CVE-2026-25049

CRITICAL

n8n <1.123.17, <2.5.2 - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-25049. PoCs published by XiaomingX, 0xBlackash, otakuliu.

AI-analyzed exploit summary This repository demonstrates a JavaScript sandbox escape vulnerability (CVE-2026-25049) via destructuring and Reflect API bypasses. It includes functional PoC code and multiple sandbox versions to illustrate patch evasion techniques.

Description

n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2.

Exploits (3)

github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25049


Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: vm2 (Node.js sandbox)
No auth needed
Prerequisites: Node.js environment · vm2 library
devstral-2 · analyzed Feb 27, 2026
nomisec WRITEUP
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-25049

This repository provides a detailed technical analysis of CVE-2026-25049, an unauthenticated information disclosure vulnerability in n8n. It includes affected versions, technical details, and mitigation steps but does not contain functional exploit code.

Classification
Writeup 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: n8n v1.123.5
No auth needed
Prerequisites: Access to the target n8n instance
devstral-2 · analyzed Apr 22, 2026
nomisec WORKING POC
by otakuliu · poc
https://github.com/otakuliu/Expression-Sandbox-Escape-Simulation-Lab

This repository demonstrates a JavaScript sandbox escape simulation lab, showcasing how different payloads (including CVE-2026-25049) can bypass sandbox restrictions through techniques like destructuring and Reflect API access. It includes multiple sandbox versions to illustrate the evolution of patches and bypasses.

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: vm2 (JavaScript sandbox)
No auth needed
Prerequisites: Node.js environment · vm2 library installed
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.9
EPSS 0.0005
EPSS Percentile 17.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-913
Status published
Products (2)
n8n/n8n < 1.123.17
npm/n8n 0 - 1.123.17
Published Feb 04, 2026
Tracked Since Feb 18, 2026