CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-25115: Snake in the Grass: Breaking n8n's Python Sandbox via Symlink Voodoo

Vulnerability ID: CVE-2026-25115
CVSS Score: 9.4
Published: 2026-02-04

A critical sandbox escape vulnerability in the n8n workflow automation platform allows authenticated users to execute arbitrary code on the host system. The flaw resides in the file path canonicalization logic of the Python Code node, specifically in its handling of files that do not yet exist. By exploiting a fallback mechanism that relies on string manipulation rather than filesystem validation, attackers can traverse directories via symlinks, effectively breaking out of the intended security boundaries. This turns a low-privilege workflow editor into a full system administrator.

TL;DR

Critical RCE in n8n versions < 2.4.8. The Python Code node's path validation logic fails when handling files that don't exist yet, allowing attackers to use symlinks to write files outside the sandbox. This leads to full host compromise.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-693
  • Attack Vector: Network (Authenticated)
  • CVSS Score: 9.4 (Critical)
  • Impact: Remote Code Execution (RCE) / Sandbox Escape
  • Patch Commit: 5c69970acc7d37049deae67da861f92d2aaa9b03
  • Exploit Status: PoC Available (Theoretical)

Affected Systems

  • n8n (Self-hosted)
  • n8n (Cloud)
  • n8n (Docker)
  • n8n (npm package)
  • n8n: < 2.4.8 (Fixed in: 2.4.8)

Code Analysis

Commit: 5c69970

fix(core): Resolve path properly when file does not exist

@@ -12,7 +12,9 @@
     } catch (error: unknown) {
         if (error instanceof Error && 'code' in error && error.code === 'ENOENT') {
-            return resolve(path.toString()) as ResolvedFilePath;
+            const pathStr = path.toString();
+            const dir = dirname(pathStr);
+            const resolvedDir = await fsRealpath(dir);
+            return join(resolvedDir, basename(pathStr)) as ResolvedFilePath;
         }
         throw error;
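Review bot: the new fallback can itself reject from inside the catch block: when the parent directory is also missing (a nested path whose directory does not exist yet), `await fsRealpath(dir)` throws its own ENOENT, and that second error propagates instead of reaching the `throw error` below, so the intended outcome for a missing parent should be made explicit and covered by a test, alongside a test for a parent that is a symlink to a directory outside the sandbox. Two related points for the caller: the sandbox boundary check must be applied to the value this function returns rather than to the original input, and because the parent is canonicalised once at resolve time, the check-then-use gap between this `fsRealpath` and the later file operation should be kept as short as possible.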

Exploit Details

  • Theoretical: standard symlink traversal via Python's os.symlink() and open()

Mitigation Strategies

  • Upgrade n8n to version 2.4.8 or later immediately.
  • Disable Python Code nodes via environment variables if patching is not feasible.
  • Run n8n in a strictly isolated container with minimal privileges and read-only root filesystems where possible.
  • Audit existing workflows for suspicious Python snippets using os.symlink.

Remediation Steps:

  1. Pull the latest docker image: docker pull n8nio/n8n:latest
  2. Restart the n8n container/service.
  3. Verify version in the bottom-left corner of the dashboard shows 2.4.8+.
  4. Check the execution_entity logs for any historical ENOENT errors that look suspicious.

References

Read the full report for CVE-2026-25115 on our website for more details including interactive diagrams and full exploit analysis.