CVE-2026-25056

HIGH
Published February 4, 2026
CISO Take

If your organization uses n8n for AI agent orchestration or workflow automation, treat this as critical regardless of the CVSS 8.8 rating — any authenticated user with workflow edit permissions can write arbitrary files to the server filesystem and achieve RCE. Patch immediately to n8n 1.118.0 or 2.4.0; if patching is delayed, restrict workflow creation and modification permissions to a minimal set of trusted users and audit existing workflows for Merge node SQL Query usage.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
n8n       npm         (not listed)       No patch
n8n       npm         (not listed)       No patch

Severity & Risk

CVSS 3.1
8.8 / 10
EPSS
N/A
KEV Status
Not in KEV
Sophistication
Trivial

Recommended Action

  1. PATCH: Update n8n to version 1.118.0 (v1 branch) or 2.4.0 (v2 branch) immediately.
  2. DETECT: Audit workflow logs and definitions for Merge nodes configured in SQL Query mode — query your n8n database for workflows containing this node type.
  3. RESTRICT: Apply least-privilege to workflow creation and modification permissions; only trusted users should be able to create or modify workflows.
  4. MONITOR: Alert on unexpected file creation events in the n8n server filesystem, particularly in web root directories, temp folders, or application directories.
  5. INVENTORY: Enumerate all credentials and API keys stored in n8n workflows and rotate any that may have been exposed post-incident.
  6. NETWORK: Place n8n behind a VPN or internal-only access policy; it should not be internet-exposed without strong authentication controls.
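One way to carry out the DETECT step offline, as an added example that is not part of the advisory or the n8n project: pull the workflow rows from the n8n database and flag every Merge node whose stored mode is the SQL Query one. The table name workflow_entity, the node type string, and the "combineBySql"/"query" parameter names are assumptions about n8n's stored workflow format; adjust them against a workflow exported from your own instance.

```python
import json

# Constructed sample rows in the shape of `SELECT id, name, nodes FROM workflow_entity`
# (table name assumed). Only workflow 1 holds a Merge node in SQL Query mode.
SAMPLE_ROWS = [
    (1, "daily-report", json.dumps([
        {"name": "Merge", "type": "n8n-nodes-base.merge", "typeVersion": 3,
         "parameters": {"mode": "combineBySql",  # assumed value for "SQL Query" mode
                        "query": "SELECT * FROM input1 LEFT JOIN input2 ON input1.id = input2.id"}},
        {"name": "Set", "type": "n8n-nodes-base.set", "parameters": {}},
    ])),
    (2, "benign-append", json.dumps([
        {"name": "Merge", "type": "n8n-nodes-base.merge", "typeVersion": 3,
         "parameters": {"mode": "append"}},
    ])),
    (3, "old-merge", json.dumps([
        {"name": "Merge1", "type": "n8n-nodes-base.merge", "typeVersion": 2,
         "parameters": {}},  # older node version: no mode stored, treated as not SQL
    ])),
]


def find_sql_merge_nodes(rows, sql_mode="combineBySql"):
    """Return one finding per Merge node stored in SQL Query mode.

    Each row is (workflow_id, workflow_name, nodes_json). Malformed JSON is skipped
    so one corrupt row cannot abort the audit of the whole instance.
    """
    findings = []
    for wf_id, wf_name, nodes_json in rows:
        try:
            nodes = json.loads(nodes_json)
        except (json.JSONDecodeError, TypeError):
            continue
        for node in nodes:
            if node.get("type") != "n8n-nodes-base.merge":
                continue
            params = node.get("parameters") or {}
            if params.get("mode") == sql_mode:
                findings.append({"workflow_id": wf_id, "workflow": wf_name,
                                 "node": node.get("name"), "query": params.get("query", "")})
    return findings


if __name__ == "__main__":
    for f in find_sql_merge_nodes(SAMPLE_ROWS):
        print(f"[REVIEW] workflow {f['workflow_id']} ({f['workflow']}): "
              f"node {f['node']!r} uses SQL Query mode; query: {f['query']}")
```

Every flagged workflow should be reviewed by its owner and either rewritten without SQL Query mode or confirmed after the instance is patched.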

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
Article 9 - Risk Management System
ISO 42001
A.6.2 - AI System Lifecycle: Development and Acquisition
A.6.2.6 - AI System Security and Resilience
A.9.4 - AI System Security
NIST AI RMF
GOVERN-1.7 - AI Risk Policies and Procedures
MANAGE-2.2 - Risk Treatment
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities
LLM06:2025 - Excessive Agency
LLM07 - Insecure Plugin Design
LLM08 - Excessive Agency

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to versions 1.118.0 and 2.4.0, a vulnerability in the Merge node's SQL Query mode allowed authenticated users with permission to create or modify workflows to write arbitrary files to the n8n server's filesystem, potentially leading to remote code execution. This issue has been patched in versions 1.118.0 and 2.4.0.

Exploitation Scenario

An adversary with a low-privilege n8n account — obtained through phishing a developer, credential stuffing, or insider access — creates or modifies a workflow containing a Merge node configured in SQL Query mode. By crafting a malicious SQL query payload, they write a web shell or malicious script to a writable directory on the n8n server filesystem. If n8n is deployed with write access to a web-served directory, the shell becomes immediately accessible. In AI-specific contexts, the attacker can overwrite n8n workflow configuration files to inject malicious tool definitions into existing AI agent workflows, causing the agent to exfiltrate data or execute adversary-controlled commands every time a legitimate user triggers the workflow. This creates a persistent, stealthy compromise of the entire AI agent orchestration layer without requiring any further user interaction.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
February 4, 2026
Last Modified
February 5, 2026
First Seen
February 4, 2026