I have already received, three times, an official letter from the German Federal Office for Information Security, forwarded to me by Hetzner, with the following content:
Dear Sir or Madam,
n8n is an open-source workflow automation platform.
Multiple critical vulnerabilities in n8n can be exploited by remote attackers to expose sensitive information or execute arbitrary code, potentially resulting in a full system compromise.
All supported versions prior to 2.5.2 are affected.
Users should update n8n to a current version as soon as possible.
Additional information provided by the vendor:
CVE-2025-68613
CVE-2025-68668
< Arbitrary Command Execution in Pyodide based Python Code Node · Advisory · n8n-io/n8n · GitHub >
CVE-2026-21858
CVE-2026-21877
< RCE via Arbitrary File Write · Advisory · n8n-io/n8n · GitHub >
CVE-2026-25049
< Expression Escape Vulnerability Leading to RCE · Advisory · n8n-io/n8n · GitHub >
CVE-2026-25052
< Improper File Access Controls Allow Arbitrary File Read by Authenticated Users · Advisory · n8n-io/n8n · GitHub >
CVE-2026-25053
< OS Command Injection in Git Node · Advisory · n8n-io/n8n · GitHub >
Please find below a list of IP addresses of n8n systems on your networks found to be running a version still affected by one or more of these vulnerabilities. All timestamps are UTC.
We would like to ask you to take appropriate steps to secure affected systems or notify your customers accordingly.
This message is digitally signed using PGP.
Information on the signature key is available at:
< BSI - CERT Bund Reports >
Please note:
This is an automatically generated message. Replies to the sender address [email protected] will NOT be read but silently discarded. In case of questions, please contact [email protected] and keep the ticket number [CB-Report#…] of this message in the subject line.
According to my knowledge, the statement that a remote attacker can exploit those vulnerabilities is completely exaggerated, since all of these attacks require a logged-in user. Would it be worthwhile to contact the office so that they stop spreading false and hyped-up alarms? I myself do not see any urgency to update, and such a communication may cause unnecessary insecurity among many other users who read it. I thought I would bring it to your attention.