Six more vulnerabilities have been discovered in the n8n workflow platform used for building LLM-powered agents to connect business processes. Four of the six are rated as critical, carrying CVSS severity scores of 9.4.

“These vulnerabilities span multiple attack classes, from remote code execution and command injection to arbitrary file access and cross-site scripting, all targeting a platform that is frequently deployed with access to secrets, credentials, internal APIs, and business-critical logic,” noted Amit Genkin, a security researcher at Israel-based cloud security provider Upwind, who blogged about the vulnerabilities this week.

Johannes Ullrich, dean of research at the SANS Institute, said the vulnerabilities affect how n8n sandboxes the processes created by different users, and how the host is protected from users with access to n8n.

“This is less of an issue for a single-user system,” he said in an email, “but n8n is often installed in shared environments. Given the number and severity of the vulnerabilities, it is fair to assume that this is more or less just the ‘tip of the iceberg’. At this point, multi-user n8n deployments should be treated with care.”

The discovery is the second major revelation of issues in the n8n platform this year. Four weeks ago, researchers at Cyera published details of a critical vulnerability, after it had been patched, that would allow unauthenticated attackers to completely take over n8n deployments.

Also last month, it was learned that threat actors are targeting n8n by planting malicious packages on the npm registry that claim to be legitimate n8n add-ons.

CSOs with n8n in their environments and developers using the platform should update to the latest version of the application to close the newly found holes.

The vulnerabilities are:

  • CVE-2026-21893, a command injection hole in the community edition of n8n. An unauthenticated user with administration permission could execute arbitrary system commands on the n8n host.
    “The risk is amplified by the trust typically placed in community extensions,” Upwind said in its commentary, “making this a high-impact attack path that directly bridges application-level functionality with host-level execution.”
    It carries a CVSS vulnerability score of 9.4;
  • CVE-2026-25049, which carries a CVSS score of 9.4. An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n.
    “Because workflow expressions are a core and commonly used feature in n8n, this flaw significantly lowers the barrier to exploitation and enables full compromise of the underlying host,” commented Upwind in its blog;
  • CVE-2026-25052, which carries a CVSS score of 9.4. A vulnerability in the file access controls allows authenticated users with permission to create or modify workflows to read sensitive files from the n8n host system. This can be exploited to obtain critical configuration data and user credentials, leading to complete account takeover of any user on the instance;
  • CVE-2026-25053, which carries a CVSS score of 9.4. This is a vulnerability in the Git node that allows execution of system commands or arbitrary file access;
  • CVE-2026-25051, a cross-site scripting vulnerability in the handling of webhook responses and related HTTP endpoints. It carries a CVSS score of 8.5.
    Under certain conditions, the n8n Content Security Policy (CSP) sandbox protection intended to isolate HTML responses may not be applied correctly. An authenticated user with permission to create or modify workflows could abuse this to execute malicious scripts with same-origin privileges when other users interact with the crafted workflow. This could lead to session hijacking and account takeover;
  • CVE-2025-61917, which carries a CVSS score of 7.7. This is an information disclosure vulnerability caused by unsafe buffer allocation in n8n task runners.

During an interview, Moshe Hassan, Upwind’s vice-president of research and innovation, estimated that 83% of his firm’s customers use the n8n platform. But, he added, less than 25% use it in production and/or may have it exposed to the web. The rest, he said, are testing it.

However, he said those who are evaluating the platform could be at risk if the users enter identity tokens for cloud platforms such as AWS and others as part of their testing. And the fact that large numbers of developers are testing the latest AI-related applications makes it hard for security pros to contain the blast radius of potential vulnerabilities in IT environments, he added.

Generally, to contain vulnerabilities, CSOs have to understand the business logic and data flow of any applications in their environments, Hassan noted. However, risk can be lowered through network segregation, he said, and in addition, engineering should be allowed to create sandboxes for thorough testing of applications before they go into production.
