Severe n8n Security Bug (CVSS 9.9) Opens the Door to Remote Code Execution on Thousands of Systems
A serious security weakness has been uncovered in the popular n8n workflow automation platform, and it’s one that’s hard to ignore. If attackers manage to exploit it, they could run their own code on affected systems — a nightmare scenario for administrators and businesses relying on n8n every day.
This vulnerability is officially tracked as CVE-2025-68613 and has been given a CVSS score of 9.9 out of 10, placing it in the most dangerous category. The issue was discovered and responsibly reported by security researcher Fatih Çelik. To put the impact into perspective, the n8n package sees around 57,000 weekly downloads on npm, meaning a very large user base could be at risk.
According to the n8n maintainers, the problem lies in how certain expressions are handled during workflow setup. “In specific scenarios, expressions provided by authenticated users may be executed in an environment that isn’t properly isolated from the core runtime,” they explained. In simpler terms, the system doesn’t always keep user inputs safely contained.
This creates a frightening opportunity for attackers. A logged-in user with malicious intent could take advantage of this behavior to execute arbitrary code with the same permissions as the n8n process itself. If that happens, the consequences could be severe — from stealing sensitive data and altering workflows to running system-level commands and completely taking over the server.
The vulnerability affects all versions from 0.211.0 up to (but not including) 1.120.4. Thankfully, the issue has now been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Still, the scale of exposure is alarming. Data from attack surface monitoring platform Censys shows that as of December 22, 2025, there are 103,476 n8n instances that could potentially be vulnerable. Most of these are based in the United States, Germany, France, Brazil, and Singapore.
Given how critical this flaw is, users are strongly urged to update immediately. Delaying could leave systems wide open to attack. If upgrading right away isn’t possible, there are temporary steps that can help reduce risk: limit workflow creation and editing to only trusted users, run n8n in a locked-down environment, and restrict operating system privileges and network access. While these measures aren’t a permanent fix, they can buy valuable time and help protect your systems from serious harm.
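To turn the version details above into a check an administrator can run, here is an added example (not from the article or the n8n project) that reads the JSON printed by `npm ls n8n --json` and reports whether the installed build falls in the affected range. It assumes npm's `dependencies.n8n.version` output shape, ignores prerelease suffixes, and treats each listed fix release as the first patched build on its minor line (so 1.121.0 is counted as affected); the sample input is constructed.

```javascript
// Affected range from the advisory: >= 0.211.0 and < 1.120.4.
// Fixed releases: 1.120.4, 1.121.1, 1.122.0. Assumption: each fix release is the
// first patched build on its minor line, so 1.121.0 is still treated as affected.
const FIRST_AFFECTED = [0, 211, 0];
const FIXED_RELEASES = [[1, 120, 4], [1, 121, 1], [1, 122, 0]];

// Parse "1.120.3", "v1.120.3" or "1.120.3-rc.1" into [major, minor, patch].
// Prerelease/build suffixes are ignored (assumption: treated like the base version).
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised n8n version string: ${s}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of [major, minor, patch]: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True when the given n8n version is affected by CVE-2025-68613.
function isAffected(versionString) {
  const v = parseVersion(versionString);
  if (compareVersions(v, FIRST_AFFECTED) < 0) return false; // predates the bug
  // If a fix exists on this exact minor line, anything below it is affected.
  const lineFix = FIXED_RELEASES.find((f) => f[0] === v[0] && f[1] === v[1]);
  if (lineFix) return compareVersions(v, lineFix) < 0;
  // Otherwise only builds older than the earliest fix release are affected.
  return compareVersions(v, FIXED_RELEASES[0]) < 0;
}

// Audit the JSON from `npm ls n8n --json` (assumed shape: dependencies.n8n.version).
// Returns { version, affected }, or null when n8n is not installed in that tree.
function auditNpmLs(jsonText) {
  const tree = JSON.parse(jsonText);
  const entry = tree.dependencies && tree.dependencies.n8n;
  if (!entry || !entry.version) return null;
  return { version: entry.version, affected: isAffected(entry.version) };
}

// Constructed sample, as if captured from a host still running a pre-fix build.
const SAMPLE_NPM_LS = JSON.stringify({
  name: 'automation-host',
  dependencies: { n8n: { version: '1.120.3' } },
});

console.log(auditNpmLs(SAMPLE_NPM_LS)); // { version: '1.120.3', affected: true }
```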