Plattform
nodejs
Komponente
n8n
Behoben in
1.123.13
2.4.1
2.4.0
CVE-2026-25055 describes an Arbitrary File Access vulnerability within n8n, a workflow automation platform. This flaw allows unauthenticated attackers, possessing knowledge of existing workflows and unauthenticated file upload endpoints, to write files to unexpected locations on remote servers, potentially enabling remote code execution. Affected versions include those prior to 2.4.0 and 1.123.12; upgrading to a patched version is the recommended remediation.
The core of the vulnerability lies in n8n's SSH node, which handles file transfers to remote servers. When workflows process uploaded files and transfer them via this node, the metadata associated with those files is not properly validated. This lack of validation allows an attacker to manipulate the destination path, effectively writing files to arbitrary locations on the remote system. Successful exploitation hinges on the attacker's ability to identify workflows that utilize the SSH node for file transfers and to leverage unauthenticated file upload endpoints. The potential impact is severe, as writing arbitrary files to a remote system can lead to remote code execution, data corruption, or complete system compromise. This is particularly concerning in environments where n8n workflows are used to automate sensitive operations or interact with critical infrastructure.
CVE-2026-25055 was publicly disclosed on 2026-02-04. As of this writing, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog. Given the relatively recent disclosure and the lack of public exploits, the probability of active exploitation is currently considered low, but diligent monitoring is recommended.
Organizations utilizing n8n for workflow automation, particularly those involving file transfers to remote servers via the SSH node, are at risk. This includes businesses using n8n for data integration, cloud deployments, and automation pipelines. Specifically, those with legacy n8n installations or those who have not implemented robust access controls on their remote servers are at higher risk.
• nodejs / server: Monitor n8n logs for unusual file creation events or errors related to the SSH node. Use lsof or ss to identify processes accessing remote servers via SSH.
lsof -i :25 | grep n8n• generic web: Check n8n configuration files for insecure file transfer settings. Review access logs for suspicious file upload requests.
grep -i "ssh" /etc/n8n/config.yamldisclosure
Exploit-Status
EPSS
0.12% (31% Perzentil)
CISA SSVC
The primary mitigation for CVE-2026-25055 is to upgrade n8n to version 2.4.0 or 1.123.12 or later. These versions include fixes that properly validate file metadata during SSH transfers, preventing attackers from manipulating the destination path. If an immediate upgrade is not feasible, consider implementing temporary workarounds. These could include restricting access to file upload endpoints, implementing stricter file type validation within workflows, or utilizing a Web Application Firewall (WAF) to filter out malicious requests targeting the SSH node. Monitor n8n logs for unusual file access patterns or attempts to write files to unexpected locations. After upgrading, confirm the fix by attempting to trigger a workflow that previously exhibited the vulnerability and verifying that file transfers are now correctly validated.
Actualice n8n a la versión 1.123.12 o superior, o a la versión 2.4.0 o superior. Esto corrige la vulnerabilidad de escritura arbitraria de archivos a través del nodo SSH. Asegúrese de validar la metadata de los archivos subidos antes de transferirlos a servidores remotos.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-25055 is a HIGH severity vulnerability in n8n allowing unauthenticated attackers to write files to unintended locations on remote servers, potentially leading to remote code execution. It affects versions before 2.4.0 and 1.123.12.
You are affected if you are using n8n versions prior to 2.4.0 or 1.123.12 and have workflows that process uploaded files and transfer them to remote servers via the SSH node.
Upgrade n8n to version 2.4.0 or 1.123.12 or later. As a temporary workaround, disable the SSH node in your workflows.
There is currently no public evidence of CVE-2026-25055 being actively exploited.
Refer to the official n8n security advisory for CVE-2026-25055 on the n8n website or GitHub repository.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.