A critical remote code execution vulnerability has been disclosed in the n8n workflow automation platform that could allow attackers to execute arbitrary code on affected instances under certain conditions. The vulnerability, tracked as CVE-2025-68613, carries a CVSS score of 9.9 and affects a widely adopted automation framework used across development, DevOps, and business process workflows.
Technical Details
CVE-2025-68613 allows an authenticated attacker to execute arbitrary code with the privileges of the n8n process by abusing insufficient isolation during workflow configuration. Under vulnerable versions, expressions supplied during workflow creation or modification may be evaluated in an execution context that is not properly sandboxed from the underlying runtime.
Successful exploitation can lead to full compromise of the affected n8n instance. An attacker may gain unauthorized access to sensitive data processed by workflows, modify or weaponize automation logic, execute system-level commands, and potentially pivot into connected services or internal networks.
Given n8n’s role as an orchestration and automation platform, exploitation significantly amplifies risk by enabling attackers to abuse trusted workflows, credentials, and integrations as part of follow-on attacks.
Affected Versions
The vulnerability impacts the n8n workflow automation platform.
Affected versions include:
All n8n versions 0.211.0 and later, up to but excluding the fixed releases.
The issue has been patched in the following versions:
- 1.120.4
- 1.121.1
- 1.122.0
Organizations running earlier versions remain vulnerable.
Exposure and Threat Context
Security researchers claim there are over 103,000 potentially vulnerable n8n instances exposed as of December 22, 2025. A large proportion of these instances are internet-facing, significantly increasing exploitation risk.
Observed exposure is concentrated primarily in the United States, Germany, France, Brazil, and Singapore. While there is no public confirmation of widespread exploitation at the time of writing, vulnerabilities affecting workflow automation platforms are high-value targets due to their access to credentials, APIs, and downstream systems.
Mitigation Guidance
Organizations using n8n should upgrade to a patched release immediately. If immediate patching is not feasible, workflow creation and editing permissions should be restricted to trusted users only, and deployments should be hardened by limiting operating system privileges and network access.
Additional defensive measures include isolating n8n instances from sensitive internal systems, reviewing existing workflows for unexpected logic or expressions, and ensuring that credentials stored within workflows are rotated and protected appropriately.
Stay Safe. Stay Secure
OP Innovate Research Team
