n8n Sandbox Escape: A Critical Reminder That Patches Need Patches
CVE-2026-25049 (CVSS 9.4) bypasses the fix for CVE-2025-68613 using JavaScript destructuring tricks. Authenticated users can escape the n8n expression sandbox and achieve RCE via webhook-triggered workflows. Four additional CVEs were disclosed alongside it.
Remember that critical n8n vulnerability from December? The one with the 9.9 CVSS score that let attackers break out of the expression sandbox and run system commands? Yeah, the patch didn't quite stick.
CVE-2026-25049 landed this week with a CVSS score of 9.4, and it's essentially the same bug wearing a different hat. Security researchers found that the original fix for CVE-2025-68613 could be bypassed using some clever JavaScript destructuring tricks that exploit the gap between TypeScript's compile-time type checking and JavaScript's runtime behavior: type annotations are erased when the code is compiled, so a function declared to take a string will happily receive whatever the request body deserialized to. In plain English: the sanitization function assumed it was getting strings, attackers sent it objects instead, and the security checks just... waved them through.
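To make that compile-time versus runtime gap concrete, here is an added illustration written for this piece. It is not n8n's code and does not reproduce the CVE-2026-25049 payload; the denylist, the function names `renderNaive` and `renderHardened`, and the request bodies are all constructed assumptions. It shows a check whose TypeScript signature promises a string being handed a JSON array instead, skipping the check, and still being coerced into the string that gets executed, next to a version that validates the runtime type first.

```typescript
// Illustrative example for this article only: NOT n8n's code and NOT the
// actual CVE-2026-25049 payload. It models the failure class described in
// the text: a check typed as taking a string is called at runtime with
// something else and lets it through.

// Hypothetical denylist of expression fragments a sandbox would refuse.
const FORBIDDEN = /\b(process|require|constructor|__proto__|globalThis)\b/;

// "Before": the annotation says `value` is a string, so the author only runs
// the regex on strings. TypeScript cannot complain at the call site because
// the value comes from JSON.parse(), which is typed `any`.
function renderNaive(value: string): string | null {
  if (typeof value === "string" && FORBIDDEN.test(value)) {
    return null; // blocked
  }
  // A non-string skips the regex entirely but is still coerced into the
  // template: `${["process.env"]}` stringifies to "process.env".
  return `{{ ${value} }}`;
}

// "After": validate the runtime type before anything else, then run the
// check on exactly the text that will be embedded.
function renderHardened(value: unknown): string | null {
  if (typeof value !== "string") {
    return null; // arrays, objects, numbers, null: reject, do not coerce
  }
  if (FORBIDDEN.test(value)) {
    return null;
  }
  return `{{ ${value} }}`;
}

// Constructed request bodies standing in for what a webhook or the
// workflow editor might POST. The second one is an array, not a string.
const BENIGN_BODY = '{"expr": "$json.customer.name"}';
const BYPASS_BODY = '{"expr": ["process.env.DB_PASSWORD"]}';

interface Outcome {
  naiveOnBenign: string | null;
  hardenedOnBenign: string | null;
  naiveOnBypass: string | null;
  hardenedOnBypass: string | null;
}

// Runs both checkers over both bodies so the difference is visible in one place.
function compare(): Outcome {
  const benign = JSON.parse(BENIGN_BODY).expr; // `any` at compile time, string at runtime
  const bypass = JSON.parse(BYPASS_BODY).expr; // `any` at compile time, array at runtime
  return {
    naiveOnBenign: renderNaive(benign),
    hardenedOnBenign: renderHardened(benign),
    naiveOnBypass: renderNaive(bypass),     // "{{ process.env.DB_PASSWORD }}": bypassed
    hardenedOnBypass: renderHardened(bypass), // null: rejected before coercion
  };
}

console.log(compare());
```

The takeaway is not that a better regex would have saved the day: a denylist on a code string is a weak control regardless of type checks. The point is that the `unknown` parameter forces the runtime check the `string` annotation only pretended to provide, and that the check must run on the exact value that will be embedded or evaluated, not on a value that will be transformed afterwards.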
The attack itself is embarrassingly simple. An authenticated user creates a workflow with a publicly accessible webhook (webhook endpoints can be configured with no authentication at all), drops a single line of malicious JavaScript into the workflow using destructuring syntax, and activates it. From that moment, anyone on the internet who hits that webhook can run commands on the n8n host with the privileges of the n8n process. Steal credentials, exfiltrate data, install backdoors: the whole menu is available.
"If you can create a workflow, you can own the server," noted Pillar Security's Eilon Cohen. That's not hyperbole. The vulnerability gives attackers access to API keys, cloud provider credentials, database passwords, OAuth tokens, and lets them pivot to connected cloud accounts. If you're running n8n with AI workflow integrations (which many organizations are), the credentials stored for those integrations are exposed as well.
But wait, there's more. Alongside CVE-2026-25049, n8n disclosed four additional security flaws this week. CVE-2026-25053 is another critical command injection bug, this time in the Git node. CVE-2026-25054 is a stored XSS vulnerability in the markdown rendering component that could lead to session hijacking. CVE-2026-25055 allows path traversal attacks through the SSH node. And CVE-2026-25056 hits the Merge node's SQL Query mode with arbitrary file write capabilities.
If you're running n8n, stop reading and go patch. Seriously. The fixed versions are 2.5.0 or 1.123.10 and later, depending on which vulnerability you're addressing. If you absolutely cannot patch immediately, treat workflow creation as a code-execution privilege and restrict it to your most trusted users, require authentication on webhook endpoints, and run n8n in an isolated environment as an unprivileged OS user with restricted network egress. Once you have patched, audit existing workflows for webhook triggers you don't recognize, and if you find any, rotate every credential stored in that n8n instance.
The broader lesson here is one security teams know but organizations keep forgetting: one layer of validation isn't enough. TypeScript's type system looks bulletproof, but its annotations are erased at compile time; they constrain what your own code passes around, not what arrives over the network. Sanitization functions that work perfectly against expected inputs crumble when someone sends something unexpected. Defense in depth isn't a buzzword. It's why your production servers aren't currently mining cryptocurrency.