A critical flaw in the n8n automation platform could allow attackers to execute arbitrary code if exploited under specific conditions.
Researchers warn that a critical vulnerability, tracked as CVE-2025-68613 (CVSS score of 9.9), in the n8n workflow automation platform could allow attackers to achieve arbitrary code execution under certain circumstances. The package gets about 57,000 downloads per week, according to npm statistics.
“n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime,” reads the advisory. “An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations.”
n8n is a workflow automation platform designed for technical teams that combines the flexibility of custom code with the speed and simplicity of no-code tools. It supports more than 400 integrations, includes native AI features, and uses a fair-code license, allowing organizations to build powerful automations while retaining full control over their data and deployment environments.
An authenticated attacker could exploit this weakness during workflow configuration to run arbitrary code with the same privileges as the n8n process, potentially leading to full system compromise, data exposure, workflow tampering, and execution of system-level commands. The vulnerability has been fixed in versions 1.120.4, 1.121.1, and 1.122.0, and users are strongly urged to upgrade. If upgrading is not immediately possible, administrators should restrict workflow creation and editing to fully trusted users and run n8n in a hardened environment, keeping in mind these measures only reduce risk temporarily and do not fully resolve the issue.
Cybersecurity firm Censys observed 103,476 potentially vulnerable instances as of December 22, 2025, trackable with the following queries. Most of the instances are located in the U.S., Germany, and France.
Users should install the updates immediately and, if patching isn’t possible, restrict workflow editing to trusted users and run n8n in a hardened environment with restricted operating system privileges and network access.
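A branch-aware version check for triaging an n8n fleet against the fixed releases named above, written as an added example and not code from n8n or the advisory. The host names are constructed, and every release outside the three fix lines is assumed to be unpatched (the conservative choice for triage).

```python
"""Check whether an n8n version string carries the fix for CVE-2025-68613.

The advisory names three fixed releases: 1.120.4, 1.121.1 and 1.122.0.
Because fixes were backported to two older release lines, a plain
"version >= 1.122.0" test would wrongly flag patched 1.120.x and 1.121.x
hosts, so the check below is branch-aware.
Assumption: any release not covered by one of those fix lines is treated
as unpatched; pre-release suffixes are ignored.
"""
import re
from typing import Dict, List, Tuple

# (major, minor) -> first patched patch level on that backport line
FIX_LINES = {(1, 120): 4, (1, 121): 1}
# Everything else is considered patched only from this release onwards
FIRST_FIXED_MAINLINE = (1, 122, 0)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'v1.120.4' or '1.120.4-rc.1' into (major, minor, patch)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_patched(text: str) -> bool:
    """True if the given version includes the CVE-2025-68613 fix."""
    major, minor, patch = parse_version(text)
    if (major, minor) in FIX_LINES:          # backported fix lines
        return patch >= FIX_LINES[(major, minor)]
    return (major, minor, patch) >= FIRST_FIXED_MAINLINE


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts from a {host: version} mapping that still need upgrading."""
    return sorted(h for h, v in inventory.items() if not is_patched(v))


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts
    sample = {"n8n-prod": "1.121.0", "n8n-dev": "1.120.5",
              "n8n-lab": "v1.119.2", "n8n-new": "1.122.0"}
    for host in triage(sample):
        print(f"{host}: {sample[host]} needs upgrade for CVE-2025-68613")
```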