A critical remote code execution vulnerability has been discovered in n8n, the open-source workflow automation platform, exposing over 103,000 potentially vulnerable instances worldwide.
Tracked as CVE-2025-68613 with a maximum CVSS severity score of 9.9. The vulnerability exists within n8nās workflow expression evaluation system.
The flaw allows authenticated attackers to execute arbitrary code with full process privileges, potentially leading to complete system compromise.
| Field | Details |
|---|---|
| CVE ID | CVE-2025-68613 (CVSS 9.9) |
| Issue | Critical remote code execution flaw in n8n |
| What It Does | Authenticated attackers can run code and fully take over the system |
| Affected Product | n8n workflow automation platform |
| Affected Versions | Versions from 0.211.0 up to (but not including) 1.120.4, 1.121.1, and 1.122.0 |
Vulnerability Details
Under certain conditions, expressions entered by authenticated users are run without proper isolation, giving them access to the underlying system.
This design flaw enables attackers with legitimate access to bypass security boundaries and execute arbitrary code.Successful exploitation grants attackers unauthorized access to sensitive data stored within workflows.
The ability to modify workflow configurations and execute system-level operations. The impact extends beyond individual instances, particularly concerning organizations managing critical automation processes.
The vulnerability affects n8n versions starting from 0.211.0 through multiple release branches.
Patches have been released across three update tracks:
| Update Track | Patched Version |
|---|---|
| Track 1 | 1.120.4 |
| Track 2 | 1.121.1 |
| Track 3 | 1.122.0 |
The n8n security team strongly recommends upgrading to the latest patched versions. For organizations unable to update immediately, temporary mitigations include restricting workflow creation.
Editing permissions to trusted users only and deploying n8n in hardened environments with restricted operating system privileges and network access.
However, these workarounds do not eliminate risk and serve only as short-term measures.
Exploitation Status and Intelligence
As of December 19, 2025, the disclosure date, no active exploitation in the wild has been reported. However, SecureLayer7 has published a proof-of-concept exploitation guide, increasing the risk of future attacks.
Censys data reveals the massive scale of exposure, identifying 103,476 potentially vulnerable n8n instances across global networks, emphasizing the urgency of patching efforts.
Organizations utilizing n8n should prioritize immediate patching to the latest available versions. Security teams should audit workflow permissions, review recent workflow modifications, and monitor system logs for unauthorized activity.
Given the critical nature and broad exposure, treating this as a high-priority security incident is essential for protecting automation infrastructure and sensitive data.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
