What it is: A vulnerability in the Git node that allows execution of system commands or arbitrary file access.

Impact: Authenticated users with workflow permissions can execute commands on the n8n host or read sensitive files.

Fix: This issue was addressed in n8n versions 1.123.10 and 2.5.0. Users are strongly encouraged to upgrade to these or later releases to mitigate the vulnerability.

CVE: CVE-2026-25053
GHSA: GHSA-9g95-qf3f-ggrw
CVSS Score: 9.4 (Critical)

Note: n8n combined all the vulnerabilities discussed in this post into a single CVE (CVE-2026-25053) and GHSA advisory. This CVE covers the entire security hardening journey, including the Windows path separator bypass, TOCTOU vulnerabilities, config key injection, and other Git node security issues.