The n8n workflow automation platform has been hit by a triple threat of remote code execution flaws, with three CVEs (CVE-2026-25053, CVE-2026-25056 and CVE-2026-25049) described as allowing authenticated attackers to fully take over the host server. CVSS scores peak at 9.4, and the flaws lie in the Git node, the Merge node, and the platform's expression evaluation engine, turning n8n's ability to execute complex logic into a serious liability.
The most recent flaw, CVE-2026-25053, targets the version control capabilities within the Git node and, per the advisory, “Vulnerabilities in the Git node allowed authenticated users with permission to create or modify workflows to execute arbitrary system commands or read arbitrary files on the n8n host.”

According to the advisory, CVE-2026-25056 affects the Merge node's SQL Query mode, enabling arbitrary file writes on the server and potentially leading to remote code execution, while CVE-2026-25049 involves the expression evaluation engine and could let an authenticated user abuse crafted expressions to execute arbitrary code.

Users are urged to upgrade to 2.5.0 or 1.123.10 for the Git node fix and to 2.4.0 or 1.118.0 for the Merge node fix. The drastic workaround is to limit workflow creation and editing permissions to fully trusted users, since every one of these flaws requires an authenticated account that can create or modify workflows.
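Because each fix shipped on two release lines (1.x and 2.x), a naive "is my version number bigger than the fixed one" check gives the wrong answer: 2.4.0 is numerically above 1.123.10 yet still lacks the Git node fix that only 2.5.0 carries. The following is an added example, not code from n8n or from the advisory, that compares an instance's version against the fixed releases the article names on the correct line. The fix version for CVE-2026-25049 is not given in the article, so the script deliberately does not assess it.

```python
# Added example (not n8n project code): decide whether an n8n version carries
# the Git node and Merge node fixes listed in the article. Fixes exist on two
# release lines (1.x and 2.x), so each check is done against the threshold for
# the version's own major line, never across lines.
import re

# Fixed versions as stated in the article, keyed by major release line.
# CVE-2026-25049 (expression engine) is omitted: its fix version is not given.
FIXED_VERSIONS = {
    "CVE-2026-25053 (Git node)":   {1: (1, 123, 10), 2: (2, 5, 0)},
    "CVE-2026-25056 (Merge node)": {1: (1, 118, 0),  2: (2, 4, 0)},
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def version_key(version: str):
    """Turn '1.123.10' or 'v2.5.0-rc1' into a sortable key.

    A pre-release such as 2.5.0-rc1 sorts *before* its final release 2.5.0,
    so the second element is 0 for pre-releases and 1 for final releases.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    return (core, 0 if m.group(4) else 1)


def is_patched(version: str, fixes: dict):
    """True if `version` is at or above the fixed release on its own major
    line, False if below it, None if that major line is not covered by the
    advisory data (e.g. a hypothetical 3.x line): treat None as 'consult the
    advisory', not as 'safe'."""
    key = version_key(version)
    major = key[0][0]
    fixed = fixes.get(major)
    if fixed is None:
        return None
    return key >= (fixed, 1)


def assess(version: str) -> dict:
    """Map each listed CVE to True (patched), False (vulnerable) or None."""
    return {cve: is_patched(version, fixes) for cve, fixes in FIXED_VERSIONS.items()}


if __name__ == "__main__":
    # Constructed sample versions covering both lines and a pre-release.
    for v in ("1.118.0", "1.123.10", "2.4.0", "2.5.0-rc1", "2.5.0"):
        print(f"{v:>10}: {assess(v)}")
```

The n8n version string itself is read from wherever the instance reports it (container image tag, package metadata or the admin UI); the script only does the comparison, and a `None` result should be treated as "not confirmed fixed".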