n8n Sandbox Escape CVE-2026-25049 Bypasses Prior Fix

Security researchers at Endor Labs disclosed a critical vulnerability in n8n that bypasses fixes for a previous sandbox escape flaw patched just two months ago. CVE-2026-25049 (CVSS 9.4) allows attackers to escape n8n's JavaScript sandbox and execute arbitrary system commands through malicious workflow configurations.

This is the third critical n8n vulnerability in three months. We covered CVE-2026-21858 ("Ni8mare") in January—a CVSS 10.0 unauthenticated RCE. n8n patched that in version 1.121.0. Then came CVE-2025-68613, a sandbox escape fixed in December. Now CVE-2026-25049 bypasses that December fix.

The pattern suggests n8n's sandbox architecture has fundamental design weaknesses that single patches aren't fully addressing.

How the Bypass Works

CVE-2025-68613 was patched by adding input sanitization to prevent malicious expressions from escaping the sandbox. The fix checked whether function parameters were strings before allowing execution.

CVE-2026-25049 bypasses this through type confusion. JavaScript's loose typing means attackers can pass objects that satisfy the string check while actually containing malicious payloads. Endor Labs' technical writeup explains that the sanitization function performed safety checks assuming the input was a string, but didn't verify the type at runtime.

An attacker creates a workflow containing an expression node with a carefully crafted payload. When n8n evaluates the expression, the type confusion allows the payload to escape the sandbox and execute commands on the underlying server.

Attack Requirements

Exploitation requires the ability to create or modify workflows on the target n8n instance. In multi-tenant environments or instances with registration enabled, this creates direct exposure. For locked-down deployments with strong authentication, the blast radius is smaller—but not zero.

The more concerning scenario involves supply chain attacks targeting n8n templates. Malicious workflow templates shared on community forums or imported from untrusted sources could contain the exploit payload, triggering execution when a legitimate admin imports and runs the workflow.

Patches and Mitigations

n8n addressed CVE-2026-25049 in version 2.5.2 by implementing proper runtime type checking. The updated sanitization function verifies that the property parameter is actually a string before proceeding with safety checks.

Organizations running n8n should:

1. Upgrade immediately to version 2.5.2 or later
2. Audit workflow imports - Review any templates imported from external sources
3. Restrict workflow creation - Limit who can create and modify workflows
4. Monitor execution logs - Watch for unusual command execution patterns

Broader Workflow Automation Risk

n8n isn't alone in facing these challenges. Workflow automation platforms that allow user-defined code or expressions inherently struggle with sandboxing. The same capabilities that make these tools powerful—integrating with external systems, running custom logic, processing arbitrary data—create security surface area.

The CVSS 9.4 rating reflects the severity: an attacker with workflow creation privileges can fully compromise the n8n server and potentially pivot to connected systems. Most n8n deployments integrate with databases, cloud services, and internal APIs—all accessible once the server is owned.

For organizations evaluating n8n or similar platforms, this incident reinforces the need for defense in depth: network segmentation limiting what the n8n server can reach, least-privilege credentials for integrations, and monitoring that catches unusual behavior even if the application layer is compromised.