Saved February 14, 2026
Do you care about this?
Multiple critical flaws in the n8n open-source workflow platform allow authenticated users to execute arbitrary code on the server. Despite a fix being released, researchers found a bypass that could lead to complete control over n8n instances, exposing sensitive data and connected accounts. Users are urged to update to the latest version and review their workflows for security.
If you do, here's more
Multiple critical vulnerabilities have been disclosed in n8n, an open-source workflow automation platform, allowing authenticated users to execute arbitrary code on the server. These vulnerabilities, collectively identified as CVE-2026-25049, enable attackers to escape the platform's sandbox and gain complete control over the host machine. This could lead to the theft of sensitive information, including API keys and configuration files, and even allow access to internal systems and connected cloud accounts.
The issues arise from a weak sanitization mechanism that fails to enforce type checks at runtime, leading to a type-confusion vulnerability. Researchers from Pillar Security demonstrated that exploiting this flaw requires minimal skills: any user capable of creating a workflow can potentially compromise the server. Despite a fix released shortly after the vulnerabilities were identified, further analysis revealed that the patch was incomplete, necessitating additional updates. n8n developers eventually released a comprehensive fix in version 2.4.0 on January 12, 2026.
Security firms have also noted increased malicious activity targeting n8n, particularly related to another vulnerability called Ni8mare (CVE-2026-21858). GreyNoise reported over 33,000 requests aimed at exposed n8n endpoints within a week, indicating that attackers are probing for weaknesses. To mitigate risks, n8n users are advised to update to the latest versions and rotate encryption keys, while administrators can limit workflow permissions and deploy the platform in a more secure environment as a temporary measure.