Summary
| Item | Details |
| --- | --- |
| Vulnerability Name | Remote Code Execution due to Expression Escape in n8n (CVE-2026-25049) |
| Released on | February 06, 2026 |
| Affected Component | n8n |
| Affected Version | n8n < 1.123.17<br>2.0.0 ≤ n8n < 2.5.2 |
| Vulnerability Type | Code execution |
| Exploitation Condition | 1. User authentication: required.<br>2. Precondition: default configurations.<br>3. Trigger mode: remote. |
| Impact | Exploitation difficulty: easy. Unauthorized attackers can exploit this vulnerability to execute arbitrary code. Severity: critical. |
| Official Solution | Available |
About the Vulnerability
Component Introduction
n8n is an open-source workflow automation platform that allows users to connect various applications, services, and APIs by dragging nodes on a visual interface. It enables users to construct complex automated processes without the need for extensive coding. The letter "n" in its name stands for "numerous", which indicates that n8n can connect countless tools for flexible integration.
Vulnerability Description
On February 06, 2026, Sangfor FarSight Labs received notification of the remote code execution vulnerability in n8n (CVE-2026-25049), classified as critical in threat level.
Specifically, n8n contains an expression escape vulnerability stemming from a defense gap in its JavaScript expression evaluation component. Attackers can bypass sandbox protection by combining arrow functions with the destructuring assignment syntax to obtain the function constructor, which may ultimately result in arbitrary code execution.
Affected Versions
The following n8n versions are affected:
n8n < 1.123.17
2.0.0 ≤ n8n < 2.5.2
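As an added example that is not part of this advisory or of the n8n project, the following Python helper checks an inventory of n8n version strings against the two affected ranges listed above and flags each host as affected, fixed or unknown; the hostnames and versions in the sample inventory are constructed for illustration.

```python
"""Triage n8n versions against the CVE-2026-25049 affected ranges:
n8n < 1.123.17, or 2.0.0 <= n8n < 2.5.2 (ranges taken from the advisory)."""
import re

# semver-like: optional "v", major.minor.patch, optional -prerelease and +build.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")


def version_key(text):
    """Return (major, minor, patch, is_release). is_release is 0 for pre-release
    tags, so e.g. 2.5.2-rc.1 sorts below the fixed 2.5.2 release and is still
    treated as vulnerable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    major, minor, patch, pre, _build = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


# (lower bound inclusive, upper bound exclusive) in version_key form.
AFFECTED_RANGES = (
    ((0, 0, 0, 0), (1, 123, 17, 1)),  # n8n < 1.123.17
    ((2, 0, 0, 0), (2, 5, 2, 1)),     # 2.0.0 <= n8n < 2.5.2 (2.0.0 pre-releases
)                                     # included, a conservative assumption)


def is_affected(version):
    """True if the version lies inside one of the advisory's affected ranges."""
    key = version_key(version)
    return any(lo <= key < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """inventory: {host: version_string}. Returns a host-sorted list of
    (host, version, verdict); verdict is 'affected', 'fixed' (outside every
    affected range) or 'unknown' (version string could not be parsed)."""
    results = []
    for host, version in inventory.items():
        try:
            verdict = "affected" if is_affected(version) else "fixed"
        except ValueError:
            verdict = "unknown"
        results.append((host, version, verdict))
    return sorted(results)


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "automation-01.example.internal": "1.123.16",
    "automation-02.example.internal": "v1.123.17",
    "automation-03.example.internal": "2.4.0",
    "automation-04.example.internal": "2.5.2-rc.1",
    "automation-05.example.internal": "2.5.2",
    "automation-06.example.internal": "latest",
}

if __name__ == "__main__":
    for host, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:32} {version:12} {verdict}")
```

A host reported as "unknown" (for example an image tag such as "latest") needs its concrete version confirmed before it can be cleared.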
Solutions
Remediation Solutions
Official Solutions
The latest versions have been officially released to fix the vulnerability. Affected users are advised to update n8n to the corresponding latest version as needed:
Download link: https://github.com/n8n-io/n8n/releases
Temporary Solutions
- Disable unused functional modules to reduce attack entry points.
- Follow the principle of least privilege to strictly control the scope of permissions for sensitive operations.
- Do not expose services to the Internet unless necessary, to limit the access sources to trusted ranges.
- Regularly update the system and components to secure versions so that known vulnerabilities can be patched at the earliest opportunity.
Sangfor Solutions
Proactive Vulnerability Detection
The following Sangfor service can proactively detect CVE-2026-25049 and quickly identify affected assets in batches across business environments:
- Athena Managed Detection and Response (MDR): The corresponding detection solution will be released on March 30, 2026. The rule ID is SF-2026-01004.
Timeline
On February 06, 2026, Sangfor FarSight Labs received notification of the remote code execution vulnerability due to expression escape in n8n (CVE-2026-25049).
On February 06, 2026, Sangfor FarSight Labs released a vulnerability alert.
Reference
https://github.com/advisories/GHSA-6cqr-8cfr-67f8
Learn More
Sangfor FarSight Labs researches the latest cyber threats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyber threats, providing fast and easy protection for customers.