Serial number: AV26-091
Date: February 5, 2026
On February 4, 2026, n8n published security updates to address critical vulnerabilities in the following products:
- n8n (Merge Node) – versions prior to 1.118.0 and versions prior to 2.4.0
- n8n (Git Node) – versions prior to 1.123.10 and versions prior to 2.5.0
- n8n (SSH Node) – versions prior to 1.123.12 and versions prior to 2.4.0
- n8n (Workflow UI) – versions prior to 1.23.9 and versions prior to 2.2.1
- n8n – versions prior to 1.123.17 and versions prior to 2.5.2
The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary update.
- Expression Escape Vulnerability Leading to RCE - (CVE-2025-68613) (CVE-2026-25049)
- Arbitrary File Write leading to RCE in n8n Merge Node
- OS Command Injection in Git Node
- Arbitrary File Write on Remote Systems via SSH Node
- Stored Cross-Site Scripting via Markdown Rendering in Workflow UI
- n8n Security