Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71380

CVE-2025-71380: n8n Execute Command Node RCE Vulnerability

CVE-2025-71380 is a remote code execution vulnerability in n8n's Execute Command node that allows authenticated attackers to run arbitrary commands on the host system. This article covers the technical details, impact, and mitigation.

Published:

CVE-2025-71380 Overview

CVE-2025-71380 is a command execution vulnerability in n8n, an open-source workflow automation platform. The Execute Command node permits authenticated users to run arbitrary operating system commands on the host where n8n executes. Attackers who obtain valid user credentials or compromise an existing account can abuse this node to execute malicious commands with the privileges of the n8n process. Successful exploitation can lead to data exfiltration, service disruption, lateral movement, or full host compromise. The weakness is tracked under CWE-284 (Improper Access Control).

Critical Impact

Authenticated attackers can execute arbitrary OS commands on the n8n host, resulting in confidentiality, integrity, and availability loss.

Affected Products

  • n8n workflow automation platform (Execute Command node)
  • Self-hosted n8n deployments where the Execute Command node is enabled
  • n8n instances with multiple user accounts or exposed authentication surfaces

Discovery Timeline

  • 2026-07-04 - CVE-2025-71380 published to NVD
  • 2026-07-06 - Last updated in NVD database

Technical Details for CVE-2025-71380

Vulnerability Analysis

n8n exposes an Execute Command node that lets workflow authors run shell commands on the host operating system. The node is designed for administrative automation tasks such as invoking scripts or system utilities. However, access to the node is not gated by a privilege boundary beyond standard authentication. Any authenticated user who can create or modify workflows can instruct n8n to execute arbitrary commands under the user account running the n8n process.

Because n8n often runs with elevated privileges or inside containers with access to sensitive tokens, an attacker gains a direct path from application-level access to operating system control. The commands run in the same execution context as n8n itself, inheriting environment variables, mounted secrets, and network reachability.

Root Cause

The root cause is improper access control ([CWE-284]). The Execute Command node does not enforce a separate authorization tier for command execution capabilities. Standard authenticated users inherit the ability to invoke shell commands, violating the principle of least privilege. Credential theft, weak passwords, or an insider account are sufficient preconditions for exploitation.

Attack Vector

Exploitation is network-based and requires low privileges. An attacker authenticates to the n8n UI or API, creates or edits a workflow, adds an Execute Command node, and supplies a command payload. When the workflow runs, n8n executes the supplied command on the host. No user interaction beyond the attacker's own actions is required. Refer to the GitHub Security Advisory GHSA-365g-vjw2-grx8 and the VulnCheck advisory on n8n command execution for further technical detail.

Detection Methods for CVE-2025-71380

Indicators of Compromise

  • Unexpected child processes spawned by the n8n Node.js process, especially shells such as sh, bash, cmd.exe, or powershell.exe
  • New or modified workflows containing Execute Command nodes with references to sensitive paths, credentials, or outbound network utilities like curl, wget, or nc
  • Outbound connections from the n8n host to unfamiliar external endpoints shortly after workflow executions

Detection Strategies

  • Enable and review n8n audit logs for workflow creation, edits, and executions that include the Execute Command node
  • Monitor process ancestry on the host to identify shell commands whose parent is the n8n runtime
  • Alert on file system changes to /etc, SSH keys, or credential stores originating from the n8n process tree

Monitoring Recommendations

  • Forward n8n application logs and host process telemetry to a centralized SIEM for correlation
  • Baseline normal Execute Command node usage per user and alert on deviations in frequency or command content
  • Track authentication events for anomalous logins, credential stuffing, or new user account creation on n8n

How to Mitigate CVE-2025-71380

Immediate Actions Required

  • Restrict access to n8n instances behind VPN or an authenticated reverse proxy and disable public exposure
  • Audit all existing workflows for Execute Command node usage and remove nodes that are not business-critical
  • Rotate credentials for any n8n user accounts and enforce multi-factor authentication where supported
  • Review n8n audit logs for suspicious workflow modifications since the earliest date the instance was exposed

Patch Information

Consult the n8n GitHub Security Advisory GHSA-365g-vjw2-grx8 for the vendor's recommended remediation and any available fixed versions. Apply configuration or version updates published by n8n as soon as they are validated in a test environment.

Workarounds

  • Disable the Execute Command node globally via n8n environment configuration if it is not required
  • Run n8n as an unprivileged user inside a hardened container with read-only file systems and no host mounts
  • Apply strict role-based access so that only trusted administrators can create or edit workflows that include Execute Command nodes
bash
# Disable the Execute Command node by excluding it from allowed nodes
# Set this environment variable before starting n8n
export NODES_EXCLUDE="[\"n8n-nodes-base.executeCommand\"]"

# Run n8n as a non-root user inside a container with limited capabilities
docker run -d \
  --name n8n \
  --user 1000:1000 \
  --read-only \
  --cap-drop=ALL \
  -e NODES_EXCLUDE="[\"n8n-nodes-base.executeCommand\"]" \
  -p 127.0.0.1:5678:5678 \
  n8nio/n8n

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.