Security

Critical n8n Vulnerability (CVSS 9.9) Threatens Over 100,000 Workflow Automation Instances

A severe security vulnerability in n8n, a popular workflow automation platform, has security teams scrambling this holiday week. The flaw, tracked as CVE-2025-68613 and scored at a critical 9.9 out of 10, could allow authenticated attackers to execute arbitrary code on affected servers-and over 100,000 instances may be vulnerable.

The Vulnerability Details

Security researcher Fatih Çelik discovered the flaw, which stems from how n8n handles user-supplied expressions during workflow configuration. According to the maintainers, these expressions can be evaluated in an execution context that isn’t sufficiently isolated from the underlying runtime.

In plain terms: authenticated users could exploit this to run whatever code they want with the privileges of the n8n process itself. That means full system compromise, unauthorized data access, workflow tampering, and system-level operations-all on the table.

The vulnerability affects all n8n versions from 0.211.0 up to (but not including) 1.120.4. Patches are available in versions 1.120.4, 1.121.1, and 1.122.0.

Massive Exposure

The scale is concerning. According to Censys, approximately 103,476 potentially vulnerable instances were exposed as of December 22, 2025. The geographic distribution shows concentrations in the United States, Germany, France, Brazil, and Singapore-suggesting both enterprise and individual deployments are at risk.

With around 57,000 weekly downloads on npm, n8n has a substantial user base. Many organizations rely on it to automate critical workflows, making this vulnerability particularly dangerous if exploited at scale.

Immediate Actions Required

If you’re running n8n, the priority is clear: update immediately to version 1.120.4, 1.121.1, or 1.122.0. This isn’t a “patch when convenient” situation-the CVSS score of 9.9 puts it in the most severe category for a reason.

For environments where immediate patching isn’t feasible, the n8n team recommends:

  • Restricting workflow creation and editing permissions to only trusted users
  • Deploying n8n in a hardened environment with limited OS privileges
  • Implementing strict network access controls to minimize exposure

These mitigations won’t eliminate the risk, but they’ll reduce the attack surface while you prepare to patch.

This vulnerability highlights a recurring challenge with workflow automation platforms: they need flexibility to be useful, but that flexibility can create security risks. When users can define custom logic and expressions, isolating those operations from the underlying system becomes critical-and clearly difficult.

The good news is that n8n’s maintainers responded quickly with patches across multiple versions. The bad news is that with over 100,000 potentially vulnerable instances and the holiday season upon us, many systems may remain unpatched for longer than they should.

If you’re managing n8n instances, don’t wait for the new year. Patch now, before someone else decides to test this vulnerability on your infrastructure.