CVE-2026-25056 Overview
CVE-2026-25056 is a critical arbitrary file write vulnerability affecting n8n, a popular open source workflow automation platform. The vulnerability exists in the Merge node's SQL Query mode, where authenticated users with permission to create or modify workflows can write arbitrary files to the n8n server's filesystem. This file write capability can be leveraged to achieve remote code execution (RCE), making this a severe security issue for organizations running vulnerable versions of n8n.
Critical Impact
Authenticated attackers can write arbitrary files to the server filesystem, potentially leading to complete system compromise through remote code execution.
Affected Products
- n8n versions prior to 1.118.0
- n8n versions prior to 2.4.0
- n8n workflow automation platform for Node.js
Discovery Timeline
- 2026-02-04 - CVE-2026-25056 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-25056
Vulnerability Analysis
This vulnerability is classified as CWE-434 (Unrestricted Upload of Dangerous File Type), though in this case it manifests specifically as an arbitrary file write condition within the Merge node component. The attack requires network access and low-level privileges (authenticated user with workflow creation or modification permissions), but once these prerequisites are met, exploitation requires no user interaction and has low attack complexity.
The impact is severe across all three security dimensions: confidentiality, integrity, and availability are all highly impacted. Furthermore, the vulnerability has scope change implications, meaning a successful exploit can affect resources beyond the vulnerable component itself, potentially compromising the entire server infrastructure.
Root Cause
The root cause of this vulnerability lies in insufficient input validation and path sanitization within the Merge node's SQL Query mode functionality. When processing SQL queries, the component fails to properly validate or restrict file paths, allowing authenticated users to specify arbitrary filesystem locations for file write operations. This lack of proper boundary enforcement enables attackers to write files to sensitive directories on the n8n server.
Attack Vector
The attack is network-based and exploits the Merge node's SQL Query mode feature. An authenticated attacker with workflow creation or modification privileges can craft a malicious workflow that abuses the SQL Query mode to write arbitrary content to arbitrary locations on the server filesystem.
The exploitation path typically follows this pattern:
- Attacker authenticates to the n8n platform with appropriate workflow privileges
- Attacker creates or modifies a workflow containing a Merge node configured with SQL Query mode
- Attacker crafts the SQL query parameters to specify a malicious file path and content
- Upon workflow execution, the arbitrary file is written to the server filesystem
- Attacker leverages the written file (e.g., web shell, cron job, SSH key) to achieve remote code execution
For detailed technical information about the exploitation mechanism, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-25056
Indicators of Compromise
- Unexpected file creation events in sensitive directories (e.g., /tmp, web roots, cron directories, SSH configuration paths)
- Workflow configurations containing suspicious Merge nodes with SQL Query mode targeting filesystem paths
- Unusual workflow execution patterns from accounts with limited business need for file operations
- New or modified files in application directories that do not match expected deployment artifacts
Detection Strategies
- Monitor n8n workflow audit logs for creation or modification of workflows containing Merge nodes with SQL Query mode
- Implement file integrity monitoring (FIM) on the n8n server to detect unauthorized file writes
- Review user permissions and identify accounts with workflow creation/modification privileges for potential abuse
- Deploy endpoint detection and response (EDR) solutions to identify post-exploitation activities following arbitrary file writes
Monitoring Recommendations
- Enable comprehensive logging for all workflow creation, modification, and execution events in n8n
- Configure alerts for file write operations to directories outside normal application scope
- Monitor for execution of newly created files or scripts on the n8n server
- Implement network monitoring to detect reverse shells or C2 communications that may follow successful exploitation
How to Mitigate CVE-2026-25056
Immediate Actions Required
- Upgrade n8n to version 1.118.0 or 2.4.0 (or later) immediately
- Review all existing workflows for suspicious Merge node configurations with SQL Query mode
- Audit user accounts with workflow creation/modification permissions and apply principle of least privilege
- Conduct forensic analysis of the n8n server filesystem to identify any unauthorized file writes
Patch Information
n8n has addressed this vulnerability in versions 1.118.0 and 2.4.0. Organizations should upgrade to these patched versions or later as the primary remediation action. The security advisory is available at the GitHub Security Advisory page.
| Affected Version | Fixed Version |
|---|---|
| < 1.118.0 | 1.118.0 |
| < 2.4.0 | 2.4.0 |
Workarounds
- Restrict workflow creation and modification permissions to only trusted administrative users until patching is complete
- Implement network segmentation to limit the blast radius of a potential compromise
- Deploy application-level firewall rules to restrict access to the n8n interface
- Consider temporarily disabling the Merge node's SQL Query mode functionality if operationally feasible
# Upgrade n8n to patched version using npm
npm update n8n@latest
# Verify the installed version
n8n --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
