CVE-2025-71380: Authenticated Remote Code Execution in n8n via Execute Command Node
CVE-2025-71380 is an improper access control vulnerability (CWE-284) in n8n versions up to and including 1.114.4 that allows authenticated users to execute arbitrary commands on the underlying host system where n8n runs, potentially leading to data exfiltration, service disruption, or complete system compromise.
CVE-2025-71380 describes a high-severity improper access control vulnerability (CWE-284) affecting n8n, an open-source workflow automation platform, specifically in versions up to and including 1.114.4. The vulnerability resides within the "Execute Command" node, a feature intended to allow workflows to run system commands. However, due to insufficient restrictions, any authenticated user can leverage this node to execute arbitrary commands on the host system where the n8n instance is running. This flaw grants attackers with existing user access or compromised credentials the ability to achieve remote code execution, which can lead to severe consequences, including full system compromise, sensitive data exfiltration, or denial of service through service disruption. The discovery and disclosure of this vulnerability underscore the critical importance of proper access controls in internal application functionalities.
Attack Chain
- An attacker obtains valid credentials for an n8n user account through various means, such as phishing, credential stuffing, or exploiting another vulnerability.
- The attacker logs into the compromised n8n instance using the legitimate, but compromised, user account.
- The attacker creates a new n8n workflow or modifies an existing one to include the "Execute Command" node.
- Within the "Execute Command" node's configuration, the attacker specifies malicious commands to be executed on the host operating system.
- The attacker then triggers the crafted workflow, either manually from the n8n interface or by configuring a scheduled or event-driven trigger.
- Upon execution, the n8n application, running on the host system, spawns child processes to execute the arbitrary commands provided by the attacker.
- These malicious commands then perform actions such as establishing persistence, escalating privileges, exfiltrating sensitive data, or deploying additional malware.
- The attacker achieves their final objective, which could be full system compromise, data theft, or disruption of services.
Impact
The successful exploitation of CVE-2025-71380 allows authenticated attackers to gain remote code execution on the underlying host system, regardless of the operating system (Windows, Linux, macOS). This can lead to a complete compromise of the n8n server and any data or systems it has access to. Potential impacts include unauthorized access to sensitive data stored on or accessible by the n8n instance, disruption of critical business processes automated by n8n, deployment of ransomware or other malicious payloads, and lateral movement within the compromised network. While no specific victim count is available, any organization utilizing vulnerable n8n versions with reachable administrative interfaces is at risk.
Recommendation
- Immediately update n8n to a patched version beyond 1.114.4 to remediate CVE-2025-71380 as per the official advisories in the references.
- Implement strict network segmentation for n8n instances, limiting access to trusted internal networks and specific administrative users.
- Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect unusual command execution by the n8n process.
- Ensure robust credential hygiene for all n8n user accounts, enforcing strong, unique passwords and multi-factor authentication.
Detection coverage 2
CVE-2025-71380: Suspicious Child Process by n8n (Windows)
highDetects CVE-2025-71380 exploitation — n8n application spawning suspicious shell or scripting interpreter processes on Windows, indicative of arbitrary command execution.
CVE-2025-71380: Suspicious Child Process by n8n (Linux)
highDetects CVE-2025-71380 exploitation — n8n application spawning suspicious shell or scripting interpreter processes on Linux, indicative of arbitrary command execution.
Detection queries are available on the platform. Get full rules →