A critical security flaw in n8n, a popular workflow automation platform, has been disclosed, putting thousands of organizations at serious risk. The vulnerability, tracked as CVE-2025-68613, has a CVSS score of 9.9, making it one of the most severe security issues reported this year. If exploited successfully, attackers could achieve arbitrary code execution, potentially taking full control of affected n8n instances.
This issue is especially concerning as it is widely used by developers, IT teams, and businesses to automate workflows, integrate systems, and handle sensitive data. According to npm statistics, the n8n package sees around 57,000 weekly downloads, highlighting its broad adoption across industries.
The vulnerability exists in how expressions provided by authenticated users are handled during workflow configuration. Under certain conditions, these expressions are evaluated in an execution environment that is not properly isolated from the underlying runtime.
In simple terms, this means that trusted-looking workflow inputs can escape their sandbox and interact directly with the system running n8n. This breaks a key security boundary and opens the door for serious abuse.
The workflow maintainers explained that an attacker who is already authenticated could exploit this behavior to execute arbitrary code with the same privileges as the n8n process. Once that happens, the entire automation platform can be compromised.
The impact of CVE-2025-68613 goes far beyond a minor misconfiguration. Successful exploitation can result in:
-
Full compromise of the n8n instance
-
Unauthorized access to sensitive data, including credentials and API tokens
-
Modification or sabotage of workflows
-
Execution of system-level commands
-
Potential lateral movement inside the network
Because n8n is often connected to databases, cloud services, SaaS platforms, and internal systems, attackers could use a compromised instance as a launchpad for broader attacks.
This is why the vulnerability has received a near-maximum CVSS score of 9.9.
According to the disclosure, the vulnerability affects:
-
All versions starting from 0.211.0
-
Up to, but not including, version 1.120.4
This means a large number of older and even relatively recent installations are at risk.
The issue has been fixed in the following versions:
-
n8n 1.120.4
-
n8n 1.121.1
-
n8n 1.122.0
Users running any earlier version are strongly advised to upgrade immediately.
The scale of exposure is significant. Data from the attack surface management platform Censys shows that as of December 22, 2025, there are over 103,000 potentially vulnerable n8n instances accessible online.
The majority of these exposed instances are located in:
-
United States
-
Germany
-
France
-
Brazil
-
Singapore
This global distribution means the vulnerability is not limited to a specific region or sector. Enterprises, startups, and individual developers could all be affected.
While the attack requires authentication, this does not eliminate the risk. Many real-world scenarios make exploitation possible, such as:
-
Compromised user credentials
-
Overly permissive user roles
-
Shared accounts
-
Insider threats
-
Weak access controls
Once an attacker gains access to workflow creation or editing features, they could weaponize this vulnerability to run malicious code, steal data, or disrupt operations.
Given the severity of this vulnerability, immediate action is critical.
The most effective mitigation is to upgrade n8n to one of the patched versions:
1.120.4
1.121.1
1.122.0
Delaying updates significantly increases the risk of compromise.
If immediate patching is not possible:
Limit workflow creation and editing rights to only trusted users
Review user roles and remove unnecessary privileges
To reduce the potential impact of exploitation:
Run n8n with restricted operating system privileges
Apply network segmentation
Prevent direct access to sensitive internal systems
Use container security best practices if running in Docker or Kubernetes
Watch for unusual workflow changes
Monitor logs for unexpected command execution
Set alerts for abnormal behavior within the n8n environment
Why This Matters for Security Leaders
For CISOs, DevOps teams, and security managers, this vulnerability is a clear reminder that automation platforms are high-value targets. Tools like n8n often have deep access to business-critical systems, making them attractive to attackers.
Ignoring or delaying patches for such platforms can expose organizations to data breaches, operational disruption, and compliance risks.
The disclosure of CVE-2025-68613 highlights a serious security gap in unpatched n8n deployments. With a CVSS score of 9.9, widespread exposure, and the potential for full system compromise, this vulnerability should be treated as a top priority.
Organizations using n8n should upgrade immediately, tighten access controls, and review their automation security posture. In today’s threat landscape, even trusted automation tools can become powerful attack vectors if left unpatched.
Interesting Article : HPE OneView Hit by CVE-2025-37164 With CVSS 10.0 Severity
Pingback: Severe MongoDB RCE Vulnerability Tracked as CVE-2025-14847