editorially independent. We may make money when you click on links
to our partners.
Learn More
A critical RCE flaw in the n8n automation platform puts over 103,000 exposed instances worldwide at risk.
The flaw allows authenticated attackers to execute arbitrary code with full system privileges, potentially leading to complete compromise of automation infrastructure.
Exploitation of the vulnerability can result in “… full remote code execution and complete system compromise,” said Secure Layer 7 researchers.
The Scope and Severity of the n8n Vulnerability
Automation platforms like n8n often sit at the center of business operations, orchestrating workflows across cloud services, internal systems, and sensitive data sources.
A single compromised instance can provide attackers with privileged access to credentials, data pipelines, and downstream systems, amplifying the blast radius far beyond the automation tool itself.
The vulnerability, tracked as CVE-2025-68613, carries a CVSS score of 9.9, reflecting both its high potential impact and relative ease of exploitation.
It affects n8n versions starting from 0.211.0 across multiple release branches, leaving a significant portion of deployed environments exposed unless patched.
Internet scanning data from Censys underscores the scale of the risk, identifying 103,476 potentially vulnerable n8n instances exposed across global networks.
This level of exposure increases the likelihood of opportunistic attacks, particularly against organizations that have delayed patching or rely on n8n for mission-critical automation.
Given n8n’s widespread adoption among DevOps teams, SaaS providers, and internal IT automation groups, the flaw represents a systemic risk — especially in environments where automation platforms may not traditionally be treated as high-risk assets.
How the n8n RCE Vulnerability Works
The flaw resides in n8n’s workflow expression evaluation system. Under specific conditions, expressions entered by authenticated users are executed without sufficient sandboxing or isolation.
This allows attackers to bypass intended security boundaries and interact directly with the underlying operating system.
Unlike many high-profile RCE flaws, exploitation does not require unauthenticated access or external input.
Instead, attackers only need valid credentials — making the vulnerability particularly dangerous in environments where credentials may be reused, phished, or shared.
Once exploited, attackers can access sensitive workflow data, modify automation logic, deploy malicious payloads, or establish persistence on the host.
Although no active exploitation was reported at the time of disclosure on December 19, 2025, security researchers at SecureLayer7 have released a proof-of-concept (PoC) exploit.
Key Steps to Mitigate n8n Exploitation Risk
Because automation platforms often operate with elevated privileges, exploitation can have cascading effects across connected systems.
Addressing the risk requires more than applying patches alone, especially in environments where automation platforms have elevated access to critical systems.
- Immediately upgrade all affected n8n deployments to patched versions.
- Restrict workflow creation, editing, and administrative access to highly trusted users and enforce strong authentication, including phishing-resistant MFA.
- Harden n8n deployments by running services with least privilege, non-root execution, network segmentation, and tightly controlled outbound connectivity.
- Audit user accounts, workflow changes, and secrets stored within n8n, and rotate any credentials that may have been exposed during the vulnerable period.
- Monitor application, system, and network logs for signs of unauthorized command execution, suspicious workflow activity, or anomalous outbound connections.
- Conduct retrospective threat hunting and incident readiness reviews to identify potential past exploitation and improve response capabilities.
Implementing these measures can help reduce exploitation risk, contain potential impact, and improve overall security resilience.
This vulnerability highlights a broader shift in attacker focus toward automation and orchestration platforms that connect multiple systems, data sources, and trust zones across the enterprise.
As organizations rely more on low-code and workflow tools, weaknesses in these platforms can enable lateral movement and privilege escalation, allowing a single flaw to trigger a widespread security incident.
This growing reliance on interconnected platforms is prompting many organizations to adopt zero-trust solutions that limit implicit trust and restrict access across every system interaction.
