When the Sandbox Breaks: How n8n's CVSS 9.4 Flaw Exposes the Limits of Expression Evaluation: A Deep Dive
A single line of JavaScript can bypass five security layers in n8n's expression sandbox. The flaw — a bypass of a previous CVSS 9.9 fix — exposes fundamental challenges in securing platforms that evaluate user code.
From The Bit Baker Daily Briefing — February 8, 2026
Some bugs haunt you. The really bad ones? They come back wearing a different face. CVE-2026-25049 is that kind of vulnerability — a CVSS 9.4 sandbox escape in n8n that grants attackers arbitrary command execution on the host system. Worse, it's a direct bypass of CVE-2025-68613, the CVSS 9.9 flaw that was supposedly patched two months ago.
For those unfamiliar: n8n is an open-source workflow automation platform. Hundreds of thousands of organizations rely on it to wire services together, automate repetitive operations, and — with growing frequency — orchestrate entire AI agent pipelines. At its core, n8n evaluates user-supplied expressions through a JavaScript-based sandbox. Break that sandbox, and you own the server.
Security researcher Fatih Celik found both flaws. His assessment was blunt: the two vulnerabilities "could be considered the same vulnerability, as the second one is just a bypass for the initial fix." Same root weakness, different exploit path. The expression evaluation mechanism — the beating heart of n8n's workflow engine — can still be coerced into running arbitrary code outside its containment.
Why It Matters
This is not a story about one CVE. Not even close. Alongside CVE-2026-25049, n8n disclosed 11 additional security flaws, five of them critical at CVSS 9.4. The roster reads like a penetration tester's wish list: command injection via admin access, a time-of-check-time-of-use file access bug enabling account takeover, OS command injection in the Git node, arbitrary file write in the Merge node, and Python sandbox escape when task runners are active.
Think about what n8n touches in a typical enterprise. It's the connective tissue — plugged into databases, SaaS platforms, internal APIs, cloud infrastructure. An attacker who pops n8n doesn't just get a foothold on one box. They inherit the keys to everything that workflow engine is wired into. In many organizations, that means nearly the entire digital estate.
And then there's the AI dimension, which I think too few people are weighing seriously enough. n8n is fast becoming a go-to orchestration layer for AI agents — workflows that ingest external data, interact with LLMs, and take automated actions based on model outputs. These pipelines introduce attack surfaces that simply didn't exist twelve months ago. Compromising the orchestrator means compromising every decision the agents make downstream.
What's Under the Hood
The underlying flaw is almost elegant in its simplicity: a TypeScript/JavaScript type mismatch that collapses the entire defensive architecture. n8n built five distinct security layers around its sandbox — regex checks, AST (Abstract Syntax Tree) sanitization, a runtime validator, function sanitizer, and dangerous property removal. That's a serious investment in defense-in-depth. But TypeScript's compile-time guarantees don't survive the transition to runtime JavaScript. An attacker can feed non-string values — objects, arrays, symbols — where the sanitizers expect strings, and every single check falls over.
The actual exploit? It borders on insulting. As SecureLayer7 documented, "by adding a single line of JavaScript using destructuring syntax, the workflow can be abused to execute system-level commands." One line. The attacker crafts a workflow containing a public, unauthenticated webhook and buries a malicious expression that calls process.binding() to reach native OS functionality. Someone hits the webhook URL, the expression evaluates outside the sandbox with full process-level privileges, and it's game over.
That public webhook piece is the detail that turns this from a serious authenticated RCE into something far more dangerous. Any workflow exposing a public webhook becomes an internet-facing attack surface — no n8n credentials required. Just the URL.
The good news: patches exist in n8n versions 1.123.17 and 2.5.2. For shops that can't patch right away, the interim mitigations are simple to describe but painful to implement — lock down workflow creation and editing to fully trusted users only, and kill public webhooks entirely.
What to Watch
- Whether the new fix holds. The fact that CVE-2026-25049 is a bypass of CVE-2025-68613 raises the question: is there a CVE-2026-XXXXX waiting? Expression sandbox escapes in JavaScript are notoriously hard to fix completely because the language's dynamic nature works against containment.
- Impact on the AI agent ecosystem. n8n is increasingly used as orchestration layer for AI agents. If enterprise AI systems built on n8n were exposed to unauthenticated RCE, the implications extend beyond traditional automation into AI safety and data integrity.
- The broader pattern of workflow automation security. n8n isn't the only platform that evaluates user expressions. Zapier, Make, Power Automate, and similar tools face related challenges. This disclosure may prompt security audits across the category.