Automation Crisis: Critical 9.9 CVSS Flaw Exposes 103K n8n Instances to Full Takeover
A critical vulnerability in the globally used workflow automation platform n8n allows attackers to execute arbitrary code remotely. Tracked as CVE-2025-68613, the flaw carries an exceptionally high CVSS score of 9.9 out of 10. Under certain conditions, it enables full system compromise, including access to sensitive data and the ability to alter existing workflows or execute operating system–level commands.
The issue stems from how n8n processes expressions entered by authenticated users when configuring workflows. In some scenarios, these expressions are evaluated within an execution context that is insufficiently isolated from the underlying environment. An attacker with access to the platform can exploit this behavior to run arbitrary code with the same privileges as the n8n process itself.
The vulnerability affects all versions from 0.211.0 through 1.120.3 inclusive. Patches are available in versions 1.120.4, 1.121.1, and 1.122.0. According to Censys, as of December 22, more than 103,000 potentially vulnerable n8n instances remain exposed on the internet, with the highest concentrations found in the United States, Germany, France, Brazil, and Singapore.
Given the severity of the flaw, administrators are strongly urged to apply the available updates without delay. Where immediate patching is not feasible, access to workflow creation and modification should be restricted to trusted users only, and n8n should be deployed in a tightly isolated environment with minimal privileges and constrained network access.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
