A previously published patch left a gaping hole
- New flaw in n8n (CVE-2026-25049) allows unauthenticated users to run arbitrary commands on servers
- Vulnerability risks theft of secrets (API keys, OAuth tokens) and cross-tenant data exposure
- Patch released in v2.4.0; PoC already public, making immediate updates critical despite temporary workarounds
A critical vulnerability has been found in n8n which allows threat actors to run arbitrary commands on the underlying computers.
In the second half of December 2025, n8n's developers released a patch for CVE-2025-68613, a critical Remote Code Execution (RCE) vulnerability in the workflow expression evaluation system. Now, security researchers are saying that the patch was inadequate and left exploitable holes.
These holes lead to the same result - escaping the workflow automation platform and taking over the underlying server.
Proof of Concept released
This new flaw is now tracked as CVE-2026-25049. Apparently, any unauthenticated user that can create or edit workflows on the platform can also perform RCE on the n8n server. Some researchers are saying that the bug can be used to steal all secrets stored on the server, such as API keys, or OAuth tokens. Furthermore, sensitive configuration files are also at risk.
To make things worse, it is possible for threat actors to pivot from one tenant to another, stealing data from multiple organizations sharing the same environment.
“The attack requires nothing special. If you can create a workflow, you can own the server,” Pillar Security said in a report.
On December 30, n8n developers acknowledged the mishap and released version 2.4.0 two weeks later. If you are actively using n8n, it is advised to apply the patch as soon as possible, especially since a Proof-of-Concept (PoC) is already released.
BleepingComputer notes that researchers from Endor Labs were the ones who published the PoC.
"In all versions prior to 2.5.2 and 1.123.17, the sanitization function assumes keys in property accesses are strings in attacker-controlled code," Endor Labs explained.
Those that cannot apply the patch right now can deploy a workaround that includes limiting workflow creation and editing permissions to fully trusted users only, and deploying n8n in a hardened environment with restricted OS privileges and network access.
Still, the developers warned that this can only be considered a temporary workaround and that patching is still the best way to actually fix the issue.
At press time, there were no reported cases of abuse in the wild.
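For teams triaging an n8n estate against this flaw, the following is an added example (not code from the article, Endor Labs or the n8n project) that classifies reported n8n version strings using the fixed versions quoted from Endor Labs above, 2.5.2 for the 2.x line and 1.123.17 for everything older. The inventory it runs over is constructed, and it assumes plain major.minor.patch version strings.

```javascript
// Added example: is a given n8n version inside the range Endor Labs describes as
// affected ("all versions prior to 2.5.2 and 1.123.17")? Not n8n project code.

// Fixed versions per release line, taken from the Endor Labs statement quoted above.
const FIXED_2X = "2.5.2";
const FIXED_OLDER = "1.123.17";

// Parse "v1.2.3" / "1.2.3" into [major, minor, patch]; assumption: semver-style
// strings, any pre-release or build suffix after the patch number is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised n8n version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// "vulnerable" if the version is below the fixed release for its line, else "patched".
// 2.x (and anything newer) is measured against 2.5.2; 1.x and older against 1.123.17.
function assessN8nVersion(version) {
  const [major] = parseVersion(version);
  const fixed = major >= 2 ? FIXED_2X : FIXED_OLDER;
  return compareVersions(version, fixed) < 0 ? "vulnerable" : "patched";
}

// Constructed sample inventory; hostnames and versions are made up for the example.
const SAMPLE_INVENTORY = [
  { host: "n8n-prod-1", version: "1.123.16" },
  { host: "n8n-prod-2", version: "2.4.0" },   // the article's patch release, still below 2.5.2
  { host: "n8n-lab", version: "v2.5.2" },
  { host: "n8n-legacy", version: "0.236.0" }, // older than 1.123.17, so also in range
];

// Annotate every inventory entry with its status so the result can be filtered or reported.
function triage(inventory) {
  return inventory.map(({ host, version }) => ({ host, version, status: assessN8nVersion(version) }));
}

console.table(triage(SAMPLE_INVENTORY));
```

Feed it the version each instance reports and patch whatever comes back as "vulnerable" first.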
Sead Fadilpašić
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he's written for numerous media outlets, including Al Jazeera Balkans. He's also held several modules on content writing for Represent Communications.