Critical n8n Flaws Disclosed Along with Public Exploits
Summary:
Researchers at Pillar Security recently disclosed two maximum-severity sandbox escape vulnerabilities tracked as CVE-2026-25049 in n8n, a leading open-source workflow automation platform.
The vulnerabilities, which carry a perfect CVSS score of 10.0, stem from flaws in how n8n’s sandbox sanitizes JavaScript expressions. By using specifically crafted expressions, such as those involving template literals or unsanitized function arguments, an authenticated user can bypass security boundaries to execute arbitrary code on the host server. This "escape" allows attackers to break out of the restricted environment intended for workflow execution and gain the same privileges as the n8n process itself.
Security Officer Comments:
The impact of these vulnerabilities is critical because n8n often serves as a backbone for enterprise AI and cloud infrastructure. A successful exploit grants an attacker complete takeover of the server, providing immediate access to all environment variables and stored credentials. This includes high-value secrets such as API keys for OpenAI and Anthropic, AWS/cloud provider credentials, database passwords, and OAuth tokens.
In AI-heavy environments, attackers can intercept or modify AI prompts and responses in real-time, effectively poisoning the "agentic" workflows that organizations rely on for automated decision-making.
Additionally, on n8n Cloud, the flaw poses a multi-tenant risk where a single compromised user could potentially access shared infrastructure or the data of other customers within the same cluster.
Potential MSP Impact:
MSPs often use n8n to manage automation for dozens or hundreds of clients, either through a centralized multi-tenant instance or by hosting individual instances for each customer. A single compromised account or one malicious client could potentially "hop" the sandbox to access the underlying infrastructure, environment variables, and, most critically, the N8N_ENCRYPTION_KEY used to protect credentials across the entire platform.
Multi-Tenant Collapse: In shared environments (like n8n Cloud or MSP-hosted Kubernetes clusters), these vulnerabilities allow for lateral movement. An attacker who gains a foothold in one tenant's workflow can potentially explore internal services and access data belonging to other customers on the same host.
Systemic Credential Theft: MSPs typically store high-privilege credentials in n8n to manage client AWS accounts, Azure tenants, Salesforce instances, and AI API keys (OpenAI/Anthropic). A sandbox escape grants access to the SQLite database containing these secrets. Once the encryption key is stolen from the environment variables, the attacker can decrypt the entire "gold mine" of client credentials.
Supply Chain Poisoning: Attackers can quietly modify existing workflows (e.g., adding a hidden node that CCs data to an external server) or distribute malicious "workflow templates." If an MSP uses a standard library of workflows for its clients, a single injection could poison the automation of every client using that template.
Invisible Persistence: Because the workflows continue to run normally even after an exploit, an attacker can maintain long-term, quiet persistence. For an MSP, this could lead to months of undetected data exfiltration from multiple client pipelines.
Suggested Corrections:
To mitigate these risks, users must immediately upgrade their n8n instances to version 2.4.0 or later, which contains the necessary patches for both the initial vulnerability and the subsequent bypass discovered by researchers.
Beyond updating the software, it is strongly recommended that administrators rotate the n8n encryption key and all stored credentials (API keys, service account secrets, etc.), as any existing instance should be considered potentially compromised if it was exposed while running a vulnerable version.
Organizations should also audit their workflow execution logs for suspicious JavaScript expressions or unexpected outbound connections and monitor AI pipelines for "prompt poisoning" or unauthorized changes to base URLs and endpoints.
Link(s):
http://www.pillar.security/blog/n8n...of-enterprise-ai-systems-to-complete-takeover
Researchers at Pillar Security recently disclosed two maximum-severity sandbox escape vulnerabilities tracked as CVE-2026-25049 in n8n, a leading open-source workflow automation platform.
The vulnerabilities, which carry a perfect CVSS score of 10.0, stem from flaws in how n8n’s sandbox sanitizes JavaScript expressions. By using specifically crafted expressions, such as those involving template literals or unsanitized function arguments, an authenticated user can bypass security boundaries to execute arbitrary code on the host server. This "escape" allows attackers to break out of the restricted environment intended for workflow execution and gain the same privileges as the n8n process itself.
Security Officer Comments:
The impact of these vulnerabilities is critical because n8n often serves as a backbone for enterprise AI and cloud infrastructure. A successful exploit grants an attacker complete takeover of the server, providing immediate access to all environment variables and stored credentials. This includes high-value secrets such as API keys for OpenAI and Anthropic, AWS/cloud provider credentials, database passwords, and OAuth tokens.
In AI-heavy environments, attackers can intercept or modify AI prompts and responses in real-time, effectively poisoning the "agentic" workflows that organizations rely on for automated decision-making.
Additionally, on n8n Cloud, the flaw poses a multi-tenant risk where a single compromised user could potentially access shared infrastructure or the data of other customers within the same cluster.
Potential MSP Impact:
MSPs often use n8n to manage automation for dozens or hundreds of clients, either through a centralized multi-tenant instance or by hosting individual instances for each customer. A single compromised account or one malicious client could potentially "hop" the sandbox to access the underlying infrastructure, environment variables, and, most critically, the N8N_ENCRYPTION_KEY used to protect credentials across the entire platform.
Multi-Tenant Collapse: In shared environments (like n8n Cloud or MSP-hosted Kubernetes clusters), these vulnerabilities allow for lateral movement. An attacker who gains a foothold in one tenant's workflow can potentially explore internal services and access data belonging to other customers on the same host.
Systemic Credential Theft: MSPs typically store high-privilege credentials in n8n to manage client AWS accounts, Azure tenants, Salesforce instances, and AI API keys (OpenAI/Anthropic). A sandbox escape grants access to the SQLite database containing these secrets. Once the encryption key is stolen from the environment variables, the attacker can decrypt the entire "gold mine" of client credentials.
Supply Chain Poisoning: Attackers can quietly modify existing workflows (e.g., adding a hidden node that CCs data to an external server) or distribute malicious "workflow templates." If an MSP uses a standard library of workflows for its clients, a single injection could poison the automation of every client using that template.
Invisible Persistence: Because the workflows continue to run normally even after an exploit, an attacker can maintain long-term, quiet persistence. For an MSP, this could lead to months of undetected data exfiltration from multiple client pipelines.
Suggested Corrections:
To mitigate these risks, users must immediately upgrade their n8n instances to version 2.4.0 or later, which contains the necessary patches for both the initial vulnerability and the subsequent bypass discovered by researchers.
Beyond updating the software, it is strongly recommended that administrators rotate the n8n encryption key and all stored credentials (API keys, service account secrets, etc.), as any existing instance should be considered potentially compromised if it was exposed while running a vulnerable version.
Organizations should also audit their workflow execution logs for suspicious JavaScript expressions or unexpected outbound connections and monitor AI pipelines for "prompt poisoning" or unauthorized changes to base URLs and endpoints.
Link(s):
http://www.pillar.security/blog/n8n...of-enterprise-ai-systems-to-complete-takeover