Critical Remote Code Execution Vulnerabilities in n8n Workflow Automation Platform
A critical vulnerability, CVE-2025-68613, has been discovered in the n8n open-source workflow automation platform, allowing authenticated users with workflow creation or editing permissions to execute arbitrary system commands on the underlying server. This flaw, rated 9.9 on the CVSS scale, stems from improper sandboxing of JavaScript expressions within workflow definitions, enabling attackers to escape restrictions and gain system-level access. The vulnerability does not require administrative privileges, making it a significant risk in environments with multiple users or weak access controls, and could lead to full system compromise, data exfiltration, workflow sabotage, and lateral movement.
Another related vulnerability, CVE-2025-68668, also enables sandbox escape in n8n, turning workflows into potential attack vectors. Both vulnerabilities highlight the urgent need for organizations using n8n to review user permissions, apply available patches, and implement strong access controls to mitigate the risk of exploitation. While there is no current evidence of active exploitation, the ease of attack and the platform's popularity make immediate remediation essential.
Timeline
Jan 7, 2026
n8n releases patched versions and urges immediate upgrades
n8n released fixes for the vulnerability in patched versions including 1.120.4, 1.121.1, 1.121.3, and 1.122.0, depending on the affected branch referenced by reporting. Users were urged to upgrade immediately and apply temporary mitigations such as restricting permissions and disabling risky functionality where applicable.
Jan 6, 2026
Technical analyses and proof-of-concept details are published
Security reporting and research published technical details describing how n8n workflows could be weaponized through the sandbox-escape flaw, including proof-of-concept payloads and exploitation mechanics. These disclosures increased the likelihood of real-world exploitation by making the issue easier to reproduce.
Jan 6, 2026
Critical n8n sandbox-escape/RCE vulnerability is disclosed
A critical vulnerability in the n8n workflow automation platform was publicly disclosed in early January 2026, allowing authenticated users with workflow-related permissions to escape the sandbox and execute arbitrary code or system commands. The flaw affects self-hosted and cloud environments and could enable full system compromise, data access, and workflow manipulation.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Organizations
Affected Products
Sources
Related Stories
Critical Remote Code Execution Vulnerability in n8n Workflow Automation Platform
A critical remote code execution vulnerability, tracked as CVE-2026-21877, has been identified in the n8n workflow automation platform. The flaw, rated CVSS 10.0, allows authenticated users to execute arbitrary code on affected n8n instances, posing a significant risk to environments where n8n is used to automate workflows with access to sensitive data, internal systems, and credentials. The vulnerability impacts n8n versions from 0.123.0 up to but not including 1.121.3, affecting both self-hosted and managed deployments. Exploitation requires authenticated access, and the vulnerability is linked to unsafe handling that can result in the execution of untrusted code. The issue has been addressed in n8n version 1.121.3 and later, and users are strongly advised to upgrade immediately to mitigate the risk. Additional recommendations include restricting workflow modification access to trusted administrators, blocking high-risk nodes at runtime, and reviewing audit logs for suspicious activity prior to patching. No public exploit details or proof-of-concept have been released as of the latest advisories. Organizations using n8n should prioritize patching and implement hardening measures to prevent potential compromise of their automation infrastructure.
1 months agoCritical Remote Code Execution Vulnerability in n8n Workflow Automation Platform
A critical vulnerability, tracked as CVE-2025-68613, was discovered in the n8n workflow automation platform, allowing authenticated users to execute arbitrary code on affected instances. The flaw, which impacts versions 0.211.0 up to but not including 1.120.4, arises from insufficient isolation of user-supplied expressions during workflow configuration, potentially leading to full system compromise, unauthorized data access, and modification of workflows. The vulnerability has a CVSS score of 9.9, and over 100,000 potentially exposed instances have been identified globally, with the highest concentrations in the U.S., Germany, France, Brazil, and Singapore. Security advisories urge immediate patching to versions 1.120.4, 1.121.1, or 1.122.0 to mitigate the risk. For organizations unable to patch immediately, it is recommended to restrict workflow creation and editing permissions to trusted users and to deploy n8n in a hardened environment with limited operating system privileges and network access. The Canadian Centre for Cyber Security and other authorities have issued alerts emphasizing the criticality of this vulnerability and the urgent need for remediation.
1 months ago
Critical n8n Workflow Automation Platform Vulnerabilities Enable Remote Code Execution
Multiple critical vulnerabilities have been disclosed in the open-source workflow automation platform n8n, exposing both self-hosted and cloud deployments to severe security risks. The most severe flaw, tracked as CVE-2026-21877, allows authenticated attackers to execute arbitrary code on affected instances, potentially granting full control over the system. This vulnerability impacts a wide range of n8n installations, and while patches have been released, unpatched systems remain at risk. Another critical flaw, CVE-2026-21858, has also been highlighted, with reports indicating that over 100,000 servers could be exposed due to the public release of exploit code. Security researchers have emphasized the urgency of applying available patches to mitigate these threats, as the public availability of exploits significantly increases the likelihood of widespread attacks. Organizations using n8n are strongly advised to update their deployments immediately and review their exposure, especially if instances are accessible from the internet. The vulnerabilities underscore the importance of timely patch management and monitoring for signs of compromise in automation and integration platforms.
1 months ago