Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Critical

n8n Python Code Node (Pyodide) sandbox bypass leading to host command execution (N8scape)

IdentifiersCVE-2025-68668CWE-693· Protection Mechanism FailureAlso known asn8scape

n8n (open-source workflow automation) contains a sandbox bypass in the Python Code Node implementation that uses Pyodide. In affected versions (>= 1.0.0 and < 2.0.0), an authenticated user who can create or modify workflows can escape the intended Pyodide sandbox and execute arbitrary commands on the underlying host operating system with the same privileges as the n8n service process. The issue is fixed in n8n 2.0.0, which moves Python execution to a more isolated task-runner/native Python model by default.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Authenticated remote command execution on the n8n host with n8n process privileges, enabling full compromise of the n8n instance and potential access to data/secrets reachable by the n8n service account (including credentials handled by workflows), and potential lateral movement depending on environment permissions.

Mitigation

If you can’t patch tonight, do this now.

If upgrade is not immediately possible: (1) disable the Code node via NODES_EXCLUDE='["n8n-nodes-base.code"]'; and/or (2) disable Python support in the Code node via N8N_PYTHON_ENABLED=false (available since n8n 1.104.0); and/or (3) enable the task-runner-based Python sandbox using N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables.

Remediation

Patch, then assume compromise.

Upgrade n8n to version 2.0.0 or later, where the vulnerability is patched (Python execution defaults to the task-runner/native Python model).
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
N8nN8napplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

63 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

63 SOURCESView more in app
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

Critical n8n vulnerability that allows an authenticated attacker to execute arbitrary system commands on the underlying host (protection mechanism failure).

Read more
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

n8n authenticated system command execution due to protection mechanism failure.

Read more
the hacker newsNews
Jan 29, 2026
remote code execution - Latest News, Reports & Analysis | The Hacker News

A previously disclosed n8n Pyodide sandbox escape vulnerability referenced for similarity to Cellbreak.

Read more
the hacker newsNews
Jan 27, 2026
Critical Grist-Core Vulnerability Allows RCE Attacks via Spreadsheet Formulas

A Pyodide sandbox escape vulnerability affecting n8n (referenced as a similar issue to the Grist-Core flaw).

Read more
+17 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity42

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-68668
NVD
nvd.nist.gov/vuln/detail/CVE-2025-68668
MITRE CWE · CWE-693
Protection Mechanism Failure
Patch
github.com/n8n-io/n8n/security/advisories/GHSA-62r4-hw23-cc8v
smartkeyss.com
smartkeyss.com/post/cve-2025-68668-breaking-out-of-the-python-sandbox-in-n8n