A high-severity vulnerability has been identified in the n8n workflow automation platform, designated CVE-2025-52478 with a CVSS score of 8.7. This flaw could allow an authenticated attacker to execute arbitrary code on the server, potentially leading to a complete compromise of the platform, theft of sensitive data, and disruption of critical business processes. Organizations are urged to apply vendor-supplied security patches immediately to mitigate the significant risk of system takeover and data breach.

The vulnerability is a remote code execution (RCE) flaw within the n8n platform's workflow processing engine. An authenticated attacker with low-level privileges, such as the ability to create or edit a workflow, can craft a malicious workflow with specially designed input parameters. When this workflow is executed, it improperly sanitizes the input, allowing the attacker to inject and execute arbitrary commands on the underlying server operating system with the privileges of the n8n service account.

This vulnerability is rated as High severity with a CVSS score of 8.7. Successful exploitation could have a severe impact on the business. Since workflow automation platforms like n8n often handle sensitive data, API keys, and credentials for various integrated services, an attacker could exfiltrate this information, leading to a wider data breach across multiple systems. Furthermore, an attacker could manipulate or disable critical business workflows, causing significant operational disruption. The ability to execute code on the server also presents a risk of lateral movement, allowing the attacker to establish a persistent foothold within the corporate network.

Immediate Action: Apply the vendor-provided security updates across all affected n8n instances immediately. After patching, it is crucial to monitor for any signs of post-patch exploitation attempts and thoroughly review historical access and execution logs for any indicators of compromise that may have occurred prior to remediation.

Proactive Monitoring: Implement enhanced monitoring on n8n servers. Look for suspicious child processes being spawned by the n8n service, unexpected outbound network connections to unknown IP addresses, and anomalies in workflow execution logs that indicate malicious command injection attempts. Use file integrity monitoring to detect unauthorized changes to platform files.

Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the risk. These include restricting network access to the n8n management interface to trusted IP ranges, placing the service behind a Web Application Firewall (WAF) with rules designed to block command injection patterns, and enforcing the principle of least privilege for all user accounts on the platform.

Public Exploit Available: false

Given the high severity score (CVSS 8.7) and the critical function of workflow automation platforms, we strongly recommend that organizations prioritize the immediate application of the security patch for CVE-2025-52478. Although the vulnerability is not currently listed on the CISA KEV catalog and there is no known active exploitation, the low complexity of the attack means that threat actors are likely to develop exploits quickly. A failure to patch could expose the organization to significant risks, including data exfiltration, service disruption, and unauthorized network access.