Advisory

Critical Sandbox Escapes in n8n AI Platform Enable Full Server Takeover

Take action: This is another critical and urgent flaw in n8n. Update your n8n instances to a fixed version (1.123.17 or 2.5.2, or later) ASAP and rotate the encryption key and all stored credentials. Since these flaws allow full server takeover, assume any credentials stored in an unpatched, exposed instance are already compromised.


Learn More

Another critical vulnerability has been reported in n8n, the widely used open-source workflow automation platform.

The latest flaw is tracked as GHSA-6cqr-8cfr-67f8 / CVE-2026-25049 (CVSS score 10.0). It is a bypass of the initial fix for CVE-2025-68613, a sandbox escape in which the platform's expression sanitizer failed to account for specific JavaScript syntax: attackers used template literals and arrow functions to get past the property blocklist and reach the global process object through the Error.prepareStackTrace hook.

The new vulnerability exists because the patched sanitizer only inspected property accesses (MemberExpression nodes) and ignored the arguments of function calls (CallExpression nodes). A blocked property name therefore went unchecked when it appeared as a string argument: by calling Object.defineProperty instead of assigning the property directly, attackers could still overwrite the sensitive hook and escape the sandbox. The result is full remote code execution even on systems that applied the first patch.
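The following is an added illustration, not code from n8n or from the Pillar Security write-up: a minimal blocklist sanitizer over an ESTree-style AST that, like the bypassed patch, checks only MemberExpression property names, placed beside a hardened walker that also inspects string literals in CallExpression arguments. The ASTs are hand-written for the example in place of a parser, and the blocklist entries and the $json expression are illustrative.

```javascript
// Added example (not n8n's code). Two sanitizers over hand-built ESTree-shaped
// ASTs: one that mirrors the bypassed behaviour (MemberExpression-only) and a
// hardened one that also looks at string literals in call arguments.

// Illustrative blocklist of property names the sandbox must never let an
// expression touch.
const BLOCKED = new Set(['prepareStackTrace', 'constructor', '__proto__', 'prototype']);

// Depth-first visit of every node (an object carrying a string `type`).
function walk(node, visit) {
  if (node === null || typeof node !== 'object') return;
  if (Array.isArray(node)) {
    node.forEach((child) => walk(child, visit));
    return;
  }
  if (typeof node.type === 'string') visit(node);
  for (const [key, value] of Object.entries(node)) {
    if (key !== 'type') walk(value, visit);
  }
}

// Statically known property name of a MemberExpression, or null for a[expr].
function memberPropertyName(node) {
  if (!node.computed) return node.property.name;                 // a.b
  if (node.property.type === 'Literal' && typeof node.property.value === 'string') {
    return node.property.value;                                  // a['b']
  }
  return null;                                                   // a[expr]: unknown
}

// Pre-bypass behaviour: only property accesses are checked, so a blocked name
// passed as a string argument to Object.defineProperty is never seen.
function sanitizeMembersOnly(ast) {
  const hits = new Set();
  walk(ast, (n) => {
    if (n.type !== 'MemberExpression') return;
    const name = memberPropertyName(n);
    if (name !== null && BLOCKED.has(name)) hits.add(name);
  });
  return [...hits];
}

// Hardened variant: flag blocked names wherever they occur as string literals
// (covers call arguments such as defineProperty / Reflect.set) and reject
// property access whose name cannot be determined statically.
function sanitizeAllNodes(ast) {
  const hits = new Set();
  walk(ast, (n) => {
    if (n.type === 'MemberExpression') {
      const name = memberPropertyName(n);
      if (name === null) hits.add('<dynamic property access>');
      else if (BLOCKED.has(name)) hits.add(name);
    } else if (n.type === 'Literal' && typeof n.value === 'string' && BLOCKED.has(n.value)) {
      hits.add(n.value);
    }
  });
  return [...hits];
}

// Constructed ASTs (ESTree shape, written by hand for this example).
const ident = (name) => ({ type: 'Identifier', name });
const member = (object, property, computed = false) =>
  ({ type: 'MemberExpression', computed, object, property });

// Error.prepareStackTrace = fn        (caught by the original patch)
const DIRECT_ASSIGNMENT = {
  type: 'AssignmentExpression', operator: '=',
  left: member(ident('Error'), ident('prepareStackTrace')),
  right: ident('fn'),
};

// Error['prepareStackTrace'] = fn     (computed access with a literal name)
const COMPUTED_ASSIGNMENT = {
  type: 'AssignmentExpression', operator: '=',
  left: member(ident('Error'), { type: 'Literal', value: 'prepareStackTrace' }, true),
  right: ident('fn'),
};

// Object.defineProperty(Error, 'prepareStackTrace', { value: fn })   (the bypass)
const VIA_DEFINE_PROPERTY = {
  type: 'CallExpression',
  callee: member(ident('Object'), ident('defineProperty')),
  arguments: [
    ident('Error'),
    { type: 'Literal', value: 'prepareStackTrace' },
    { type: 'ObjectExpression',
      properties: [{ type: 'Property', kind: 'init', key: ident('value'), value: ident('fn') }] },
  ],
};

// $json.name.toUpperCase()            (an ordinary expression that must stay allowed)
const BENIGN = {
  type: 'CallExpression',
  callee: member(member(ident('$json'), ident('name')), ident('toUpperCase')),
  arguments: [],
};

const SAMPLES = { DIRECT_ASSIGNMENT, COMPUTED_ASSIGNMENT, VIA_DEFINE_PROPERTY, BENIGN };
for (const [label, ast] of Object.entries(SAMPLES)) {
  console.log(label.padEnd(20), 'members-only:', sanitizeMembersOnly(ast),
              ' all-nodes:', sanitizeAllNodes(ast));
}
```

The members-only sanitizer flags both assignment forms but lets the defineProperty call through with an empty result, which is the gap the new CVE exploits; the all-nodes walker catches it because the blocked name is present as a literal argument. The hardened check is still a syntax denylist: an argument built at runtime ('prepare' + 'StackTrace') is a BinaryExpression and passes it, and the literal check can produce false positives on ordinary data. That is why a denylist over expression syntax should be treated as defence in depth, with the durable control being isolation of untrusted expression evaluation from the host realm.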

Successful exploitation gives the attacker complete access to the host filesystem and environment variables, including N8N_ENCRYPTION_KEY. With that key, the attacker can decrypt every stored credential: API keys for OpenAI, Anthropic and Azure OpenAI, cloud provider credentials for AWS and Azure, database passwords and OAuth tokens.

In multi-tenant cloud deployments, a single compromised tenant could potentially move laterally to shared infrastructure and other customers' data within the same Kubernetes cluster.

The vulnerabilities affect n8n versions prior to 1.123.17 and 2.x versions from 2.0.0 up to, but not including, 2.5.2.

Pillar Security researchers demonstrated that the attack requires no special permissions beyond the ability to create or edit a workflow.

Organizations should upgrade to n8n version 1.123.17 or 2.5.2 (or later) as soon as possible to resolve these flaws. After patching, administrators should rotate N8N_ENCRYPTION_KEY and all stored credentials, which must be considered compromised if an affected version was exposed.

Temporary mitigations are to restrict workflow creation and editing to fully trusted users and to deploy n8n in a hardened environment with limited network access.