CVE-2026-25049 (CVSS 9.4) is a critical expression-sandbox escape in n8n, the open-source workflow automation platform widely used to orchestrate AI agents, RAG pipelines, and LLM tool chains.
The flaw is a bypass of the December 2025 fix for CVE-2025-68613 (CVSS 9.9). Researcher Fatih Çelik, who reported the original bug, describes both as "the same vulnerability — the second is just a bypass for the initial fix."
Root cause: A mismatch between TypeScript's compile-time type system and JavaScript's runtime behavior allows crafted expressions that use destructuring syntax to escape the sandbox. An attacker can then call process.binding('spawn_sync') to execute arbitrary OS commands, sidestepping the module restrictions.
Attack path: An authenticated user creates a workflow that exposes a publicly accessible webhook with no authentication. A single line of JavaScript in a node expression is enough to trigger full RCE. Once the workflow is activated, anyone on the internet who can reach the webhook can run commands on the host.
Impact confirmed by Pillar Security: Full read of environment variables including N8N_ENCRYPTION_KEY, decryption of every stored credential, filesystem access, lateral movement to connected cloud accounts, and hijack of downstream AI workflows.
Affects n8n versions prior to 1.123.17 and 2.5.2. n8n Cloud was patched; the primary risk is self-hosted instances.
At least 10 independent researchers (Endor Labs, Pillar Security, SecureLayer7, and others) discovered and reported variants, indicating the attack surface was broadly accessible.
Public exploit details and PoCs are now available, increasing urgency.
Why it matters
n8n is a central hub for AI agent orchestration — it typically stores API keys for LLM providers, vector databases, SaaS tools, and cloud accounts. Compromising n8n means compromising the entire AI pipeline.
The webhook-to-RCE chain turns any internet-facing n8n instance into a one-click server takeover — no special tooling required.
This is the second critical sandbox escape in n8n in under three months (after CVE-2025-68613 in December and CVE-2026-1470 / CVE-2026-0863 in January), signaling that expression sandboxing in workflow engines remains a fragile security boundary.
What to do
Upgrade immediately to n8n ≥ 1.123.17 on the 1.x line or ≥ 2.5.2 on the 2.x line.
Audit webhooks: Identify any workflows with public, unauthenticated webhooks and disable or restrict them until patched.
Rotate all stored credentials: Assume the N8N_ENCRYPTION_KEY and every credential stored in n8n may have been exposed if the instance was internet-reachable.
Restrict workflow creation: Treat the ability to create or edit workflows as a privileged operation — not a default for every team member.
Network isolation: Place n8n behind a VPN or zero-trust proxy; never expose it directly to the internet.
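The first two steps above (confirm the running version is past the fixed releases, then find workflows with public, unauthenticated webhooks) can be scripted against an exported workflow list. The following is an added example written for this page, not n8n project code. It assumes (not stated in the advisory) that n8n workflow exports are JSON objects with an "active" flag and a "nodes" list, that webhook nodes carry the type "n8n-nodes-base.webhook", and that the webhook "authentication" parameter defaults to "none" when absent; the sample export is constructed.

```python
"""Defender-side checks for the n8n sandbox-escape advisory (added example).

  1. is_patched(version): is an n8n version at or beyond the fixed releases
     (1.123.17 on the 1.x line, 2.5.2 on the 2.x line)?
  2. audit(workflows): list Webhook nodes whose authentication is "none",
     live (active) workflows first, since those are reachable right now.

Assumptions (not from the advisory): export format as described in the
lead-in; node type "n8n-nodes-base.webhook"; missing "authentication"
parameter means no auth.
"""
import json
import re

# Fixed release per major line; anything on a newer line is assumed fixed,
# anything older than 1.x is assumed vulnerable (assumption, not from the page).
FIXED_VERSIONS = {1: (1, 123, 17), 2: (2, 5, 2)}

WEBHOOK_NODE_TYPE = "n8n-nodes-base.webhook"  # assumed n8n node type name


def parse_version(version):
    """Turn '1.123.17' or 'v2.5.2' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised n8n version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if this version contains the fix for its release line."""
    major, minor, patch = parse_version(version)
    if major in FIXED_VERSIONS:
        return (major, minor, patch) >= FIXED_VERSIONS[major]
    return major > 2


def find_unauthenticated_webhooks(workflow):
    """Return one finding per Webhook node in the workflow that has no auth."""
    findings = []
    for node in workflow.get("nodes", []):
        if node.get("type") != WEBHOOK_NODE_TYPE:
            continue
        params = node.get("parameters", {})
        if params.get("authentication", "none") == "none":
            findings.append({
                "workflow": workflow.get("name", "<unnamed>"),
                "active": bool(workflow.get("active", False)),
                "node": node.get("name", "<unnamed>"),
                "path": params.get("path", ""),
                "method": params.get("httpMethod", "GET"),
            })
    return findings


def audit(workflows):
    """Findings across all workflows, active (internet-reachable) ones first."""
    findings = []
    for wf in workflows:
        findings.extend(find_unauthenticated_webhooks(wf))
    return sorted(findings, key=lambda f: not f["active"])


# Constructed sample export: one live workflow with an open webhook,
# one inactive workflow whose webhook requires a header credential.
SAMPLE_EXPORT = json.loads("""
[
  {"name": "Lead intake", "active": true,
   "nodes": [
     {"name": "Webhook", "type": "n8n-nodes-base.webhook",
      "parameters": {"path": "lead", "httpMethod": "POST"}},
     {"name": "Set", "type": "n8n-nodes-base.set", "parameters": {}}
   ]},
  {"name": "Ops alerts", "active": false,
   "nodes": [
     {"name": "Webhook", "type": "n8n-nodes-base.webhook",
      "parameters": {"path": "alert", "httpMethod": "POST",
                     "authentication": "headerAuth"}}
   ]}
]
""")

if __name__ == "__main__":
    for v in ("1.123.16", "1.123.17", "2.4.9", "2.5.2"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    for f in audit(SAMPLE_EXPORT):
        state = "LIVE" if f["active"] else "inactive"
        print(f"[{state}] {f['workflow']} / {f['node']}: "
              f"{f['method']} /webhook/{f['path']} has no authentication")
```

Feed `audit()` the JSON you get from exporting all workflows and treat every "LIVE" finding as an endpoint to disable or put behind authentication until the instance is upgraded; the version check is deliberately per release line, because a 1.x instance is not fixed merely by being numerically above 1.123.17 if it is still on 1.123.16, and a 2.x instance below 2.5.2 is vulnerable even though "2" is greater than "1".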