CVE-2026-25055 Overview
CVE-2026-25055 is a path traversal vulnerability affecting n8n, an open source workflow automation platform. The vulnerability exists in workflows that process uploaded files and transfer them to remote servers via the SSH node. When file metadata is not properly validated, attackers can manipulate file paths to write files to unintended locations on remote systems, potentially leading to remote code execution.
Critical Impact
This path traversal flaw can enable unauthenticated attackers to achieve remote code execution on systems connected via SSH nodes when workflow endpoints lack authentication.
Affected Products
- n8n 1.x versions prior to 1.123.12
- n8n 2.x versions prior to 2.4.0
- n8n workflow automation platform (Node.js)
Discovery Timeline
- 2026-02-04 - CVE-2026-25055 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-25055
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal), a weakness that occurs when software uses external input to construct a pathname intended to identify a file or directory located underneath a restricted parent directory. The n8n workflow automation platform fails to properly validate file metadata when workflows process uploaded files and transfer them to remote servers through SSH nodes.
Exploitation depends on specific prerequisites: the attacker must know that such a vulnerable workflow exists, and the file upload endpoints must be unauthenticated. When these conditions are met, an attacker can craft malicious file uploads with manipulated metadata containing path traversal sequences (such as ../) to escape the intended directory structure on remote systems.
The impact is significant as successful exploitation can result in arbitrary file writes on remote systems connected via SSH, which can be leveraged into remote code execution through various techniques such as overwriting configuration files, cron jobs, or SSH authorized keys.
Root Cause
The root cause of this vulnerability lies in the insufficient validation of file metadata within n8n's SSH node implementation. When workflows transfer uploaded files to remote servers, the platform does not sanitize or validate the filename and path components against path traversal attempts. This allows specially crafted filenames containing directory traversal sequences to bypass intended directory restrictions and write files to arbitrary locations on the remote file system.
Attack Vector
The attack vector is network-based and can be exploited without authentication under specific conditions. An attacker must first identify an n8n instance with workflows that:
- Accept file uploads through unauthenticated endpoints
- Process and transfer those files to remote servers via SSH nodes
- Do not implement additional validation on file metadata
The attacker can then submit a malicious file with a crafted filename containing path traversal sequences. When the workflow processes this file and transfers it via SSH, the file is written to an unintended location on the remote system, potentially enabling code execution through mechanisms like cron job manipulation or SSH key injection.
For technical implementation details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-25055
Indicators of Compromise
- File uploads containing path traversal sequences such as ../, ..%2f, or ..%5c in filenames
- Unexpected files appearing in system directories on SSH-connected remote servers
- Workflow execution logs showing file transfers to paths outside expected directories
- Authentication logs showing unauthorized access to file upload endpoints
Detection Strategies
- Monitor n8n workflow logs for file upload activities with suspicious filenames containing traversal patterns
- Implement web application firewall (WAF) rules to detect and block path traversal attempts in file upload requests
- Review SSH transfer logs on connected remote systems for writes to sensitive directories
- Deploy file integrity monitoring on remote systems to detect unauthorized file modifications
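The first indicator above, turned into a log check (an added example, not n8n code or part of the advisory): it undoes nested percent-encoding before looking for `..` segments, so `..%2f`, `..%5c` and double-encoded forms are caught. The JSON field names and the sample records are constructed for illustration.

```javascript
// Constructed sample records; the field names (ts, path, fileName) are
// hypothetical and must be mapped to whatever your log pipeline emits.
const SAMPLE_LOG = [
  '{"ts":"2026-02-06T10:00:01Z","path":"/webhook/upload","fileName":"invoice.pdf"}',
  '{"ts":"2026-02-06T10:00:02Z","path":"/webhook/upload","fileName":"../../tmp/x.txt"}',
  '{"ts":"2026-02-06T10:00:03Z","path":"/webhook/upload","fileName":"..%2f..%2ftmp%2fx.txt"}',
  '{"ts":"2026-02-06T10:00:04Z","path":"/webhook/upload","fileName":"..%255c..%255ctmp"}',
  '{"ts":"2026-02-06T10:00:05Z","path":"/webhook/upload","fileName":"notes..v2.txt"}',
  '{"ts":"2026-02-06T10:00:06Z","path":"/webhook/upload","fileName":"100%.txt"}',
  'truncated line, not JSON',
];

// Undo up to maxRounds layers of percent-encoding; stop on invalid escapes.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Return the decoded name and the reasons (if any) it looks like traversal.
function classifyFileName(raw) {
  const decoded = fullyDecode(String(raw));
  const unified = decoded.replace(/\\/g, '/'); // treat "\" like "/"
  const reasons = [];
  if (unified.split('/').includes('..')) reasons.push('dot-dot segment');
  if (unified.startsWith('/')) reasons.push('absolute path');
  if (decoded.includes('\0')) reasons.push('NUL byte');
  return { decoded, reasons };
}

function findSuspiciousUploads(lines) {
  const hits = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (!rec || typeof rec.fileName !== 'string') continue;
    const { decoded, reasons } = classifyFileName(rec.fileName);
    if (reasons.length > 0) hits.push({ ts: rec.ts, raw: rec.fileName, decoded, reasons });
  }
  return hits;
}

console.log(findSuspiciousUploads(SAMPLE_LOG));
```

Names such as `notes..v2.txt` and `100%.txt` are deliberately not flagged: only a whole `..` path segment counts, and an invalid percent escape is left undecoded rather than treated as an error.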
Monitoring Recommendations
- Enable verbose logging on n8n instances to capture detailed file upload and transfer activities
- Implement centralized log collection for n8n workflows and connected SSH endpoints
- Configure alerts for file operations targeting sensitive paths such as /etc/, /root/, and cron directories
- Regularly audit workflow configurations for unauthenticated file upload endpoints
How to Mitigate CVE-2026-25055
Immediate Actions Required
- Upgrade n8n to version 1.123.12 or later for the 1.x branch
- Upgrade n8n to version 2.4.0 or later for the 2.x branch
- Review all workflows for unauthenticated file upload endpoints and add authentication requirements
- Audit existing workflows that transfer files via SSH nodes for proper input validation
Patch Information
n8n has released security patches addressing this vulnerability. Organizations should update to the following versions:
- Version 1.123.12 for users on the 1.x release branch
- Version 2.4.0 for users on the 2.x release branch
The patches implement proper validation of file metadata to prevent path traversal attacks when files are transferred to remote systems via SSH nodes. For detailed patch information, consult the n8n GitHub Security Advisory.
Workarounds
- Enable authentication on all workflow endpoints that accept file uploads
- Implement additional input validation at the workflow level to sanitize filenames before SSH transfer
- Restrict SSH node permissions to limit write access to specific directories on remote systems
- Use network segmentation to limit exposure of n8n instances accepting file uploads
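# Example: Restrict SSH user to specific directory on remote systems
# Add to /etc/ssh/sshd_config on target SSH servers
# The account name and directory below are examples.
Match User n8n-workflow
    # ChrootDirectory and every parent must be owned by root and not be
    # group- or world-writable; give the account a writable subdirectory.
    ChrootDirectory /var/n8n-uploads
    # SFTP only: this account can no longer run shell commands.
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no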
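One way to implement the workflow-level filename validation listed under Workarounds, shown beside the weak pattern it replaces (an added example, not n8n's patch and not code from the advisory). It assumes uploads land directly in one fixed remote directory; the function names and the allow-list pattern are illustrative.

```javascript
// Assumption: a valid upload name is a single path segment made of a
// conservative character set and not starting with a dot.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;

// Collapse "." and ".." the way the remote POSIX host will, to show where a
// joined path really ends up.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Weak pattern: trusts the uploader-supplied name when building the target.
function naiveRemotePath(baseDir, fileName) {
  return normalizePosix(baseDir + '/' + fileName);
}

// Hardened pattern: allow-list the name, then verify containment anyway.
function safeRemotePath(baseDir, fileName) {
  if (typeof fileName !== 'string' || !SAFE_NAME.test(fileName)) {
    throw new Error('rejected file name: ' + JSON.stringify(fileName));
  }
  const base = normalizePosix(baseDir);
  const target = normalizePosix(base + '/' + fileName);
  if (!target.startsWith(base + '/')) {
    throw new Error('resolved path escapes ' + base);
  }
  return target;
}

// Constructed sample names, not taken from the advisory.
function demo() {
  const base = '/var/n8n-uploads';
  return ['report.pdf', '../../tmp/outside.txt', '..\\x', '.hidden'].map((name) => {
    const naive = naiveRemotePath(base, name);
    try {
      return { name, naive, safe: safeRemotePath(base, name) };
    } catch (err) {
      return { name, naive, safe: null, error: err.message };
    }
  });
}

console.log(demo());
```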

