A critical vulnerability in a widely used workflow automation platform was disclosed Wednesday and could allow authenticated users to execute arbitrary system commands on the host. The flaw is tracked as CVE-2026-25049 and carries a CVSS score of 9.4
KEY FACTS
- Incident Expression evaluation flaw enables system command execution
- Identifier CVE-2026-25049, CVSS 9.4
- Affected versions versions prior to 1.123.17 and prior to 2.5.2
- Fix Patched in 1.123.17 and 2.5.2
- Researchers Acknowledged by multiple security researchers
The advisory said an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host
The bypass exploits a mismatch between TypeScript compile time checks and JavaScript runtime behavior that lets non string values evade sanitization checks technical deep-dive by Fatih Çelik
Successful exploitation can allow an attacker to compromise a server, steal credentials, exfiltrate data and install persistent backdoors. The risk increases if a public webhook is used because a crafted workflow payload can make remote code execution reachable from the internet
Vulnerable installations should upgrade to the patched releases where possible. If immediate patching is not feasible, administrators are advised to restrict workflow creation and editing to trusted users and to run the platform in a hardened environment with restricted operating system privileges and network access
WHY IT MATTERS
The flaw permits remote command execution through workflow expressions and therefore threatens server integrity, secret material and any connected cloud accounts. Patching and limiting workflow permissions reduce the likelihood of exploitation