051"
},
{
"cve": "CVE-2026-25052",
"cwe": {
"id": "CWE-367",
"name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
},
"notes": [
{
"category": "other",
"text": "Time-of-check Time-of-use (TOCTOU) Race Condition",
"title": "CWE-367"
},
{
"category": "description",
"text": "A vulnerability in n8n\u0027s file access controls allows authenticated users to read sensitive files, leading to potential account takeovers, but has been patched in versions 1.123.18 and 2.5.0.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-25052 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-25052.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2026-25052"
},
{
"cve": "CVE-2026-25053",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "description",
"text": "Vulnerabilities in the Git node of n8n, an open-source workflow automation platform, allowed authenticated users to execute arbitrary commands or read files, which have been addressed in versions 1.123.10 and 2.5.0.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-25053 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-25053.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2026-25053"
},
{
"cve": "CVE-2026-25054",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "other",
"text": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"title": "CWE-80"
},
{
"category": "description",
"text": "n8n\u0027s markdown rendering component had an XSS vulnerability allowing authenticated users to execute scripts, which has been patched in versions 2.2.1 and 1.123.9.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-25054 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-25054.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2026-25054"
},
{
"cve": "CVE-2026-25055",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "description",
"text": "A vulnerability in n8n versions prior to 1.123.12 and 2.4.0 allows unauthenticated attackers to exploit workflows processing uploaded files via SSH, potentially leading to remote code execution.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-25055 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-25055.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2026-25055"
},
{
"cve": "CVE-2026-25056",
"cwe": {
"id": "CWE-434",
"name": "Unrestricted Upload of File with Dangerous Type"
},
"notes": [
{
"category": "other",
"text": "Unrestricted Upload of File with Dangerous Type",
"title": "CWE-434"
},
{
"category": "other",
"text": "Protection Mechanism Failure",
"title": "CWE-693"
},
{
"category": "description",
"text": "A vulnerability in n8n\u0027s Merge node\u0027s SQL Query mode allowed authenticated users to write arbitrary files to the server, potentially enabling remote code execution, which has been addressed in versions 1.118.0 and 2.4.0.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-25056 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-25056.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2026-25056"
},
{
"cve": "CVE-2026-25115",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"notes": [
{
"category": "other",
"text": "Protection Mechanism Failure",
"title": "CWE-693"
},
{
"category": "description",
"text": "A vulnerability in the Python Code node of n8n allowed authenticated users to escape the sandbox environment, but it has been patched in version 2.4.8.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-25115 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-25115.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2026-25115"
},
{
"cve": "CVE-2026-21893",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "description",
"text": "n8n\u0027s community package installation had a command injection vulnerability allowing administrative users to execute arbitrary commands, now patched in version 1.120.3 with no reported exploitation.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-21893 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-21893.json"
}
],
"title": "CVE-2026-21893"
}
]
}
FKIE_CVE-2026-25055
Vulnerability from fkie_nvd - Published: 2026-02-04 17:16 - Updated: 2026-02-05 20:41
| Source | URL | Tags |
|---|---|---|
| security-advisories@github.com | https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9 | Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "80A5866A-294B-4650-98FA-EAF8A4E8BD88",
"versionEndExcluding": "1.123.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "51DB9894-8CFF-4098-BFBD-769C12893E95",
"versionEndExcluding": "2.4.0f",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata, the vulnerability can lead to files being written to unintended locations on those remote systems, potentially leading to remote code execution on those systems. As prerequisites, an unauthenticated attacker needs knowledge that such workflows exist, and the endpoints for file uploads need to be unauthenticated. This issue has been patched in versions 1.123.12 and 2.4.0."
}
],
"id": "CVE-2026-25055",
"lastModified": "2026-02-05T20:41:47.613",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-02-04T17:16:23.513",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
WID-SEC-W-2026-0318
Vulnerability from csaf_certbund - Published: 2026-02-04 23:00 - Updated: 2026-03-26 23:00
Affected products per vulnerability (product n8n / n8n in every row; the product tree pairs each range with the version at its upper bound as the fixed product, for example <2.4.8 with 2.4.8, so the remediation for a range is the version that closes it):
| Vulnerability | Product | Affected version ranges |
|---|---|---|
| CVE-2025-61917 | n8n / n8n | <1.114.3 |
| CVE-2026-25049 | n8n / n8n | <1.114.3, <1.118.0, <1.120.3, <1.123.2, <1.123.9, <1.123.10, <1.123.12, <1.123.17, <2.2.1, <2.4.0, <2.4.8, <2.5.0, <2.5.2 |
| CVE-2026-25051 | n8n / n8n | <1.114.3, <1.118.0, <1.120.3, <1.123.2 |
| CVE-2026-25052 | n8n / n8n | <1.114.3, <1.118.0, <1.120.3, <1.123.2, <1.123.9, <1.123.10, <1.123.12, <1.123.17, <1.123.18, <2.2.1, <2.4.0, <2.4.8, <2.5.0 |
| CVE-2026-25053 | n8n / n8n | <1.114.3, <1.118.0, <1.120.3, <1.123.2, <1.123.9, <1.123.10, <2.2.1, <2.4.0, <2.4.8, <2.5.0 |
| CVE-2026-25054 | n8n / n8n | <1.114.3, <1.118.0, <1.120.3, <1.123.2, <1.123.9, <2.2.1 |
| CVE-2026-25055 | n8n / n8n | <1.114.3, <1.118.0, <1.120.3, <1.123.2, <1.123.9, <1.123.12, <2.2.1, <2.4.0 |
| CVE-2026-25056 | n8n / n8n | <1.114.3, <1.118.0, <2.2.1, <2.4.0 |
| CVE-2026-25115 | n8n / n8n | <2.2.1, <2.4.8 |
| CVE-2026-21893 | n8n / n8n | <1.114.3, <1.118.0, <1.120.3 |
{
"document": {
"aggregate_severity": {
"text": "high"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "The BSI, as a provider, is responsible under the general laws for its own content made available for use. Users, however, are responsible for carefully examining, in each individual case, the use and/or implementation of the information provided with the content."
},
{
"category": "description",
"text": "n8n is a workflow automation tool that connects different applications and services with one another to automate tasks.",
"title": "Product description"
},
{
"category": "summary",
"text": "A remote attacker, authenticated or anonymous, can exploit multiple vulnerabilities in n8n to execute arbitrary code, gain elevated privileges, carry out cross-site scripting attacks and disclose confidential information. Some of these vulnerabilities enable further attacks, such as account takeover, session hijacking and complete compromise of the system.",
"title": "Attack"
},
{
"category": "general",
"text": "- Other\n- UNIX\n- Windows",
"title": "Affected operating systems"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0318 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0318.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0318 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0318"
},
{
"category": "external",
"summary": "n8n GitHub dated 2026-02-04",
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8"
},
{
"category": "external",
"summary": "n8n GitHub dated 2026-02-04",
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-7c4h-vh2m-743m"
},
{
"category": "external",
"summary": "n8n GitHub dated 2026-02-04",
"url": "https://github.com/advisories/GHSA-49mx-fj45-q3p6"
},
{
"category": "external",
"summary": "n8n GitHub dated 2026-02-04",
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-8398-gmmx-564h"
},
{
"category": "external",
"summary": "n8n GitHub dated 2026-02-04",
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-hv53-3329-vmrm"
},
{
"category": "external",
"summary": "n8n GitHub dated 2026-02-04",
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9"
},
{
"category": "external",
"summary": "n8n GitHub dated 2026-02-04",
"url": "https://github.com/advisories/GHSA-qpq4-pw7f-pp8w"
},
{
"category": "external",
"summary": "n8n GitHub dated 2026-02-04",
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-9g95-qf3f-ggrw"
},
{
"category": "external",
"summary": "n8n GitHub dated 2026-02-04",
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-gfvg-qv54-r4pc"
},
{
"category": "external",
"summary": "n8n GitHub dated 2026-02-04",
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-825q-w924-xhgx"
},
{
"category": "external",
"summary": "PoC CVE-2026-25049 dated 2026-02-04",
"url": "https://www.pillar.security/blog/n8n-sandbox-escape-critical-vulnerabilities-in-n8n-exposes-hundreds-of-thousands-of-enterprise-ai-systems-to-complete-takeover"
}
],
"source_lang": "en-US",
"title": "n8n: Multiple vulnerabilities",
"tracking": {
"current_release_date": "2026-03-26T23:00:00.000+00:00",
"generator": {
"date": "2026-03-27T09:11:16.781+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0318",
"initial_release_date": "2026-02-04T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-02-04T23:00:00.000+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-02-05T23:00:00.000+00:00",
"number": "2",
"summary": "Duplicate entry removed"
},
{
"date": "2026-03-26T23:00:00.000+00:00",
"number": "3",
"summary": "Reference(s) added: EUVD-2026-16177"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c2.4.8",
"product": {
"name": "n8n n8n \u003c2.4.8",
"product_id": "T050537"
}
},
{
"category": "product_version",
"name": "2.4.8",
"product": {
"name": "n8n n8n 2.4.8",
"product_id": "T050537-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:n8n:n8n:2.4.8"
}
}
},
{
"category": "product_version_range",
"name": "\u003c1.120.3",
"product": {
"name": "n8n n8n \u003c1.120.3",
"product_id": "T050538"
}
},
{
"category": "product_version",
"name": "1.120.3",
"product": {
"name": "n8n n8n 1.120.3",
"product_id": "T050538-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:n8n:n8n:1.120.3"
}
}
},
{
"category": "product_version_range",
"name": "\u003c2.5.0",
"product": {
"name": "n8n n8n \u003c2.5.0",
"product_id": "T050539"
}
},
{
"category": "product_version",
"name": "2.5.0",
"product": {
"name": "n8n n8n 2.5.0",
"product_id": "T050539-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:n8n:n8n:2.5.0"
}
}
},
{
"category": "product_version_range",
"name": "\u003c1.123.10",
"product": {
"name": "n8n n8n \u003c1.123.10",
"product_id": "T050540"
}
},
{
"category": "product_version",
"name": "1.123.10",
"product": {
"name": "n8n n8n 1.123.10",
"product_id": "T050540-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:n8n:n8n:1.123.10"
}
}
},
{
"category": "product_version_range",
"name": "\u003c2.5.2",
"product": {
"name": "n8n n8n \u003c2.5.2",
"product_id": "T050541"
}
},
{
"category": "product_version",
"name": "2.5.2",
"product": {
"name": "n8n n8n 2.5.2",
"product_id": "T050541-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:n8n:n8n:2.5.2"
}
}
},
{
"category": "product_version_range",
"name": "\u003c1.123.17",
"product": {
"name": "n8n n8n \u003c1.123.17",
"product_id": "T050542"
}
},
{
"category": "product_version",
"name": "1.123.17",
"product": {
"name": "n8n n8n 1.123.17",
"product_id": "T050542-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:n8n:n8n:1.123.17"
}
}
},
{
"category": "product_version_range",
"name": "\u003c1.114.3",
"product": {
"name": "n8n n8n \u003c1.114.3",
"product_id": "T050543"
}
},
{
"category": "product_version",
"name": "1.114.3",
"product": {
"name": "n8n n8n 1.114.3",
"product_id": "T050543-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:n8n:n8n:1.114.3"
}
}
},
{
"category": "product_version_range",
"name": "\u003c2.4.0",
"product": {
"name": "n8n n8n \u003c2.4.0",
"product_id": "T050544"
}
},
{
"category": "product_version",
"name": "2.4.0",
"product": {
"name": "n8n n8n 2.4.0",
"product_id": "T050544-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:n8n:n8n:2.4.0"
}
}
},
{
"category": "product_version_range",
"name": "\u003c1.118.0",
"product": {
"name": "n8n n8n \u003c1.118.0",
"product_id": "T050545"
}
},
{
"category": "product_version",
"name": "1.118.0",
"product": {
"name": "n8n n8n 1.118.0",
"product_id": "T050545-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:n8n:n8n:1.118.0"
}
}
},
{
"category": "product_version_range",
"name": "\u003c1.123.12",
"product": {
"name": "n8n n8n \u003c1.123.12",
"product_id": "T050546"
}
},
{
"category": "product_version",
"name": "1.123.12",
"product": {
"name": "n8n n8n 1.123.12",
"product_id": "T050546-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:n8n:n8n:1.123.12"
}
}
},
{
"category": "product_version_range",
"name": "\u003c1.123.18",
"product": {
"name": "n8n n8n \u003c1.123.18",
"product_id": "T050547"
}
},
{
"category": "product_version",
"name": "1.123.18",
"product": {
"name": "n8n n8n 1.123.18",
"product_id": "T050547-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:n8n:n8n:1.123.18"
}
}
},
{
"category": "product_version_range",
"name": "\u003c2.2.1",
"product": {
"name": "n8n n8n \u003c2.2.1",
"product_id": "T050548"
}
},
{
"category": "product_version",
"name": "2.2.1",
"product": {
"name": "n8n n8n 2.2.1",
"product_id": "T050548-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:n8n:n8n:2.2.1"
}
}
},
{
"category": "product_version_range",
"name": "\u003c1.123.9",
"product": {
"name": "n8n n8n \u003c1.123.9",
"product_id": "T050549"
}
},
{
"category": "product_version",
"name": "1.123.9",
"product": {
"name": "n8n n8n 1.123.9",
"product_id": "T050549-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:n8n:n8n:1.123.9"
}
}
},
{
"category": "product_version_range",
"name": "\u003c1.123.2",
"product": {
"name": "n8n n8n \u003c1.123.2",
"product_id": "T050550"
}
},
{
"category": "product_version",
"name": "1.123.2",
"product": {
"name": "n8n n8n 1.123.2",
"product_id": "T050550-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:n8n:n8n:1.123.2"
}
}
}
],
"category": "product_name",
"name": "n8n"
}
],
"category": "vendor",
"name": "n8n"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61917",
"product_status": {
"known_affected": [
"T050543"
]
},
"release_date": "2026-02-04T23:00:00.000+00:00",
"title": "CVE-2025-61917"
},
{
"cve": "CVE-2026-25049",
"product_status": {
"known_affected": [
"T050543",
"T050542",
"T050545",
"T050544",
"T050550",
"T050541",
"T050540",
"T050539",
"T050546",
"T050538",
"T050549",
"T050537",
"T050548"
]
},
"release_date": "2026-02-04T23:00:00.000+00:00",
"title": "CVE-2026-25049"
},
{
"cve": "CVE-2026-25051",
"product_status": {
"known_affected": [
"T050538",
"T050543",
"T050545",
"T050550"
]
},
"release_date": "2026-02-04T23:00:00.000+00:00",
"title": "CVE-2026-25051"
},
{
"cve": "CVE-2026-25052",
"product_status": {
"known_affected": [
"T050543",
"T050542",
"T050545",
"T050544",
"T050550",
"T050540",
"T050539",
"T050547",
"T050546",
"T050538",
"T050549",
"T050537",
"T050548"
]
},
"release_date": "2026-02-04T23:00:00.000+00:00",
"title": "CVE-2026-25052"
},
{
"cve": "CVE-2026-25053",
"product_status": {
"known_affected": [
"T050539",
"T050538",
"T050549",
"T050537",
"T050548",
"T050543",
"T050545",
"T050544",
"T050550",
"T050540"
]
},
"release_date": "2026-02-04T23:00:00.000+00:00",
"title": "CVE-2026-25053"
},
{
"cve": "CVE-2026-25054",
"product_status": {
"known_affected": [
"T050538",
"T050549",
"T050548",
"T050543",
"T050545",
"T050550"
]
},
"release_date": "2026-02-04T23:00:00.000+00:00",
"title": "CVE-2026-25054"
},
{
"cve": "CVE-2026-25055",
"product_status": {
"known_affected": [
"T050546",
"T050538",
"T050549",
"T050548",
"T050543",
"T050545",
"T050544",
"T050550"
]
},
"release_date": "2026-02-04T23:00:00.000+00:00",
"title": "CVE-2026-25055"
},
{
"cve": "CVE-2026-25056",
"product_status": {
"known_affected": [
"T050548",
"T050543",
"T050545",
"T050544"
]
},
"release_date": "2026-02-04T23:00:00.000+00:00",
"title": "CVE-2026-25056"
},
{
"cve": "CVE-2026-25115",
"product_status": {
"known_affected": [
"T050548",
"T050537"
]
},
"release_date": "2026-02-04T23:00:00.000+00:00",
"title": "CVE-2026-25115"
},
{
"cve": "CVE-2026-21893",
"product_status": {
"known_affected": [
"T050538",
"T050543",
"T050545"
]
},
"release_date": "2026-02-04T23:00:00.000+00:00",
"title": "CVE-2026-21893"
}
]
}
GHSA-M82Q-59GV-MCR9
Vulnerability from github – Published: 2026-02-04 19:36 – Updated: 2026-02-04 19:36
Impact
When a workflow processes uploaded files and transfers them to a remote server via the SSH node without validating their metadata (CWE-22: a file name carrying path components is the classic vector), the files can be written to unintended locations on that remote system, potentially leading to remote code execution there.
As prerequisites, an unauthenticated attacker needs to know that such a workflow exists, and the endpoints that accept the file uploads must be unauthenticated.
Patches
The issue has been fixed in n8n versions 2.4.0 and 1.123.12. Users should upgrade to one of these versions or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Disable or restrict access to workflows that accept file uploads via webhooks and transfer them via SSH.
- Enable webhook authentication on all endpoints that handle file uploads.
- Review usage of SSH credentials and consider rotating SSH credentials if in doubt.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Resources
- n8n Documentation, Blocking nodes (https://docs.n8n.io/hosting/securing/blocking-nodes/): how to globally disable specific nodes
n8n has adopted CVSS 4.0 as the primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "n8n"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.4.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "n8n"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.123.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25055"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-04T19:36:29Z",
"nvd_published_at": "2026-02-04T17:16:23Z",
"severity": "HIGH"
},
"details": "## Impact\nWhen workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata, the vulnerability can lead to files being written to unintended locations on those remote systems, potentially leading to remote code execution on those systems.\n\nAs prerequisites, an unauthenticated attacker needs knowledge that such workflows exist, and the endpoints for file uploads need to be unauthenticated.\n\n## Patches\nThe issue has been fixed in n8n versions 2.4.0 and 1.123.12. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Disable or restrict access to workflows that accept file uploads via webhooks and transfer them via SSH.\n- Enable webhook authentication on all endpoints that handle file uploads.\n- Review usage of SSH credentials and consider rotating SSH credentials if in doubt.\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.\n\n## Resources\n- [n8n Documentation \u2014 Blocking nodes](https://docs.n8n.io/hosting/securing/blocking-nodes/)\u00a0\u2014 how to globally disable specific nodes\n\n---\n\nn8n has adopted CVSS 4.0 as the primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"id": "GHSA-m82q-59gv-mcr9",
"modified": "2026-02-04T19:36:29Z",
"published": "2026-02-04T19:36:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25055"
},
{
"type": "WEB",
"url": "https://github.com/n8n-io/n8n/commit/528ad6b982d0519ec170e172f57b7fdbbe175230"
},
{
"type": "WEB",
"url": "https://github.com/n8n-io/n8n/commit/e0baf48c6a54808f6dbca8cb352bfa306092c223"
},
{
"type": "PACKAGE",
"url": "https://github.com/n8n-io/n8n"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "n8n Vulnerable to Arbitrary File Write on Remote Systems via SSH Node"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.