High

n8n SSH Node Path Traversal to Arbitrary File Write

Identifiers: CVE-2026-25055, CWE-22 · Improper Limitation of a Pathname…

CVE-2026-25055 is a critical path traversal vulnerability in n8n affecting versions prior to 1.123.12 and 2.4.0. The issue occurs when workflows accept uploaded files, such as via unauthenticated webhook/file-upload endpoints, and then transfer those files to remote systems using the SSH node without validating file metadata. An attacker can supply traversal sequences such as ../ in metadata so that the SSH transfer writes the file to an unintended path on the remote SSH-accessible system rather than the expected destination. This creates an arbitrary file write primitive on the remote target and can be escalated to remote code execution depending on where files can be written, such as authorized_keys, cron.d, or systemd service locations.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to cause files handled by n8n workflows to be written to arbitrary locations on remote systems reachable through the vulnerable SSH node workflow. This can result in unauthorized modification of sensitive files on those remote hosts and may lead to remote code execution, for example by planting SSH authorized keys, cron jobs, or service definitions. The impact is therefore not limited to the n8n instance itself; it can extend to compromise of downstream remote systems that n8n is configured to access over SSH.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable or strictly restrict workflows that accept file uploads and forward them via the SSH node. Require authentication on all webhook or other upload endpoints that can feed such workflows, especially any internet-exposed endpoints. Limit which users can create or modify these workflows, reduce the privileges of SSH accounts used by n8n, and constrain writable paths on remote systems where possible. Review and rotate SSH credentials if there is any indication the vulnerability may have been exploited. These measures reduce exposure but do not fully remediate the flaw.

Remediation

Patch, then assume compromise.

Upgrade n8n to a fixed version: 1.123.12 or later on the 1.x branch, or 2.4.0 or later on the 2.x branch. Review workflows that process uploaded files and send them through the SSH node to ensure file metadata and destination paths are properly constrained. If compromise is suspected, inspect remote systems accessible via n8n SSH workflows for unauthorized file writes and rotate any SSH credentials used by affected workflows.
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor | Product | Type
N8n | N8n | application

Vendor-confirmed product mapping.
