A crucial distant code execution vulnerability has been found in n8n, the open-source workflow automation platform, exposing over 103,000 probably weak situations worldwide.
Tracked as CVE-2025-68613 with a most CVSS severity rating of 9.9. The vulnerability exists inside n8n’s workflow expression analysis system.
The flaw permits authenticated attackers to execute arbitrary code with full course of privileges, probably main to finish system compromise.
FieldDetailsCVE IDCVE-2025-68613 (CVSS 9.9)IssueCritical distant code execution flaw in n8nWhat It DoesAuthenticated attackers can run code and absolutely take over the systemAffected Productn8n workflow automation platformAffected VersionsVersions from 0.211.0 as much as (however not together with) 1.120.4, 1.121.1, and 1.122.0
Vulnerability Particulars
Underneath sure circumstances, expressions entered by authenticated customers are run with out correct isolation, giving them entry to the underlying system.
This design flaw allows attackers with authentic entry to bypass safety boundaries and execute arbitrary code. Profitable exploitation grants attackers unauthorized entry to delicate knowledge saved inside workflows.
The flexibility to switch workflow configurations and execute system-level operations. The impression extends past particular person situations, significantly regarding organizations managing crucial automation processes.
The vulnerability impacts n8n variations ranging from 0.211.0 by means of a number of launch branches.
Patches have been launched throughout three replace tracks:
Replace TrackPatched VersionTrack 11.120.4Track 21.121.1Track 31.122.0
The n8n safety staff strongly recommends upgrading to the newest patched variations. For organizations unable to replace instantly, short-term mitigations embody proscribing workflow creation.
Enhancing permissions to trusted customers solely and deploying n8n in hardened environments with restricted working system privileges and community entry.
Nonetheless, these workarounds don’t remove threat and serve solely as short-term measures.
Exploitation Standing and Intelligence
As of December 19, 2025, the disclosure date, no lively exploitation within the wild has been reported. Nonetheless, SecureLayer7 has revealed a proof-of-concept exploitation information, growing the chance of future assaults.
Censys knowledge reveals the huge scale of publicity, figuring out 103,476 probably weak n8n situations throughout international networks, emphasizing the urgency of patching efforts.
Organizations using n8n ought to prioritize instant patching to the newest out there variations. Safety groups ought to audit workflow permissions, assessment current workflow modifications, and monitor system logs for unauthorized exercise.
Given the crucial nature and broad publicity, treating this as a high-priority safety incident is crucial for shielding automation infrastructure and delicate knowledge.
Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to function your tales.
