Introduction
Attackers can execute arbitrary code on n8n servers by abusing a workflow automation feature that interacts with git repositories. This vulnerability has direct implications for the security of credentials, workflow logic, and any third-party integrations managed by n8n. Organizations using n8n for process automation in cloud or self-hosted environments should review their deployment immediately.
n8n is an open-source workflow automation platform with over 400 integrations and a rapidly growing user base. It is widely adopted by technical teams for automating business processes, data flows, and integrations with cloud and SaaS services. The platform supports both managed (cloud) and self-hosted deployments, making it relevant for a broad range of organizations.
Technical Information
CVE-2025-62726 is a remote code execution vulnerability in the Git Node component of n8n. The Git Node allows users to perform git operations such as clone, commit, and push as part of workflow automations. The vulnerability arises when a user clones a remote repository that contains a malicious pre-commit hook in its .git/hooks directory. If the workflow subsequently performs a commit operation using the Git Node, the malicious pre-commit hook is executed with the privileges of the n8n process.
The root cause is insufficient isolation of git hook execution within the n8n environment. When cloning a repository, all files including hooks are copied. During a commit, git automatically executes any present pre-commit hook. In the context of n8n, this means attacker-controlled code can run inside the workflow automation environment, potentially accessing credentials, modifying workflows, or interacting with integrated systems. The vulnerability is classified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).
No public code snippets are available for this vulnerability, but the issue is confirmed and addressed in n8n version 1.113.0.
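For defenders checking repositories that a Git Node workflow has already cloned, the following added example (not code from n8n or from the advisory) lists the hooks git would treat as active and reports any repo-local core.hooksPath override. It assumes POSIX file modes; the function names and the sample repository layout are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Hooks git runs as part of `git commit`.
COMMIT_HOOKS = {"pre-commit", "prepare-commit-msg", "commit-msg", "post-commit"}


def configured_hooks_path(config_file: Path):
    """Return core.hooksPath from a repo-local config, else None (simplified parser)."""
    text = config_file.read_text(errors="replace") if config_file.is_file() else ""
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "core" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "hookspath":
                return value.strip()
    return None


def audit_repo(repo: Path) -> dict:
    """Report .git/hooks entries git would run: executable and not *.sample."""
    hooks_dir = repo / ".git" / "hooks"
    entries = sorted(hooks_dir.iterdir()) if hooks_dir.is_dir() else []
    active = [e.name for e in entries if e.is_file()
              and not e.name.endswith(".sample") and e.stat().st_mode & 0o111]
    return {
        "active_hooks": active,
        "runs_on_commit": [h for h in active if h in COMMIT_HOOKS],
        "hooks_path": configured_hooks_path(repo / ".git" / "config"),
    }


def build_sample_repo(root: Path) -> Path:
    """Constructed sample layout with harmless hook bodies; not a real clone."""
    hooks = root / ".git" / "hooks"
    hooks.mkdir(parents=True)
    for name, mode in [("pre-commit", 0o755), ("commit-msg", 0o644),
                       ("pre-push.sample", 0o755), ("post-merge", 0o755)]:
        (hooks / name).write_text("#!/bin/sh\nexit 0\n")
        (hooks / name).chmod(mode)
    (root / ".git" / "config").write_text("[core]\n\tbare = false\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_repo(build_sample_repo(Path(tmp))))
```

A non-empty runs_on_commit list, or a hooks_path value pointing somewhere unexpected, marks a repository to review before any workflow commits to it. The parser reads only the repository's own config file, so global or system git configuration needs a separate check.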
Affected Systems and Versions
- Product: n8n (workflow automation platform)
- Affected component: Git Node
- Deployment models: Cloud and Self-Hosted
- Version range: All versions prior to 1.113.0
- Fixed in: 1.113.0 and later
Vendor Security History
n8n has previously disclosed vulnerabilities in several core components:
- Stored XSS in Form Trigger node (GHSA-hfmv-hhh3-43f2)
- Improper authorization in workflow execution stop endpoint (GHSA-gq57-v332-7666)
- Arbitrary command execution in Execute Command node (GHSA-365g-vjw2-grx8)
- Symlink traversal in Read/Write File node (GHSA-ggjm-f3g4-rwmm)
The vendor maintains a public security advisory page and has demonstrated reasonable patch response times. However, the frequency and diversity of vulnerabilities indicate a need for more robust security testing and architectural improvements.



