Platform: nodejs
Component: n8n
Fixed in: 1.123.13, 2.4.1, 2.4.0
CVE-2026-25055 describes an Arbitrary File Access vulnerability within n8n, a workflow automation platform. This flaw allows unauthenticated attackers, possessing knowledge of existing workflows and unauthenticated file upload endpoints, to write files to unexpected locations on remote servers, potentially enabling remote code execution. Affected versions include those prior to 2.4.0 and 1.123.12; upgrading to a patched version is the recommended remediation.
The core impact of CVE-2026-25055 lies in the potential for remote code execution (RCE) on remote servers. This occurs because workflows that process uploaded files and transfer them via the SSH node fail to properly validate file metadata. An attacker can craft malicious file uploads, leveraging this validation failure to dictate where the file is written on the remote system. Successful exploitation could allow an attacker to overwrite critical system files, install malware, or gain persistent access to the remote server. The blast radius extends to any remote server accessible through vulnerable n8n workflows, making this a significant risk for organizations relying on n8n for automation tasks involving file transfers.
CVE-2026-25055 was publicly disclosed on February 4, 2026. Exploitation requires prior knowledge of existing n8n workflows and unauthenticated file upload endpoints, which may limit immediate widespread exploitation. There is no indication that this vulnerability is being actively exploited at the time of writing, and it is not listed in the CISA KEV catalog. No public proof-of-concept (PoC) code is currently available, but the vulnerability's nature suggests that a PoC could be developed relatively easily.
Exploit Status
EPSS: 0.12% (31st percentile)
The primary mitigation for CVE-2026-25055 is upgrading n8n to version 2.4.0 or 1.123.12 or later. These versions include fixes to properly validate file metadata during file transfers. If an immediate upgrade is not feasible, consider temporarily disabling the SSH node within n8n workflows to prevent file transfers. Additionally, review existing workflows to identify any that handle uploaded files and ensure appropriate access controls are in place on the remote servers. Implement strict file access permissions on the remote servers to limit the impact of a potential write operation. After upgrading, confirm the fix by attempting a file transfer via the SSH node with a known malicious file and verifying that the file is not written to an unintended location.
Update n8n to version 1.123.12 or later, or to version 2.4.0 or later. This corrects the arbitrary file write vulnerability via the SSH node. Ensure you validate the metadata of uploaded files before transferring them to remote servers.
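The workflow review recommended above can be scripted against exported workflow JSON. The following is an added example, not n8n's code or part of the advisory: the node type strings, the `authentication`, `resource`, `operation` and `disabled` fields and the `connections` layout are assumptions about n8n's export format, and the sample workflow is constructed.

```javascript
// Added example: list unauthenticated entry nodes that can reach an enabled SSH
// file-upload node. Type strings, parameter names and layout are assumptions.
const ENTRY_TYPES = new Set(['n8n-nodes-base.webhook', 'n8n-nodes-base.formTrigger']);
const SSH_TYPE = 'n8n-nodes-base.ssh';
// Entry nodes with no authentication configured accept anonymous requests.
const isOpenEntry = (node) => {
  const auth = (node.parameters || {}).authentication;
  return ENTRY_TYPES.has(node.type) && (auth === undefined || auth === 'none');
};
// Conservative: any SSH "file" operation other than download counts as upload.
const isSshUpload = (node) => {
  const p = node.parameters || {};
  return node.type === SSH_TYPE && p.resource === 'file' && p.operation !== 'download';
};

// Breadth-first walk along "main" connections; disabled entry or SSH nodes
// are ignored, matching the interim workaround of disabling the SSH node.
function findExposedPaths(workflow) {
  const byName = new Map(workflow.nodes.map((n) => [n.name, n]));
  const conns = workflow.connections || {};
  const findings = [];
  for (const entry of workflow.nodes.filter((n) => !n.disabled && isOpenEntry(n))) {
    const seen = new Set([entry.name]);
    const queue = [entry.name];
    while (queue.length > 0) {
      for (const link of (conns[queue.shift()]?.main ?? []).flat()) {
        if (!link || seen.has(link.node)) continue;
        seen.add(link.node);
        queue.push(link.node);
        const target = byName.get(link.node);
        if (target && !target.disabled && isSshUpload(target)) {
          findings.push({ entry: entry.name, sshNode: target.name });
        }
      }
    }
  }
  return findings;
}

// Constructed sample export (not a real workflow); to() builds one link.
const to = (node) => ({ main: [[{ node, type: 'main', index: 0 }]] });
const sample = {
  nodes: [
    { name: 'Upload form', type: 'n8n-nodes-base.formTrigger', parameters: {} },
    { name: 'Rename', type: 'n8n-nodes-base.set', parameters: {} },
    { name: 'Push file', type: SSH_TYPE, parameters: { resource: 'file', operation: 'upload' } },
  ],
  connections: { 'Upload form': to('Rename'), Rename: to('Push file') },
};
console.log(findExposedPaths(sample));
```

Each finding names the entry node and the SSH node it reaches, which gives the list of workflows to prioritize for upgrade or for the interim workaround.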
CVE-2026-25055 is a HIGH severity vulnerability in n8n allowing unauthenticated attackers to write files to unintended locations on remote servers, potentially leading to remote code execution. It affects versions before 2.4.0 and 1.123.12.
You are affected if you are using n8n versions prior to 2.4.0 or 1.123.12 and have workflows that process uploaded files and transfer them to remote servers via the SSH node.
Upgrade n8n to version 2.4.0 or 1.123.12 or later. As a temporary workaround, disable the SSH node in your workflows.
There is currently no public evidence of CVE-2026-25055 being actively exploited.
Refer to the official n8n security advisory for CVE-2026-25055 on the n8n website or GitHub repository.