n8n's Sandbox Escape Fix Was Bypassed in 3 Months — CVE-2026-25049

CVE-2026-25049 bypasses a December 2025 sandbox fix (CVE-2025-68613). With 21+ CVEs in February 2026, n8n's security issues are architectural, not patchable.

JieGou Team · 5 min read

In December 2025, n8n patched CVE-2025-68613 (CVSS 9.9) — a critical expression sandbox escape that allowed remote code execution through crafted workflow expressions. Three months later, CVE-2026-25049 (CVSS 9.4) bypasses that fix entirely, re-enabling system command execution via the same expression evaluation subsystem.

When a critical patch gets bypassed in 90 days, the question shifts from “was it patched correctly?” to “can this architecture be patched at all?”

The Bypass

CVE-2025-68613 was a severe vulnerability in n8n’s expression evaluation engine. Workflow expressions — the template syntax users embed in node configurations — were evaluated through a JavaScript sandbox that could be escaped to execute arbitrary system commands on the host server. n8n patched it in December 2025.

CVE-2026-25049 demonstrates that the patch addressed a specific exploitation technique but not the underlying architectural weakness. Researchers found a new path through the same expression evaluation engine to achieve the same result: arbitrary code execution on the n8n server via crafted workflow expressions. The CVSS score dropped from 9.9 to 9.4 — still critical, still remote code execution, still through the same subsystem.

This is the defining characteristic of an architectural vulnerability. The attack surface is not a single code path that can be closed — it is the design decision to evaluate user-supplied expressions through a JavaScript runtime in the first place.

February 2026: 21+ CVEs and Counting

CVE-2026-25049 did not arrive in isolation. February 2026 has produced a cascade of n8n security disclosures that, taken together, represent a systemic failure:

CVE | CVSS | Description
--- | --- | ---
CVE-2026-21858 (“Ni8mare”) | 10.0 | Unauthenticated RCE via webhook Content-Type confusion — ~100,000 exposed instances
CVE-2026-27577 | 9.4 | Expression sandbox escape — system commands via manipulated parameters
CVE-2026-27497 | 9.4 | SQL query mode RCE — arbitrary code execution on the n8n server
CVE-2026-27495 | 9.4 | JavaScript task runner sandbox breakout — arbitrary code execution
CVE-2026-25049 | 9.4 | Expression injection bypass — circumvents the December 2025 fix
CVE-2026-1470 | High | Additional RCE vector
CVE-2026-0863 | High | Python sandbox escape

Beyond these headline vulnerabilities, the February disclosures include stored XSS, SSO authentication bypass, SQL injection across MySQL/PostgreSQL/MSSQL connectors, unauthenticated form evaluation, and webhook forgery.

The severity prompted formal advisories from Singapore’s Cyber Security Agency (CSA) and the Canadian Centre for Cyber Security (CCCS) — the same agencies that issue warnings for critical infrastructure threats.

When Patches Get Bypassed, the Problem Is the Architecture

The CVE-2026-25049 bypass illustrates a principle that security engineers understand well: when a fix for a CVSS 9.9 vulnerability is circumvented within 3 months by a CVSS 9.4 variant targeting the same subsystem, the problem is not insufficient patching. The problem is that the subsystem’s design permits unsafe code execution paths that cannot be comprehensively eliminated through point fixes.

n8n’s February 2026 disclosures reinforce this conclusion from multiple angles. Consider the four independent RCE vectors discovered this month:

  1. Expression evaluation — JavaScript sandbox escape (CVE-2026-27577, CVE-2026-25049)
  2. SQL query mode — Arbitrary code execution via SQL engine (CVE-2026-27497)
  3. JavaScript task runner — Sandbox breakout (CVE-2026-27495)
  4. Webhook handling — Unauthenticated RCE via Content-Type confusion (CVE-2026-21858)

These are four separate subsystems — expression parser, SQL engine, task runner, HTTP handler — all exhibiting the same class of vulnerability: uncontrolled code execution from user-supplied input. Patching one subsystem does not protect the others. An attacker needs to find only one viable path, and February proved there are at least four.

JieGou’s Approach: Eliminate the Attack Surface

JieGou’s architecture eliminates the vulnerability classes that produced n8n’s 21+ CVEs by design, not by patching:

  • Managed SaaS — No self-hosted instances to patch, no exposed webhook endpoints to exploit. Zero operator burden for security updates.
  • Docker sandboxing + V8 isolates — Code execution in CodingAgentStep runs inside Docker containers with V8 isolates, providing process-level and runtime-level isolation. There is no shared JavaScript sandbox to escape from.
  • No expression-based code evaluation — Workflow definitions use structured templates and typed step configurations. There is no expression evaluation engine that interprets user input as executable code.
  • 13,320+ automated tests, 99.1% line coverage — Continuous validation across the entire codebase, including security-sensitive paths.
  • SOC 2 evidence ready — 17 compliance policies mapped with technical controls. Audit logging across 30 action types with immutable records.
  • Hybrid deployment — For organizations requiring data residency, VPC-based execution with a managed control plane keeps sensitive data in your network without the self-hosted patching burden.
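To make the design distinction in the list above concrete, here is an added example (not JieGou's or n8n's code) of a template resolver that treats each placeholder as a data path and never hands it to a JavaScript engine. The `{{ path.to.field }}` syntax, the path allowlist regex, and the `render`/`lookup` function names are assumptions made for this example. The point it shows is that, when nothing is evaluated, there is no sandbox to escape: anything that is not a plain field path is rejected before it is ever looked at, and lookups follow only own properties of plain data, so prototype-walking paths dead-end instead of reaching `Function` or `Object.prototype`.

```javascript
// Added example (not JieGou's or n8n's code): a template renderer whose
// placeholders are data lookups only, never evaluated as JavaScript.
// The {{ path.to.field }} syntax and PATH allowlist are assumptions.

const PLACEHOLDER = /\{\{\s*([^{}]+?)\s*\}\}/g;

// A path is a dot-separated list of plain identifiers. Parentheses, brackets,
// operators, string literals and keywords all fail this test and are rejected
// rather than interpreted.
const PATH = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;

// Resolve a dotted path against a plain-data object. Only own properties are
// followed, so "constructor", "__proto__" and similar names resolve to
// undefined instead of reaching the prototype chain.
function lookup(data, path) {
  let cur = data;
  for (const key of path.split('.')) {
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, key)) {
      return undefined;
    }
    cur = cur[key];
  }
  return cur;
}

// Substitute every placeholder with the scalar found at its path.
// Throws on anything that is not a valid, known, scalar field.
function render(template, data) {
  return template.replace(PLACEHOLDER, (_match, expr) => {
    if (!PATH.test(expr)) {
      throw new Error(`rejected placeholder: ${JSON.stringify(expr)} is not a data path`);
    }
    const value = lookup(data, expr);
    if (value === undefined) {
      throw new Error(`unknown field: ${expr}`);
    }
    if (typeof value === 'object') {
      throw new Error(`field ${expr} is not a scalar`);
    }
    return String(value);
  });
}

// Constructed sample input for the example.
const SAMPLE_DATA = { user: { name: 'Ada' }, order: { id: 42 } };
console.log(render('Hello {{ user.name }}, your order {{ order.id }} is confirmed', SAMPLE_DATA));
// prints: Hello Ada, your order 42 is confirmed
```

Because the resolver has no notion of operators or calls, the usual hardening questions about an expression engine (which globals are reachable, which prototype methods are exposed, how the sandbox is reset between evaluations) simply do not arise; the trade-off is that any computation has to live in a typed step rather than inside a template string.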

Migration Path

JieGou’s n8n import tool converts n8n workflow JSON exports automatically, with 50+ node type mappings and a security assessment that identifies vulnerable patterns in your existing workflows — including expression injection nodes, SQL query nodes, and webhook triggers mapped to February’s CVEs.

  1. Export your n8n workflows (Settings > Export All Workflows)
  2. Upload the JSON to JieGou’s import wizard
  3. Review the automated conversion and security assessment
  4. Deploy on managed infrastructure with zero patching overhead

The security assessment flags nodes in your workflows that correspond to known CVE attack surfaces, so you can prioritize the most critical migrations.
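As an added example (not JieGou's import tool and not code from the n8n project), the following scanner walks an exported n8n workflow JSON and flags the node categories the assessment described above is concerned with: webhook triggers, SQL query nodes, code/task-runner nodes, and any parameter that carries an expression. It assumes the export shape of a top-level `nodes` array whose entries have `name`, `type` and `parameters`, the `n8n-nodes-base.*` type names, and n8n's convention of marking an expression parameter with a leading `=` and `{{ }}` blocks, as the example's author understands that format. The sample workflow is constructed for this example, and the CVE labels only restate the article's table; they are not an authoritative mapping.

```javascript
// Added example (not JieGou's or n8n's code): inventory an exported n8n
// workflow for the attack-surface classes named in the article.
// Node type strings and the "=" expression marker are assumptions about
// n8n's export format; the sample workflow is constructed.

const FLAGGED_NODE_TYPES = {
  'n8n-nodes-base.webhook':      { surface: 'webhook trigger',          ref: 'CVE-2026-21858' },
  'n8n-nodes-base.code':         { surface: 'code / task runner node',  ref: 'CVE-2026-27495, CVE-2026-0863' },
  'n8n-nodes-base.postgres':     { surface: 'SQL query node',           ref: 'CVE-2026-27497' },
  'n8n-nodes-base.mySql':        { surface: 'SQL query node',           ref: 'CVE-2026-27497' },
  'n8n-nodes-base.microsoftSql': { surface: 'SQL query node',           ref: 'CVE-2026-27497' },
};

// An n8n expression parameter is a string that starts with "=" and contains
// one or more {{ ... }} blocks evaluated by the expression engine.
function isExpression(value) {
  return typeof value === 'string' && value.startsWith('=') && value.includes('{{');
}

// Recursively collect the dotted parameter paths that hold expressions.
// Arrays are walked too, so nested collections (e.g. Set node values) are found.
function findExpressions(params, prefix = '') {
  const hits = [];
  if (params === null || typeof params !== 'object') return hits;
  for (const [key, value] of Object.entries(params)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (isExpression(value)) hits.push(path);
    else if (value !== null && typeof value === 'object') hits.push(...findExpressions(value, path));
  }
  return hits;
}

// Produce one finding per flagged node type and one per node that uses
// expressions, so a single node can appear twice (type and expressions).
function assessWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes ?? []) {
    const typeInfo = FLAGGED_NODE_TYPES[node.type];
    if (typeInfo) {
      findings.push({ node: node.name, surface: typeInfo.surface, ref: typeInfo.ref, detail: node.type });
    }
    const exprPaths = findExpressions(node.parameters);
    if (exprPaths.length > 0) {
      findings.push({
        node: node.name,
        surface: 'expression evaluation',
        ref: 'CVE-2026-27577, CVE-2026-25049',
        detail: exprPaths.join(', '),
      });
    }
  }
  return findings;
}

// Constructed sample export: a webhook-triggered order flow with one computed
// field and one SQL write. Not taken from any real deployment.
const SAMPLE_WORKFLOW = {
  name: 'order-intake (constructed sample)',
  nodes: [
    { name: 'Order Webhook', type: 'n8n-nodes-base.webhook',
      parameters: { path: 'orders', httpMethod: 'POST' } },
    { name: 'Compute Total', type: 'n8n-nodes-base.set',
      parameters: { values: { string: [{ name: 'total', value: '={{ $json.body.amount * 1.2 }}' }] } } },
    { name: 'Store Order', type: 'n8n-nodes-base.postgres',
      parameters: { operation: 'executeQuery', query: '=INSERT INTO orders (id) VALUES ({{ $json.body.id }})' } },
    { name: 'Notify', type: 'n8n-nodes-base.slack',
      parameters: { text: 'New order received' } },
  ],
  connections: {},
};

console.log(JSON.stringify(assessWorkflow(SAMPLE_WORKFLOW), null, 2));
```

Run against the constructed sample, the scanner reports four findings: the webhook trigger, the expression inside the Set node, and the Postgres node twice (once as a SQL query node and once for the expression embedded in its query). Nodes that are neither flagged types nor expression carriers, like the Slack notification, produce nothing, which is what lets a reviewer rank migrations by how many findings each workflow accumulates.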

  1. Import your n8n workflows — automated import with 50+ node mappings and security assessment
  2. Read the migration guide — step-by-step technical walkthrough
  3. Compare JieGou vs. n8n — full feature and security comparison