n8n Vulnerability Analysis: CVE-2025-68613, CVE-2026-21858, CVE-2026-25049
2026.02.11

✅ Report Title: n8n Vulnerability Analysis: CVE-2025-68613, CVE-2026-21858, CVE-2026-25049



✅ Executive Summary:


- S2W Threat Intelligence Center TALON analyzed the exploitation potential of, and mitigations for, three vulnerabilities selected from the issues recently disclosed in the workflow automation tool n8n: CVE-2025-68613, CVE-2026-21858 and CVE-2026-25049. This summary details the first two; the third is covered in the full report.



📌 About CVE-2025-68613


- This is a remote code execution (RCE) vulnerability caused by insufficient validation of expressions in n8n's expression evaluation system, the engine that evaluates the expressions workflow authors place in node parameters.


- Affected versions (n8n from 0.211.0 onward; the three upper bounds are the fixed releases on the 1.120, 1.121 and 1.122 lines, so an instance is safe once it is on 1.120.4+, 1.121.1+ or 1.122.0+):

  - 0.211.0 ≤ n8n < 1.120.4

  - 0.211.0 ≤ n8n < 1.121.1

  - 0.211.0 ≤ n8n < 1.122.0


- Root Cause

  - Insufficient validation of the `this` binding within n8n's expression evaluation system allows `this` inside an expression to be bound to the global object. From the global object an attacker-controlled expression can reach runtime facilities that the sandbox was meant to hide, bypassing the sandbox and executing arbitrary code on the n8n host.


- Attack Scenario

  - An external threat actor who has obtained account access (an account allowed to create or edit workflows) can place a crafted expression in a workflow, bypass the sandbox, and execute arbitrary code on the host when that workflow runs.
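The following is an added illustration of the root-cause class described above, not n8n's evaluator or any code from the S2W report: a JavaScript expression evaluator that compiles user expressions with `new Function`. In sloppy mode a function invoked without a receiver gets `this === globalThis`, which is exactly the binding the advisory says must not be reachable. The function names (`evaluateExpressionUnsafe`, `evaluateExpressionPinned`, `demo`) and the sample data item are assumptions made for this demonstration.

```javascript
// Added illustration (not n8n's code) of an expression evaluator whose `this`
// binding reaches the global object, beside a version that pins `this`.
// Function names and SAMPLE_DATA are assumptions made for this demo.

// Vulnerable pattern: the expression is compiled into a sloppy-mode function and
// invoked without a receiver, so inside the expression `this` is globalThis.
function evaluateExpressionUnsafe(expression, data) {
  const fn = new Function('data', 'return (' + expression + ');');
  return fn(data);
}

// Hardened pattern: the compiled body is strict (a missing receiver would stay
// undefined) and the receiver is pinned to a frozen, prototype-less object, so
// `this` offers an attacker nothing.
const INERT_THIS = Object.freeze(Object.create(null));
function evaluateExpressionPinned(expression, data) {
  const fn = new Function('data', '"use strict"; return (' + expression + ');');
  return fn.call(INERT_THIS, data);
}

// Constructed sample item, standing in for the data a workflow expression sees.
const SAMPLE_DATA = { customer: 'alice', amount: 42 };

// Shows what each evaluator lets an expression reach through `this`, and the
// caveat that pinning `this` alone does not make a sandbox.
function demo() {
  return {
    // sloppy evaluator: `this` is the global object
    unsafeThisIsGlobal: evaluateExpressionUnsafe('this === globalThis', SAMPLE_DATA),
    // pinned evaluator: `this` is the inert object (no prototype, no host objects)
    pinnedThisIsGlobal: evaluateExpressionPinned('this === globalThis', SAMPLE_DATA),
    pinnedThisHasNoProto: evaluateExpressionPinned('Object.getPrototypeOf(this) === null', SAMPLE_DATA),
    pinnedThisNoProcess: evaluateExpressionPinned('typeof this.process', SAMPLE_DATA),
    // legitimate expressions keep working
    legitimate: evaluateExpressionPinned('data.amount * 2', SAMPLE_DATA),
    // caveat: other roads to the global object remain (here via the data item's
    // prototype chain), so fixing `this` closes this bug, not the sandbox
    prototypeChainEscape: evaluateExpressionPinned(
      "data.constructor.constructor('return globalThis')() === globalThis", SAMPLE_DATA),
  };
}

console.log(demo());
```

The `prototypeChainEscape` entry is the practitioner's caveat: pinning `this` is the right fix for the bug class, but an evaluator that hands user expressions ordinary objects still exposes `Function` through `constructor.constructor`, so the real isolation boundary has to be elsewhere (a separate process or a purpose-built interpreter), and the mitigation of limiting who may author workflows stays relevant after patching.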



📌 About CVE-2026-21858


- This is an arbitrary file read vulnerability in the n8n Form Trigger node: the node does not validate the Content-Type header of file upload requests, which lets an attacker make the server read arbitrary files.


- Affected versions (fixed in 1.121.0):

  - 1.65.0 ≤ n8n < 1.121.0


- Root Cause

  - The Form Trigger node accepts a submission without checking that a request carrying file fields is multipart/form-data, the only encoding in which the upload parser itself writes the temporary file.

  - A body sent as application/json therefore passes through parseBody() unchanged and is fully trusted: the attacker-supplied file.filepath value reaches copyBinaryFile() without validation, so the node copies whatever server-side path was named into the workflow's binary data, yielding an arbitrary file read.


- Attack Scenario

  - A threat actor submits an application/json request to the form endpoint with a `files` object whose `filepath` value names a file on the server, and the node reads that file for them.

  - Chaining this with CVE-2025-68613 subsequently makes RCE possible.



✅ Recommended Threat Detection and Mitigation Actions:


- Instances running a vulnerable version of n8n should be updated to a fixed release: 1.120.4, 1.121.1 or 1.122.0 and later for CVE-2025-68613, and 1.121.0 and later for CVE-2026-21858. Updating to the latest version covers both.


- If updating is not possible, it is recommended to implement the following mitigation measures.


CVE-2025-68613

- Grant workflow creation and editing permissions only to trusted users; the vulnerability requires an account that can author expressions.

- Run n8n with restricted operating system privileges (an unprivileged service account, ideally inside a container) and with limited inbound and outbound network access, so that code executed through a malicious expression gains as little as possible.


CVE-2026-21858

- Remove form fields of Field Type: File from the Form Fields of every Form Trigger node, so that no file upload path is exposed on the form endpoint.

- Restrict network access to the form endpoints and strengthen authentication on them.




🧑‍💻 Author: S2W TALON


👉 Contact us: https://s2w.inc/en/contact


*The full report is available upon request or with a subscription to the S2W platform.

