n8n Node.js Package < 1.123.17 / 2.x < 2.5.2 Expression Escape Leading to RCE (CVE-2026-25049)

Version 1.2

Feb 17, 2026, 12:54 AM

CVSS metrics ("Cvssv4 threat score" set to 9.4)
CVSS metrics ("Cvssv4 threat vector" set to "CVSS:4.0/E:P")
CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C")
CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C")
Exploit attributes ("Exploit available" set to "True")
Exploit attributes ("Exploitability ease" set to "Exploits are available")