A critical remote code execution (RCE) vulnerability in n8n, the popular workflow automation platform. This flaw allows authenticated attackers to execute arbitrary system commands on the host server by leveraging weaponized workflows.
The vulnerability represents a significant regression and expansion of the previously identified CVE-2025-68613, highlighting persistent risks in the platform’s expression evaluation engine.
The core issue resides in how n8n processes dynamic expressions within workflow nodes. Under normal operations, n8n allows users to use expressions to manipulate data between steps.
However, an authenticated user with permissions to create or modify workflows can inject malicious payloads into these parameters. By crafting specific expressions that bypass input sanitization, an attacker can escape the intended sandbox and invoke system-level commands.
This exploitation vector is particularly dangerous for self-hosted instances running in default configurations with broad permissions. Once the weaponized workflow is activated either manually or via a trigger, the injected code executes with the privileges of the n8n process.
Successful exploitation could lead to:
- Full compromise of the host server.
- Lateral movement into connected internal networks.
- Exfiltration of sensitive API keys and credentials stored within n8n credentials management.
The n8n maintainers have released emergency patches to address this flaw. The vulnerability is resolved in the following versions:
Organizations running older versions are urged to upgrade immediately. The patch introduces stricter validation for expression evaluation, preventing the interpretation of shell commands within workflow parameters.
If an immediate upgrade is operationally unfeasible, administrators must apply defense-in-depth strategies to reduce the attack surface. These workarounds do not fully eliminate the risk but raise the barrier for exploitation:
Security teams are advised to scan their environments for outdated n8n instances and monitor logs for unusual process spawning originating from the n8n service daemon.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
