Firewall Penetration Testing: Strengthen Your Network Security February 4, 2026 February 4, 2026 Authors: BugDazz AI Research Team Publication Date: February 04, 2026 Severity Rating: Critical (CVSS Score: 9.4) Vulnerability Status: Zero-day at time of discovery We discovered a critical vulnerability in n8n, a widely used workflow automation platform, that enables arbitrary command execution on the underlying server. The severity comes from how easily it can be exploited when combined with n8n’s public webhook feature, even without authentication. The attack requires minimal effort. An attacker creates a workflow with a publicly accessible webhook that has no authentication enabled. By adding a single line of JavaScript using destructuring syntax, the workflow can be abused to execute system-level commands. Once exposed, anyone on the internet can trigger the webhook and run commands remotely. The consequences are serious. Successful exploitation allows attackers to fully compromise the server, steal credentials, and exfiltrate sensitive data. It also creates opportunities for installing persistent backdoors, enabling long-term access without detection. Because n8n is often used for business-critical workflows, this vulnerability poses a significant risk to affected organizations. Table of Contents Toggle Executive Summary Before diving into exploitation mechanics and mitigation steps, it’s important to understand the basic profile of the vulnerability. Here is a brief snapshot: CVE ID: CVE-2026-25049 Severity: Critical (Remote Code Execution) Affected Versions: Versions prior to 1.123.17 and 2.5.2 Patched Versions: Versions 1.123.17 and 2.5.2 and later Attack Vector: Malicious JavaScript expression injection via workflow nodes, escalated through publicly exposed webhooks with no authentication Privileges Required: Low (authenticated workflow creation); None when combined with unauthenticated public webhooks User Interaction: None (exploitation can be triggered remotely via HTTP requests) Impact: Full remote code execution on the n8n server, leading to complete system compromise, credential theft, data exfiltration, and persistent backdoor installation Introduction Before diving into the vulnerability itself, it helps to understand what n8n is and why so many teams rely on it. At its core, n8n is an open-source workflow automation platform used by organizations worldwide to connect systems and automate everyday processes. Teams use it to integrate services like Slack, Google Sheets, Gmail, databases, webhooks, and AI tools, allowing data to move between systems and trigger actions without writing large amounts of custom code. n8n’s popularity comes from its flexibility and control. It is free, open source, and can be self-hosted, which means organizations keep ownership of their data. With over 1300 integrations available, n8n is often used to build internal tools and power business-critical workflows across teams. Why this vulnerability matters n8n often sits at the core of an organization’s automation and integration workflows. When a vulnerability affects this layer, the impact of a compromise is significantly amplified. Development teams widely use the platform to handle sensitive credentials such as API keys, database passwords, and OAuth tokens, giving it deep access to both internal and third-party services. In addition, n8n typically maintains network-level connectivity to internal systems, including databases, APIs, and core infrastructure running in live production environments. As a result, a compromise does not stop at the n8n instance itself. Once breached, attackers can pivot to connected services, tools, and APIs, dramatically expanding the attack surface and the potential blast radius. How We Detected This Vulnerability: The Journey So Far Our security team identified this vulnerability after more than four hours of intensive testing and over 150 failed attempts. This discovery was not immediate; it followed a long sequence of unsuccessful bypasses and detailed analysis. The investigation began with a previously patched n8n RCE and progressed through multiple failed exploitation paths. Eventually, this led to the discovery of a critical vulnerability that enables arbitrary code execution through a lesser-known and often overlooked JavaScript syntax pattern. Day 1: The Story Begins We were analyzing the CVE-2025-68613, a previous RCE vulnerability in n8n. This was patched in the version 1.120.4. The original exploit appeared like this: Here is how the fix was implemented: Added a “FunctionThisSanitizer” to bind ‘This’ to an empty object in regular functions This allowed to prevent access to `process.mainModule’ . Day 1: Evening (First Bypass) By the evening, our team noticed the sanitizer could only handle regular functions. It failed to handle arrow functions: ```javascript ={{(() => this.process)()}} Though this bypass worked, the result was limited. The response only exposed basic system m...