Critical Vulnerability Found in n8n Allows Attackers to Fully Compromise Servers


Information:

   n8n is a workflow automation platform designed to improve productivity by connecting applications and systems to perform tasks automatically on behalf of users. It helps reduce repetitive work, manage data, and streamline workflows efficiently.

Incident:

  This vulnerability is tracked as CVE-2026-25049. Authenticated users with the ability to create or modify workflows can exploit this flaw to execute arbitrary commands on the server. The root cause lies in incomplete sanitization and insufficient AST-based sandboxing for JavaScript expressions, which allows attackers to bypass the previously patched vulnerability CVE-2025-68613. Several security researchers have already discovered exploitation techniques, and proof-of-concept exploits have been publicly released.

  Successful exploitation could result in severe consequences, including unauthorized command execution on the server, theft of stored credentials and API keys, access to system files and internal services, compromise of connected cloud accounts, and hijacking of AI workflows to intercept or manipulate data. In multi-tenant environments, the vulnerability may also enable attackers to access data belonging to other tenants.

Recommendation:

  n8n administrators are advised to upgrade to version 1.123.17 or 2.5.2 as soon as possible, rotate the N8N_ENCRYPTION_KEY and all stored credentials, and review workflows for any suspicious activity. If upgrading is not yet possible, access to creating and modifying workflows should be restricted to trusted users only, and n8n should be deployed in an environment with controlled system privileges and network access.
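
As an added example (not code from n8n or from this advisory), the JavaScript below triages n8n version strings against the two fixed releases named above. It assumes that 1.x releases below 1.123.17 and 2.x releases below 2.5.2 still need the upgrade; the inventory, hostnames and function names are constructed for illustration.

```javascript
// Added example: triage n8n versions against the fixed releases in the advisory.
// Assumption: 1.x below 1.123.17 and 2.x below 2.5.2 still need the upgrade.
const FIXED = { 1: [1, 123, 17], 2: [2, 5, 2] };

function parseVersion(text) {
  // Accepts "1.123.17", "v2.5.2" or "2.5.2-rc.1"; returns null when malformed.
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(text).trim());
  if (!m) return null;
  return {
    parts: [Number(m[1]), Number(m[2]), Number(m[3])],
    prerelease: Boolean(m[4]),
  };
}

function compareParts(a, b) {
  // Numeric comparison per component, so 2.10.0 sorts after 2.5.2.
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function triage(text) {
  const v = parseVersion(text);
  if (!v) return "unparseable";
  const fixed = FIXED[v.parts[0]];
  // Release lines the advisory does not mention are reported, not guessed at.
  if (!fixed) return "unknown-release-line";
  const cmp = compareParts(v.parts, fixed);
  // Assumption: a pre-release tag on the fixed version sorts before the release.
  if (cmp < 0 || (cmp === 0 && v.prerelease)) return "upgrade-required";
  return "patched";
}

function report(items) {
  return items.map(({ host, version }) => ({ host, version, status: triage(version) }));
}

// Constructed inventory; hostnames and versions are sample data.
const inventory = [
  { host: "automation-01", version: "1.123.16" },
  { host: "automation-02", version: "v1.123.17" },
  { host: "automation-03", version: "2.5.1" },
  { host: "automation-04", version: "2.10.0" },
  { host: "automation-05", version: "latest" },
];

console.table(report(inventory));
```

Hosts reported as `unparseable` or `unknown-release-line` need a manual check of the running version before they can be treated as patched.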

Security systems are important. We must stay attentive and keep monitoring as usual.

References:

- https://thehackernews.com/2026/02/critical-n8n-flaw-cve-2026-25049.html
- https://www.techtalkthai.com/critical-n8n-vulnerabilities-sandbox-escape-rce-server-takeover/
- https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8

Weekly Interesting CVE

| No. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS Severity Rating | Detail | Solution | Reference |
|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2026-20045 | 30/1/2026 | 30/1/2026 | Online Music Site | Privilege Escalation | 7.8 | A vulnerability affecting the TeamSpeak 3 Client. The flaw stems from insecure file permissions in the application's installation directory, which allow an unprivileged local attacker to replace legitimate executables with malicious binaries. If a user with higher privileges (or the system itself) executes the compromised file, the attacker can achieve code execution with SYSTEM or Administrator level access, effectively taking full control of the affected machine. | Update to version 3.6.0 or newer | https://www.vulncheck.com/advisories/teamspeak-insecure-file-permissions |
| 2 |  | 27/1/2026 | 27/1/2026 | Fortinet | Authentication Bypass | 9.4 | A critical authentication bypass vulnerability exists in the FortiCloud Single Sign-On (SSO) mechanism across multiple Fortinet products, including FortiOS, FortiManager, and FortiAnalyzer. This flaw allows an attacker who possesses a valid FortiCloud account and at least one registered device to exploit the SSO channel and log into devices belonging to other organizations, provided those target devices have FortiCloud SSO authentication enabled. By leveraging this alternate path, the attacker can bypass standard credential requirements and gain unauthorized access to the system. | Resolve this by upgrading to the following versions: FortiOS: 7.6.6+, 7.4.11+, 7.2.13+, and 7.0.19+; FortiProxy: 7.6.6+, 7.4.13+; FortiManager: 7.6.6+, 7.4.10+; FortiAnalyzer: 7.6.6+, 7.4.10+ | https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios |
| 3 | CVE-2026-21509 | 26/1/2026 | 26/1/2026 | Microsoft Office | Security Feature Bypass | 7.8 | The vulnerability is a silent bypass of ASLR defenses. By leaking precise memory addresses, it provides attackers with an exact "map" of the system's layout, removing the guesswork typically required for exploitation. This allows attackers to reliably chain this flaw with code execution or privilege escalation attacks, enabling them to compromise the system without causing crashes that would otherwise trigger security alerts. | Update to the latest version. | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509 |
| 4 | CVE-2026-23842 | 19/1/2026 | 26/1/2026 | ChatterBot | Denial of Service (DoS) | 7.5 | A vulnerability affecting the ChatterBot conversational dialog engine. The flaw resides in the library's database session management, specifically within the get_response() method: concurrent invocations of this method fail to properly release database sessions, leading to the rapid exhaustion of the underlying SQLAlchemy connection pool. This resource exhaustion causes persistent service unavailability for any application relying on ChatterBot for chat functionality, requiring a manual service restart to recover. | Update to version 1.2.11 or newer | https://github.com/gunthercox/ChatterBot/security/advisories/GHSA-v4w8-49pv-mf72 |
| 5 | CVE-2026-22844 | 20/1/2026 | 26/1/2026 | Zoom | Command Injection | 8.1 | A vulnerability affecting on-premise Zoom Node Multimedia Routers, typically used in Hybrid or Meeting Connector deployments. The vulnerability exists due to improper input validation of network protocol data, allowing an authenticated meeting participant to inject arbitrary operating system commands into the MMR service during a live session. Successful exploitation grants the attacker Remote Code Execution (RCE) on the underlying server hosting the Zoom Node, potentially allowing them to compromise the organization's private meeting infrastructure. Administrators are urged to update their Zoom Node modules immediately to mitigate this risk. | Update to version 4.8.2 or newer | https://www.zoom.com/en/trust/security-bulletin/zsb-26001 |


Malware News or Campaign IOC/IOA | EN

| No | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation |
|---|---|---|---|---|---|
| 1 | China-Linked Hackers Exploit VMware ESXi Zero-Days to Escape Virtual Machines | 09/01/2026 | Advanced Persistent Threat (APT), Zero-day Exploitation | Security researchers have discovered that hacker groups linked to China are exploiting zero-day vulnerabilities in VMware ESXi to attack enterprise servers. They start by exploiting outdated VPN devices to gain access to internal systems, then combine multiple vulnerabilities to perform a VM escape, allowing them to take over the hypervisor directly. This enables attackers to execute commands, scrape data from all VMs, and embed backdoors for long-term system control. Experts recommend that organizations urgently update patches, review logs, and strengthen server security measures. | Update your VMware ESXi and VPN devices to the latest versions immediately. Isolate and restrict access to the Management Network/ESXi Interface while enforcing MFA. Regularly monitor logs and anomalies, and use EDR/NDR to watch for advanced attacks. |

Ref: https://thehackernews.com/2026/01/chinese-linked-hackers-exploit-vmware.html

 

10 February 2026
