The Pattern
The n8n workflow automation platform is dealing with its third critical vulnerability disclosure in two months. On February 4, security firm Pillar Security disclosed two sandbox escape vulnerabilities (CVE-2026-25049, CVSS 9.4) that bypass the patch n8n shipped in December 2025 for CVE-2025-68613. An authenticated user with permission to create or edit workflows can use them to execute arbitrary commands on the host.
The timing matters. This follows January's "ni8mare" vulnerability (CVE-2026-21858, CVSS 10.0), which allowed unauthenticated remote code execution and was actively exploited. Three critical flaws in eight weeks, two of them in the same expression sandbox, suggest a pattern rather than an anomaly.
The Exposure
n8n powers hundreds of thousands of enterprise automation workflows globally, handling credentials for OpenAI, Anthropic, AWS, and other critical services. "If you can create a workflow in n8n, you can own the server," said Eilon Cohen from Pillar Security. The platform's role in AI pipelines makes compromised instances particularly valuable: attackers gain access to API keys, can modify AI interactions in real time, and maintain persistence while workflows continue functioning normally.
For n8n Cloud users, the multi-tenant architecture adds a further risk: successful exploitation by a single malicious user could expose other customers' data.
What This Means in Practice
Public exploits are available. Self-hosted and cloud instances remain vulnerable until upgraded to version 2.4.0 or later. The attack requires an authenticated account, but the permission to create workflows is routinely granted to ordinary users in enterprise deployments, so authentication is a weak barrier here.
The fix-bypass-fix cycle raises questions about the sandbox architecture. The December patch evidently did not address the underlying weakness in expression evaluation. Organizations running n8n now face:
- Immediate patching requirements (again)
- Credential rotation across all connected services
- Workflow audits to identify suspicious modifications
- Architectural decisions about self-hosted versus managed deployments
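As an added example (not code from the article, Pillar Security or the n8n project), the script below shows how the version check and the workflow audit from the list above can be done offline against exported workflow JSON. It assumes the export format produced by n8n's own `n8n export:workflow` command (each workflow carrying `name`, `updatedAt` and a `nodes` array whose entries have `type` and `parameters`), and the sample export, the review window and the token list are constructed for illustration: the tokens are a generic heuristic for JavaScript sandbox-escape attempts in `={{ ... }}` expressions, not a signature for any specific CVE.

```python
"""Offline audit of exported n8n workflows (illustrative example, not n8n tooling).

Assumptions, none of which come from the article:
  - input is the JSON list written by `n8n export:workflow --all --output=...`
  - every workflow has `name`, `updatedAt` (ISO 8601) and `nodes`
  - SUSPICIOUS_TOKENS is a heuristic watch-list, not a CVE signature
"""
import json
import re
from datetime import datetime, timezone

# Version the article names as the first release closing the sandbox bypass.
PATCHED_VERSION = (2, 4, 0)

# Heuristic (assumption): substrings that rarely appear in benign n8n
# expressions but do appear in JS prototype-chain escapes and command execution.
SUSPICIOUS_TOKENS = (
    "constructor", "__proto__", "prototype",
    "process.", "require(", "child_process", "eval(", "Function(",
)

# Node types whose parameters are code or shell commands by design; every one
# of them deserves a human look after a compromise window.
CODE_NODE_TYPES = {
    "n8n-nodes-base.code",
    "n8n-nodes-base.function",
    "n8n-nodes-base.functionItem",
    "n8n-nodes-base.executeCommand",
}

# Constructed review window: flag anything touched since the disclosure month.
REVIEW_WINDOW_START = datetime(2026, 2, 1, tzinfo=timezone.utc)


def parse_version(version):
    """'2.3.5' or '2.4.0-rc.1' -> (2, 3, 5) / (2, 4, 0); raises on garbage."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised n8n version string: {version!r}")
    return tuple(int(p) for p in m.groups())


def needs_patch(version):
    """True when the running n8n is older than the first fixed release."""
    return parse_version(version) < PATCHED_VERSION


def iter_strings(obj):
    """Yield every string value anywhere inside a nested JSON structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from iter_strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from iter_strings(value)


def audit_workflow(workflow, modified_since=REVIEW_WINDOW_START):
    """Return a list of human-readable findings for one exported workflow."""
    findings = []
    updated = datetime.fromisoformat(workflow["updatedAt"].replace("Z", "+00:00"))
    if updated >= modified_since:
        findings.append(f"modified at {workflow['updatedAt']} (within review window)")
    for node in workflow.get("nodes", []):
        if node.get("type") in CODE_NODE_TYPES:
            findings.append(f"node '{node['name']}' runs code ({node['type']})")
        for text in iter_strings(node.get("parameters", {})):
            # n8n stores expression parameters as strings starting with '='
            # and containing a {{ ... }} template.
            if text.startswith("=") and "{{" in text:
                hits = [tok for tok in SUSPICIOUS_TOKENS if tok in text]
                if hits:
                    findings.append(f"node '{node['name']}' expression contains {hits}")
    return findings


def audit_export(export_json, modified_since=REVIEW_WINDOW_START):
    """Map workflow name -> findings for a whole export file."""
    return {wf["name"]: audit_workflow(wf, modified_since) for wf in json.loads(export_json)}


# Constructed sample export: one benign workflow and one that should be flagged.
SAMPLE_EXPORT = json.dumps([
    {"name": "Daily digest", "updatedAt": "2026-01-20T09:00:00.000Z",
     "nodes": [{"name": "Set subject", "type": "n8n-nodes-base.set",
                "parameters": {"values": {"string": [
                    {"name": "subject",
                     "value": "=Digest for {{ $now.toFormat('yyyy-LL-dd') }}"}]}}}]},
    {"name": "Lead sync", "updatedAt": "2026-02-06T03:12:00.000Z",
     "nodes": [{"name": "Format name", "type": "n8n-nodes-base.set",
                "parameters": {"values": {"string": [
                    {"name": "x", "value": "={{ $json.name.constructor.prototype }}"}]}}},
               {"name": "Run", "type": "n8n-nodes-base.executeCommand",
                "parameters": {"command": "echo hi"}}]},
])

if __name__ == "__main__":
    print("needs patch (2.3.5):", needs_patch("2.3.5"))
    print(json.dumps(audit_export(SAMPLE_EXPORT), indent=2))
```

Run it against a real export (`n8n export:workflow --all --output=workflows.json`, then `audit_export(open("workflows.json").read())`) and treat every non-empty entry as a review item, not a verdict: the token list will flag legitimate expressions that mention `prototype`, and it will miss an attacker who rewrote a node to look benign, which is why the modification-time check and the credential rotation are listed alongside it.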
History suggests n8n's maintainers will patch quickly. The real question is whether the next disclosure is weeks or months away. For CTOs evaluating automation platforms, three critical flaws in eight weeks is data worth considering.