
n8n Vulnerabilities: When Automation Workflows Become Exploitable

  • Writer: Aastha Thakker
  • Jan 8
  • 8 min read

In our previous blog, we covered n8n and its fundamentals: how this powerful workflow automation tool helps teams connect applications and automate tasks. (n8n)


Recently, n8n vulnerabilities have been gaining attention, with multiple CVEs (Common Vulnerabilities and Exposures) being published that highlight critical security concerns. These discoveries are important not just for n8n users, but for anyone working with workflow automation platforms or building integrations in their infrastructure.


Today, we’ll look at n8n vulnerabilities that have been disclosed recently. I’ve selected these particular CVEs because I found them really interesting and because they could affect how you deploy and secure similar tools.


Whether you’re a security professional, a DevOps engineer, an n8n user, a pen tester or a keen learner, understanding these vulnerabilities will help you better protect your workflows and data.


CVE-2025-68613: Expression Injection Leading to Arbitrary Code Execution

  • CVE ID: CVE-2025-68613
  • Severity: Critical
  • CVSS Score: 9.9 out of 10.0
  • Vulnerability Type: Expression Injection / Remote Code Execution
  • Affected Versions: n8n versions 0.211.0 through 1.120.3
  • Patched Versions: 1.120.4, 1.121.1, and 1.122.0
  • Discovered By: Fatih Çelik


What is the Vulnerability?


This flaw allows authenticated attackers to execute arbitrary code on the n8n server by exploiting insufficient isolation in the expression evaluation engine used during workflow configuration.


n8n uses a JavaScript-based expression engine that allows users to perform dynamic data manipulation using the {{ ... }} syntax. Normally, this engine is supposed to be restricted to basic math or string operations.


However, in vulnerable versions (0.211.0 to 1.120.3), the sandbox wasn’t airtight. An attacker can use a specific JavaScript object, this.process, to reach into the Node.js runtime. From there, they can call the require() function to load powerful system modules like child_process or fs (file system), which are normally off-limits to users.


Why This is Critical


This vulnerability scores 9.9 out of 10.0 on the CVSS scale for several reasons:


  1. Full System Compromise: Successful exploitation leads to complete control over the n8n instance

  2. Data Exfiltration: Attackers gain unauthorized access to all sensitive data processed by workflows

  3. Lateral Movement: The compromised server can be used as a pivot point to attack other systems

  4. Persistence: Attackers can modify workflows to maintain long-term access

  5. Wide Attack Surface: With 103,476 potentially vulnerable instances detected globally (as of December 22, 2025), the impact is significant


The Exploit Workflow


To pull this off, an attacker doesn’t need to be an admin. Any authenticated user with permission to create or edit a workflow can trigger it.


  1. Access: The attacker logs into a vulnerable n8n instance.

  2. Creation: They create a new workflow and add a common node, like a Set node or a Code node.

  3. Injection: In one of the fields that accepts expressions, they inject a malicious payload designed to “escape” the sandbox.

  4. Execution: They click “Execute Workflow.” n8n’s server-side engine evaluates the expression, realizes it’s valid JavaScript, and executes it directly on the host operating system.

Attack flow with example

Security Measures


  1. Update immediately to one of the patched versions: 1.120.4, 1.121.1, 1.122.0 or later.

  2. Check recent workflow creations and modifications. Identify any unauthorized or suspicious changes.

  3. Monitor system calls made by the n8n process.

  4. Place n8n in a segmented network with strict egress filtering


CVE-2025-68668: Python Code Node Sandbox Bypass Leading to Arbitrary Command Execution

  • CVE ID: CVE-2025-68668
  • Severity: Critical
  • CVSS Score: 9.9 out of 10.0
  • Vulnerability Type: Protection Mechanism Failure / Sandbox Bypass
  • Affected Versions: n8n versions 1.0.0 through 1.999.x (before 2.0.0)
  • Patched Versions: 2.0.0 and later
  • Discovered By: Vladimir Tokarev and Ofek Itach (Cyera Research Labs)
  • Codename: N8scape

What is the Vulnerability?

This critical flaw allows authenticated attackers to bypass security protections in n8n’s Python Code Node and execute arbitrary operating system commands on the host server. The vulnerability exploits weaknesses in the Pyodide-based Python execution sandbox.

The Python Code Node in n8n is designed to allow users to write custom Python code for data processing and automation tasks within workflows. To prevent security risks, this code is supposed to run in an isolated sandbox environment powered by Pyodide (a Python runtime for WebAssembly). This sandbox should restrict access to the underlying operating system.

However, in versions 1.0.0 through 1.999.x, the Pyodide sandbox implementation contains flaws that allow an attacker to “escape” the restricted environment. Once outside the sandbox, they can execute system-level commands with the same privileges as the n8n process itself, potentially gaining full control over the server.

Why This is Critical

This vulnerability scores 9.9 out of 10.0 on the CVSS scale for several reasons:


  1. Complete System Access: Attackers can execute any operating system command with n8n process privileges, leading to full host compromise

  2. Data Breach Risk: Access to all sensitive data processed by n8n workflows, including API keys, database credentials, and business-critical information

  3. Privilege Escalation Potential: The n8n process may run with elevated privileges, giving attackers significant system access

  4. Persistence Mechanisms: Attackers can modify workflows to maintain backdoor access even after initial detection

  5. Low Barrier to Entry: Any authenticated user with workflow creation/modification permissions can exploit this, not just administrators.


The Exploit Workflow

The attack can be executed by any authenticated user with workflow creation or modification privileges:


  1. Authentication: The attacker logs into a vulnerable n8n instance with valid credentials

  2. Workflow Creation: They create a new workflow, or edit an existing one they have permission to modify

  3. Python Code Node Insertion: They add a Python Code Node to the workflow, which appears as a legitimate automation component

  4. Malicious Payload Injection: Within the Python Code Node, they craft a payload designed to exploit weaknesses in the Pyodide sandbox, breaking out of the restricted environment

  5. Execution Trigger: The attacker executes the workflow, either manually or by setting up an automated trigger

  6. Sandbox Escape: The n8n server processes the Python code, and the malicious payload successfully bypasses the Pyodide sandbox protections

  7. Command Execution: The attacker’s arbitrary operating system commands execute on the host with n8n process privileges, granting them control over the server.

Attack flow with example

Security Measures


  1. Update to Version 2.0.0 or later. Version 2.0.0 implements a task runner-based native Python implementation with improved security isolation as the default configuration.

  2. Examine all workflows containing Python Code Nodes for suspicious or unauthorized code

  3. Check n8n system logs for unusual command executions or anomalous behavior patterns

  4. Implement system-level monitoring to detect unexpected child processes spawned by the n8n process

  5. Disable the Code Node by setting the environment variable NODES_EXCLUDE="[\"n8n-nodes-base.code\"]"

  6. Disable Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false


CVE-2026-21858: Content-Type Confusion Leading to Unauthenticated Remote Code Execution

  • CVE ID: CVE-2026-21858
  • Severity: Critical
  • CVSS Score: 10.0 out of 10.0 (Maximum Severity)
  • Vulnerability Type: Content-Type Confusion / Unrestricted File Access
  • Affected Versions: All n8n versions prior to and including 1.65.0
  • Patched Versions: 1.121.0, 1.123.10, 2.1.5, 2.2.4, and 2.3.0
  • Discovered By: Dor Attias (Cyera Research Labs)
  • Codename: Ni8mare


What is the Vulnerability?


This maximum-severity flaw allows unauthenticated remote attackers to gain complete control over vulnerable n8n instances by exploiting a Content-Type confusion vulnerability in the webhook and file handling mechanism. Unlike the previous n8n vulnerability (CVE-2026-21877), this flaw requires zero authentication.


The vulnerability stems from how n8n processes incoming webhook requests. When n8n receives a webhook request, it uses the parseRequestBody() function to determine how to handle the data based on the Content-Type header:


  • If Content-Type is “multipart/form-data”: Uses parseFormData() (file upload parser) which leverages the formidable Node.js module to parse form data and stores results in the global variable req.body.files

  • For all other Content-Types: Uses parseBody() (regular body parser) which processes the HTTP request body and stores data in req.body


The critical flaw occurs in the formWebhook() function, which handles form submissions. This function calls copyBinaryFile() to process files from req.body.files without first verifying that the Content-Type header is actually "multipart/form-data." This oversight allows attackers to manipulate the req.body.files object by sending a request with a different Content-Type, enabling them to control the filepath parameter and read arbitrary files from the system instead of processing legitimate uploaded files.

Why This is Critical

This vulnerability achieves the maximum CVSS score of 10.0 for several compelling reasons:


  1. Zero Authentication Required: Unlike CVE-2025-68613, CVE-2025-68668, and CVE-2026-21877, which require authenticated access, this vulnerability can be exploited by completely unauthenticated remote attackers with no credentials whatsoever.

  2. Complete System Compromise: Successful exploitation grants full administrative control over the n8n instance, including the ability to execute arbitrary operating system commands

  3. Arbitrary File Read Primitive: Attackers can read any file accessible to the n8n process, including sensitive configuration files, databases, and secrets

  4. Authentication Bypass Chain: The arbitrary file read can be escalated to extract database credentials, encryption keys, and administrator session tokens, enabling complete authentication bypass

  5. Centralized Attack Vector: n8n instances typically store API credentials, OAuth tokens, database connections, and cloud storage credentials for numerous integrated services, making a compromised instance a “single point of failure and a goldmine for threat actors”

  6. Massive Attack Surface: With 26,512 exposed n8n hosts detected globally (as of the disclosure date), the potential impact spans thousands of organizations worldwide.


The Exploit Workflow

This attack can be executed by any unauthenticated attacker who can reach a vulnerable n8n instance with form-based workflows:


Initial Setup Requirements

The target organization must have an n8n workflow that includes a Form node accessible via webhook, for example, a customer support chat interface that allows file uploads to a knowledge base.


Attack Chain Execution


  1. Reconnaissance: The attacker identifies a publicly accessible n8n instance running a form-based workflow (such as a chatbot or file upload interface).

  2. Arbitrary File Read Exploitation: The attacker crafts a malicious HTTP request to the form webhook endpoint with a manipulated Content-Type header (not “multipart/form-data”) and a specially crafted request body that sets req.body.files to point to sensitive system files.

  3. Database Extraction: Using the arbitrary file read primitive, the attacker reads /home/node/.n8n/database.sqlite and submits it to the knowledge base through the form workflow.

  4. Credential Harvesting via Chat Interface: The attacker uses the legitimate chat interface to query the now-compromised knowledge base, extracting the administrator’s user ID, email address, and hashed password from the database

  5. Encryption Key Theft: The attacker performs another arbitrary file read to access /home/node/.n8n/config and extracts the encryption secret key used to protect sensitive data.

  6. Session Forgery: Using the stolen administrator user information and encryption key, the attacker forges a valid session cookie that grants full administrative access to the n8n instance, completely bypassing authentication

  7. Remote Code Execution: With administrative access established, the attacker creates a new workflow containing an “Execute Command” node

  8. Full System Compromise: The attacker executes the malicious workflow, running arbitrary operating system commands with n8n process privileges and achieving complete control over the host server.

Attack flow with example

Security Measures


  1. Upgrade to the latest version as soon as possible. This is the only complete fix for the vulnerability.

  2. Configure all Form workflows to require authentication before processing any requests.

  3. If your n8n instance is publicly accessible, immediately place it behind a VPN, firewall, or access control mechanism to restrict access to trusted networks only.


Overall Gist:


  • CVE-2025-68613 (CVSS: 9.9): A flaw related to improper handling of dynamically managed code resources. Under specific conditions, an authenticated attacker can exploit this issue to achieve remote code execution (RCE). Patched in versions 1.120.4, 1.121.1, and 1.122.0.

  • CVE-2025-68668 (N8scape) (CVSS: 9.9): A sandbox escape vulnerability that allows authenticated users with workflow creation or modification rights to run arbitrary system commands on the host machine where n8n is deployed. Resolved in version 2.0.0.

  • CVE-2026-21877 (CVSS: 10.0): An unrestricted file upload vulnerability involving dangerous file types. Successful exploitation enables authenticated attackers to execute untrusted code through the n8n service, potentially resulting in complete instance takeover. Fixed in version 1.121.3.

  • CVE-2026-21858 (Ni8mare) (CVSS: 10.0): Caused by a Content-Type confusion flaw in n8n’s webhook and form-handling logic. This issue allows remote attackers to read arbitrary files from the server, extract sensitive secrets, forge administrator sessions, and ultimately achieve full remote code execution without valid credentials.

