CVE-2026-25052

n8n is an open source workflow automation platform. Prior to versions 1.123.18 and 2.5.0, a vulnerability in the file access controls allows authenticated users with permission to create or modify workflows to read sensitive files from the n8n host system. This can be exploited to obtain critical configuration data and user credentials, leading to complete account takeover of any user on the instance. This issue has been patched in versions 1.123.18 and 2.5.0.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/n8n-io/n8n/security/advisories/GHSA-gfvg-qv54-r4pc	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:n8n:n8n::::::node.js::*
	cpe:2.3:a:n8n:n8n::::::node.js::*

History

No history.

Information

Published : 2026-02-04 17:16

Updated : 2026-02-05 20:32

NVD link : CVE-2026-25052

Mitre link : CVE-2026-25052

CVE.ORG link : CVE-2026-25052

JSON object : View

Products Affected

n8n

n8n

CWE

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

NVD-CWE-Other

{"id": "CVE-2026-25052", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-04T17:16:23.113", "references": [{"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-gfvg-qv54-r4pc", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-367"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "n8n is an open source workflow automation platform. Prior to versions 1.123.18 and 2.5.0, a vulnerability in the file access controls allows authenticated users with permission to create or modify workflows to read sensitive files from the n8n host system. This can be exploited to obtain critical configuration data and user credentials, leading to complete account takeover of any user on the instance. This issue has been patched in versions 1.123.18 and 2.5.0."}, {"lang": "es", "value": "n8n es una plataforma de automatizaci\u00f3n de flujos de trabajo de c\u00f3digo abierto. Antes de las versiones 1.123.18 y 2.5.0, una vulnerabilidad en los controles de acceso a archivos permite a usuarios autenticados con permiso para crear o modificar flujos de trabajo leer archivos sensibles del sistema anfitri\u00f3n de n8n. Esto puede ser explotado para obtener datos de configuraci\u00f3n cr\u00edticos y credenciales de usuario, lo que lleva a una toma de control completa de la cuenta de cualquier usuario en la instancia. Este problema ha sido parcheado en las versiones 1.123.18 y 2.5.0."}], "lastModified": "2026-02-05T20:32:11.497", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "C1A36047-7403-4520-87D8-2E595FB23EE9", "versionEndExcluding": "1.123.18"}, {"criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "95E3F80B-2B36-4FF8-ACF7-59ED730DFBDB", "versionEndExcluding": "2.5.0", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}