Saved February 14, 2026
This article details a critical security flaw in n8n, an open-source workflow automation tool, that allowed attackers to execute arbitrary commands. It outlines how a prior security patch was bypassed due to a misunderstanding of TypeScript's type enforcement and highlights the implications for developers relying on such frameworks for security.
n8n, an open-source workflow automation tool, faced a significant security vulnerability known as CVE-2026-25049, with a CVSS score of 9.4. Discovered in February 2026, this flaw allowed attackers to execute arbitrary system commands on n8n servers. The vulnerability was especially alarming because it bypassed a security fix implemented only two months prior, which was designed to address a previous issue, CVE-2025-68613, involving expression injection due to inadequate sandboxing.
The earlier fix consisted of three layers: TypeScript type enforcement, runtime string sanitization, and expression syntax validation. The reliance on TypeScript types proved to be the critical flaw. TypeScript types vanish at runtime, so non-string values were never subjected to the sanitization written for strings. An attacker could exploit this by sending an object instead of a string, effectively bypassing all three layers. Using JavaScript destructuring, they could execute malicious code that reached the Node.js process and ran system commands without needing authentication or authorization, taking full advantage of n8n's architecture.
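The core lesson of the paragraph above is that a `string` annotation in TypeScript is erased by compilation and so cannot serve as an input check. The following JavaScript is an added illustration written for this summary; it is not n8n's code and does not reproduce the actual vulnerable logic. It contrasts a hypothetical sanitizer that trusts its compile-time type with one that checks the runtime type explicitly, and feeds both the same constructed JSON request bodies. All function names, the character allowlist, and the sample bodies are assumptions made for the example.

```javascript
// Added illustration (not n8n's code): why a TypeScript `string` annotation
// is not a runtime guard, and what an explicit runtime check looks like.
// Every function and sample value here is constructed and hypothetical.

const DISALLOWED = /[^A-Za-z0-9_.\s]/g; // hypothetical allowlist: strip anything else

// Pattern the article warns about: a sanitizer written against a parameter
// typed `value: string`. TypeScript checks that at compile time only; the
// compiled JavaScript below is what runs, and nothing in it stops a caller
// (or a parsed JSON body) from supplying an object.
function sanitizeTypeReliant(value /* : string in the TypeScript source */) {
  if (typeof value !== 'string') {
    // "Cannot happen according to the types" - so the value passes untouched.
    return value;
  }
  return value.replace(DISALLOWED, '');
}

// Hardened boundary: check the runtime type and reject everything else.
// No coercion via String(value): objects and String wrapper objects carry
// their own toString(), so coercing would hand control back to the caller.
function sanitizeWithRuntimeCheck(value) {
  if (typeof value !== 'string') {
    throw new TypeError(`expected a primitive string, got ${describeType(value)}`);
  }
  return value.replace(DISALLOWED, '');
}

// Human-readable runtime type, used in the rejection message.
function describeType(value) {
  if (value === null) return 'null';
  if (Array.isArray(value)) return 'array';
  if (value instanceof String) return 'String wrapper object';
  return typeof value;
}

// Runs both sanitizers over one input and reports what each did.
function compare(value) {
  const permissive = sanitizeTypeReliant(value);
  let strict;
  try {
    strict = sanitizeWithRuntimeCheck(value);
  } catch (err) {
    strict = `rejected: ${err.message}`;
  }
  return {
    permissive,
    // true when the type-reliant path let a non-string through unchanged
    permissiveUnchangedNonString: typeof permissive !== 'string',
    strict,
  };
}

// Constructed request bodies: the same field carried as a string, an object,
// an array and a number. JSON.parse() preserves the JSON type, so the
// non-string variants reach the sanitizer as-is whatever the signature says.
const SAMPLE_BODIES = {
  stringField: '{"expression": "user.name"}',
  objectField: '{"expression": {"nested": "value"}}',
  arrayField: '{"expression": ["user.name"]}',
  numberField: '{"expression": 42}',
};

// Parses a raw JSON body and pushes its `expression` field through both paths.
function sanitizeRequestField(rawJsonBody) {
  const body = JSON.parse(rawJsonBody);
  return compare(body.expression);
}

for (const [label, raw] of Object.entries(SAMPLE_BODIES)) {
  console.log(label, sanitizeRequestField(raw));
}
```

Running it shows the string body sanitized identically by both paths, while the object, array and number bodies slip through `sanitizeTypeReliant` unchanged and are rejected with a typed error by `sanitizeWithRuntimeCheck`. The runtime check is the layer that survives compilation; the annotation is documentation for the compiler and nothing more.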
The exploit demonstrates a fundamental misunderstanding in the security architecture, where the assumption that all inputs would be strings allowed for a straightforward bypass of the security layers. The implications extend beyond n8n, serving as a cautionary tale for developers about the limitations of type enforcement and the importance of robust runtime validation.