Critical n8n Automation Platform Vulnerability Exposes Over 103,000 Instances to Remote Code Execution
A critical security flaw has been identified in n8n, an open-source workflow automation tool, potentially exposing more than 103,000 instances worldwide to remote code execution (RCE) attacks. This vulnerability, designated as CVE-2025-68613, carries a maximum Common Vulnerability Scoring System (CVSS) severity score of 9.9, underscoring its critical nature.
Understanding the Vulnerability
The core of this vulnerability lies within n8n’s workflow expression evaluation system. Under specific conditions, expressions input by authenticated users are executed without adequate isolation, granting them access to the underlying system. This design flaw enables attackers with legitimate access to bypass security boundaries and execute arbitrary code. Successful exploitation could lead to unauthorized access to sensitive data stored within workflows, modification of workflow configurations, and execution of system-level operations. The ramifications are particularly concerning for organizations that rely on n8n for critical automation processes.
Affected Versions and Patch Information
The vulnerability affects n8n versions starting from 0.211.0 up to, but not including, versions 1.120.4, 1.121.1, and 1.122.0. To address this issue, the n8n security team has released patches across three update tracks:
– Track 1: Patched in version 1.120.4
– Track 2: Patched in version 1.121.1
– Track 3: Patched in version 1.122.0
Users are strongly advised to upgrade to the latest patched versions to mitigate the risk associated with this vulnerability.
Temporary Mitigation Measures
For organizations unable to update immediately, temporary mitigations include:
– Restricting Workflow Creation and Editing Permissions: Limit these capabilities to trusted users only.
– Deploying n8n in Hardened Environments: Implement restricted operating system privileges and network access.
It’s important to note that these workarounds do not eliminate the risk entirely and should only be considered short-term measures until the system can be fully updated.
Exploitation Status and Recommendations
As of December 19, 2025, there have been no reports of active exploitation in the wild. However, the publication of a proof-of-concept exploitation guide by SecureLayer7 increases the risk of future attacks. Data from Censys highlights the extensive exposure, identifying 103,476 potentially vulnerable n8n instances across global networks, emphasizing the urgency of patching efforts.
Organizations utilizing n8n should prioritize immediate patching to the latest available versions. Security teams are advised to:
– Audit Workflow Permissions: Review and adjust permissions to ensure only authorized users have access.
– Monitor System Logs: Keep an eye out for unauthorized activity that could indicate exploitation attempts.
Given the critical nature and broad exposure of this vulnerability, treating it as a high-priority security incident is essential for protecting automation infrastructure and sensitive data.
