Skip to main content

n8n CVE-2025-71380

| EUVDEUVD-2025-210426 HIGH
Improper Access Control (CWE-284)
2026-07-04 VulnCheck GHSA-38pj-jv2x-mgcw
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-reachable web UI (AV:N), trivial abuse of a documented node (AC:L), requires an authenticated editing user (PR:L), no scope change to other systems (S:U), full host CIA impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 04, 2026 - 02:26 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 npm packages depend on n8n-nodes-base (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.113.0.

DescriptionCVE.org

The Execute Command node in n8n allows authenticated users to execute arbitrary commands on the host system where n8n runs. Attackers with user access or compromised credentials can exploit this node to run malicious commands, potentially leading to data exfiltration, service disruption, or complete system compromise.

AnalysisAI

Arbitrary command execution in the n8n workflow automation platform lets authenticated users abuse the built-in Execute Command node to run OS commands directly on the host running n8n. Any user with workflow-editing access or stolen credentials can leverage this by-design node to exfiltrate data, disrupt the service, or fully compromise the underlying host, and CWE-284 (Improper Access Control) reflects that command execution is not restricted to trusted operators. Reported by VulnCheck; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Technical ContextAI

n8n is a source-available workflow-automation/orchestration tool (fair-code licensed) commonly self-hosted to connect APIs and services. The Execute Command node is a native node that shells out to the underlying operating system, so any workflow that can include this node inherits the full privileges of the n8n process (frequently a container or service account with broad filesystem and network reach). The root cause is CWE-284 (Improper Access Control): the ability to invoke this powerful node is granted to ordinary authenticated users rather than being gated behind a stricter privilege or disabled by policy, turning intended functionality into a privilege-escalation-to-host primitive. The single CPE, cpe:2.3:a:n8n:n8n:*:*:*:*:*:*:*:*, indicates all versions are considered in scope absent an explicit fixed version.

RemediationAI

No vendor-released patch version was identified in the provided data, so review the n8n GitHub Security Advisory GHSA-365g-vjw2-grx8 (https://github.com/n8n-io/n8n/security/advisories/GHSA-365g-vjw2-grx8) and the VulnCheck advisory (https://www.vulncheck.com/advisories/n8n-arbitrary-command-execution-via-execute-command-node) for the fixed release and upgrade to it once available. As the primary compensating control, disable the Execute Command node entirely by setting the environment variable NODES_EXCLUDE to include '@n8n/n8n-nodes-base.executeCommand' (side effect: any legitimate workflows relying on shell execution will break and must be re-architected). Additionally, restrict who can create or edit workflows using n8n's RBAC/user-management so only fully trusted operators hold that privilege, enforce strong credential hygiene and MFA to reduce account-takeover risk, and run n8n as an unprivileged user inside a hardened, network-segmented container so that command execution cannot readily reach sensitive data or lateral targets (trade-off: tighter isolation and reduced node availability may limit automation flexibility).

More in N8n

View all
CVE-2026-21877 CRITICAL POC
9.9 Jan 08

n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with

CVE-2026-21858 CRITICAL POC
10.0 Jan 08

n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical

CVE-2026-1470 CRITICAL POC
9.9 Jan 27

n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through craft

CVE-2026-33660 CRITICAL POC
9.4 Mar 25

An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit

CVE-2026-33665 HIGH POC
8.8 Mar 25

Authenticated n8n users can hijack administrator accounts when LDAP authentication is enabled by manipulating their LDAP

CVE-2023-27563 HIGH POC
8.8 May 10

The n8n package 0.218.0 for Node.js allows Escalation of Privileges. Rated high severity (CVSS 8.8), this vulnerability

CVE-2026-0863 HIGH POC
8.5 Jan 18

Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox

CVE-2023-27564 HIGH POC
7.5 May 10

The n8n package 0.218.0 for Node.js allows Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is

CVE-2023-27562 MEDIUM POC
6.5 May 10

The n8n package 0.218.0 for Node.js allows Directory Traversal. Rated medium severity (CVSS 6.5), this vulnerability is

CVE-2026-33724 MEDIUM POC
6.3 Mar 25

n8n versions prior to 2.5.0 contain a critical SSH host key verification bypass in the Source Control feature that allow

CVE-2026-33720 MEDIUM POC
6.3 Mar 25

This vulnerability in n8n (an open-source workflow automation platform) is an authentication bypass in the OAuth callbac

CVE-2026-27577 CRITICAL
9.9 Feb 25

Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path throu

Share

CVE-2025-71380 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy