Critical Remote Code Execution Vulnerability in n8n Workflow Automation Platform
A critical vulnerability, tracked as CVE-2025-68613, was discovered in the n8n workflow automation platform, allowing authenticated users to execute arbitrary code on affected instances. The flaw, which impacts versions 0.211.0 up to but not including 1.120.4, arises from insufficient isolation of user-supplied expressions during workflow configuration, potentially leading to full system compromise, unauthorized data access, and modification of workflows. The vulnerability has a CVSS score of 9.9, and over 100,000 potentially exposed instances have been identified globally, with the highest concentrations in the U.S., Germany, France, Brazil, and Singapore.
Security advisories urge immediate patching to versions 1.120.4, 1.121.1, or 1.122.0 to mitigate the risk. For organizations unable to patch immediately, it is recommended to restrict workflow creation and editing permissions to trusted users and to deploy n8n in a hardened environment with limited operating system privileges and network access. The Canadian Centre for Cyber Security and other authorities have issued alerts emphasizing the criticality of this vulnerability and the urgent need for remediation.
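The version boundaries above are easy to get wrong with a single "less than 1.120.4" comparison, because the fix shipped on three release lines. The following inventory triage is an added example, not code from n8n or from any of the advisories; the hostnames and sample versions are constructed, and it assumes that 1.121.0 is vulnerable (since 1.121.1 is listed as a fix release) and that later patch releases on a fixed line keep the fix.

```python
import re

# Version boundaries as stated in the advisory text above.
FIRST_AFFECTED = (0, 211, 0)
FIXED_PATCH = {(1, 120): 4, (1, 121): 1}  # first fixed patch level per release line
FIRST_FIXED_LINE = (1, 122)               # 1.122.0 and later

# Plain MAJOR.MINOR.PATCH only; tags such as "latest" or "-rc.1" are not guessed at.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def classify(version):
    """Return 'vulnerable', 'patched', 'not-affected' or 'unknown'."""
    match = _VERSION_RE.match(version.strip())
    if match is None:
        return "unknown"
    v = tuple(int(part) for part in match.groups())
    if v < FIRST_AFFECTED:
        return "not-affected"
    line = v[:2]
    if line >= FIRST_FIXED_LINE:
        return "patched"
    # Assumption: a release line without a listed fix, and 1.121.0, count as vulnerable.
    if line in FIXED_PATCH and v[2] >= FIXED_PATCH[line]:
        return "patched"
    return "vulnerable"


def triage(inventory):
    """Group hostnames by status so vulnerable and unknown hosts can be handled first."""
    report = {"vulnerable": [], "unknown": [], "patched": [], "not-affected": []}
    for host, version in sorted(inventory.items()):
        report[classify(version)].append(host)
    return report


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "automation-01.example.internal": "1.119.2",
    "automation-02.example.internal": "1.120.4",
    "automation-03.example.internal": "1.121.0",
    "automation-04.example.internal": "latest",
    "legacy-01.example.internal": "0.210.2",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" run a tag that cannot be compared numerically and need their actual version confirmed by hand.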

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Metasploit exploit module is developed for CVE-2025-68613
On December 25, 2025, a Metasploit Framework pull request introduced an exploit module for CVE-2025-68613. The module targeted authenticated code execution in vulnerable n8n instances through the Schedule Trigger workflow and demonstrated shell access on tested versions.
Public PoC and exploitation details for CVE-2025-68613 are published
By December 23-24, 2025, public proof-of-concept code and technical exploitation details for CVE-2025-68613 were published, increasing the likelihood of attacks. Reports described abuse through workflow expression evaluation, including exploitation via the web UI and REST API.
CVE-2025-68613 disclosure warns over 100,000 n8n instances are exposed
By December 22-23, 2025, public advisories disclosed CVE-2025-68613 as a CVSS 9.9 vulnerability in n8n that could let authenticated users execute arbitrary code and fully compromise servers. Reporting said more than 100,000 internet-exposed instances were potentially vulnerable and urged immediate patching or temporary hardening measures.
n8n releases patches for critical CVE-2025-68613
On December 19, 2025, n8n released security updates to fix CVE-2025-68613, a critical expression-injection flaw enabling authenticated remote code execution. The issue was patched in versions 1.120.4, 1.121.1, and 1.122.0 for affected releases from 0.211.0 onward.
Sources
CVE-2025-68613: Remote Code Execution via Expression Injection in n8n (resecurity.com)
CVE 2025 68613 (github.com)
CVE-2025-68613: Critical n8n RCE Vulnerability Enables Full Server Compromise (indusface.com)
CVSS 9.9 RCE vulnerability in n8n potentially impacts more than 100K servers (scworld.com)
Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution Across Thousands of Instances (thehackernews.com)
CVE-2025-68613: Critical RCE Vulnerability Disclosed in n8n Workflow Automation (socradar.io)
Critical n8n Automation Platform Vulnerability Enables RCE Attacks – 103,000+ Instances Exposed (cybersecuritynews.com)
Critical n8n flaw could enable arbitrary code execution (securityaffairs.com)
n8n security advisory (AV25-857) (cyber.gc.ca)

