CVE-2025-71380: n8n - Arbitrary Command Execution via Execute Command Node
The Execute Command node in n8n allows authenticated users to execute arbitrary commands on the host system where n8n runs. Attackers with user access or compromised credentials can exploit this node to run malicious commands, potentially leading to data exfiltration, service disruption, or complete system compromise.
Security readout for executives and security teams
Plain-English summary
An authenticated n8n user may be able to run arbitrary commands on the server hosting n8n through the Execute Command node. If abused, this can expose data, disrupt service, or compromise the host.
Executive priority
Treat this as high priority where n8n is internet-accessible or broadly available internally. The business risk is host compromise from a valid or stolen account, not unauthenticated mass exploitation based on current evidence.
Technical view
The issue is described as arbitrary host command execution through n8n's Execute Command node by authenticated users. CVSS 8.8 reflects network reachability, low attack complexity, low privileges required, no user interaction, and high confidentiality, integrity, and availability impact.
Likely exposure
Organizations running n8n where users or compromised credentials can create or run workflows using the Execute Command node. The provided affected-version data is limited and internally unclear, so confirm exposure against vendor guidance.
Exploitation context
The source bundle does not provide evidence of active exploitation, and KEV status is false. Abuse requires authenticated access or compromised credentials with sufficient n8n capability to use the relevant node.
Researcher notes
The bundle names n8n Execute Command node behavior and CWE-284, but does not include detailed patch, version-range, or exploit telemetry evidence. Avoid assuming affected versions beyond the advisory data and validate against primary vendor sources.
Mitigation direction
Review the GitHub advisory and n8n guidance for supported fixes or configuration controls.
Restrict n8n access to trusted users and enforce strong authentication.
Audit and remove unnecessary users, tokens, and workflow permissions.
Disable or tightly control Execute Command node use where operationally possible.
Run n8n with least-privilege host permissions and isolate sensitive data.
Validation and detection
Inventory all n8n instances, including self-hosted and development deployments.
Check whether authenticated users can create or run Execute Command workflows.
Review workflow history for unexpected command-node usage.
Review n8n user accounts for stale, excessive, or compromised access.
Confirm product version and configuration against vendor advisory details.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-284: Authorization and privilege behavior lookup
Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
1ADP providers
3Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-284 · source CWE mapping
Improper Access Control
Improper Access Control represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.