CVE-2026-25052 Overview
CVE-2026-25052 is a critical file access control vulnerability affecting n8n, the popular open source workflow automation platform. This security flaw allows authenticated users with workflow creation or modification permissions to bypass file access controls and read sensitive files from the n8n host system. The vulnerability enables attackers to extract critical configuration data and user credentials, potentially leading to complete account takeover of any user on the affected instance.
Critical Impact
Authenticated attackers can read arbitrary files from the host system, exposing configuration data and credentials that enable complete account takeover of any user on the n8n instance.
Affected Products
- n8n versions prior to 1.123.18
- n8n versions prior to 2.5.0
- n8n for Node.js (all vulnerable versions)
Discovery Timeline
- 2026-02-04 - CVE-2026-25052 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-25052
Vulnerability Analysis
This vulnerability stems from inadequate file access controls within n8n's workflow processing engine. The platform fails to properly restrict file system operations initiated through workflow configurations, allowing authenticated users to craft workflows that access files outside of intended boundaries on the host system.
The attack is network-accessible and requires only low-privilege authentication—specifically, the ability to create or modify workflows. No user interaction is required for exploitation. The impact extends beyond the immediate n8n application, affecting the confidentiality, integrity, and availability of both the vulnerable system and potentially connected systems that rely on compromised credentials.
This vulnerability is classified under CWE-367 (Time-of-check Time-of-use Race Condition), indicating that the file access control mechanism may be susceptible to race condition attacks where file permissions are checked at one time but the file is accessed at another, allowing unauthorized access.
Root Cause
The root cause lies in insufficient validation and access control enforcement when workflows interact with the file system. The n8n platform does not adequately sandbox file operations within workflows, allowing authenticated users to specify file paths that traverse outside the intended working directories. This lack of proper path validation and access control checking enables unauthorized access to sensitive system files, configuration data, and stored credentials.
Attack Vector
The attack vector is network-based and requires an authenticated user with permissions to create or modify workflows within the n8n platform. An attacker would:
- Authenticate to the n8n instance with valid credentials that include workflow creation/modification privileges
- Create or modify a workflow to include nodes that perform file read operations
- Configure the workflow to target sensitive files on the host system (e.g., configuration files, credential stores)
- Execute the workflow to exfiltrate sensitive data
- Use the obtained credentials to perform account takeover of other users on the instance
The vulnerability is particularly dangerous in multi-tenant environments or instances where workflow permissions are granted to users who should not have access to system-level files. Once credentials are obtained, attackers can escalate their access to any user account on the platform.
Detection Methods for CVE-2026-25052
Indicators of Compromise
- Unusual workflow executions that attempt to access system files or configuration directories
- Workflow nodes configured with file paths pointing to sensitive locations such as /etc/, credential storage directories, or n8n configuration files
- Authentication events from accounts that were not expected to have activity
- Multiple failed or successful login attempts following workflow executions
Detection Strategies
- Monitor workflow configurations for file path operations targeting sensitive system directories
- Implement audit logging for all workflow creation and modification events
- Alert on workflows containing file system operations that reference paths outside normal working directories
- Review authentication logs for signs of credential compromise following suspicious workflow activity
Monitoring Recommendations
- Enable comprehensive logging for workflow executions and file system access attempts
- Deploy file integrity monitoring on critical configuration files and credential stores
- Implement real-time alerting for access attempts to sensitive directories from the n8n process
- Regularly audit user permissions to ensure workflow creation rights are limited to trusted users
How to Mitigate CVE-2026-25052
Immediate Actions Required
- Upgrade n8n to version 1.123.18 or 2.5.0 immediately
- Audit all existing workflows for suspicious file access patterns
- Review user permissions and restrict workflow creation/modification rights to essential personnel only
- Rotate all credentials stored within the n8n instance as a precautionary measure
Patch Information
n8n has released security patches addressing this vulnerability in versions 1.123.18 and 2.5.0. Organizations should upgrade to these versions or later immediately. Detailed information about the security fix is available in the GitHub Security Advisory GHSA-gfvg-qv54-r4pc.
Workarounds
- Restrict network access to the n8n instance to trusted IP addresses only
- Implement additional authentication layers such as VPN requirements for accessing the n8n interface
- Temporarily revoke workflow creation and modification permissions from non-essential users until patching is complete
- Run n8n in a containerized environment with strict file system isolation to limit the impact of potential exploitation
# Upgrade n8n to patched version
npm update n8n@1.123.18
# Or for version 2.x
npm update n8n@2.5.0
# Verify installed version
n8n --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
