n8n Automation Platform Hit by Wave of Critical Vulnerabilities and Active Exploitation

Four critical CVEs, active Mirai botnet exploitation, and a supply-chain attack via malicious npm packages make n8n a top enterprise security priority.

Cybersecurity researchers have disclosed four critical vulnerabilities in the n8n workflow automation platform within weeks of each other. Active botnet campaigns and a supply-chain attack are already underway, forcing enterprise security teams to treat remediation as a priority incident.

Background

With over 100 million Docker pulls, millions of users, and thousands of enterprise deployments, n8n has become a central element of automation infrastructure. The open-source platform enables technical teams to connect applications and services into custom automated processes through a visual, low-code drag-and-drop editor. Because n8n frequently serves as a central orchestration layer, connecting internal systems, cloud services, and third-party APIs, any compromise can cascade across an entire organization.

Automation platforms are frequently deployed outside central inventories, making external discovery critical and patching difficult to coordinate at scale.

Details

The vulnerability cluster spans two months of disclosures. CVE-2025-68613, carrying a CVSS score of 9.9, was publicly disclosed on December 19, 2025, and affects n8n versions from 0.211.0 through those prior to 1.120.4, 1.121.1, and 1.122.0. The flaw resides in the platform's server-side expression evaluation engine. It allows authenticated users to supply malicious JavaScript expressions inside workflows that escape the intended sandbox and execute arbitrary code with the privileges of the n8n process. In many environments, these permissions are shared broadly to support collaboration, increasing exposure in the event of credential compromise or insider misuse.

A second flaw, CVE-2026-21858, dubbed "Ni8mare" by Cyera Research Labs, carries a maximum CVSS score of 10.0 and requires no authentication, allowing full remote code execution through a content-type confusion bug. The vulnerability affects approximately 100,000 servers globally, according to Cyera, which discovered and reported the defect to n8n on November 9. In total, n8n disclosed four critical vulnerabilities over a two-week period, including CVE-2025-68668 (CVSS 9.9), a sandbox bypass fixed in version 2.0.0, and CVE-2026-21877 (CVSS 10.0), an unrestricted file upload vulnerability enabling full instance compromise.

"The risk is massive," said Dor Attias, security researcher at Cyera Research Labs. "n8n sits at the heart of enterprise automation infrastructure. Gaining control of n8n means gaining access to your secrets, customer data, CI/CD pipelines and more."

Active exploitation has materialized on multiple fronts. A botnet campaign dates back to at least early December 2025; exploitation attempts identified in Akamai's global honeypot network in mid-January 2026 were spreading a Mirai malware variant. By running malicious expressions on the underlying system, an attacker could read and write files on the server, steal environment variables such as API keys, and establish persistence.

Simultaneously, threat actors uploaded eight malicious packages to the npm registry masquerading as n8n community node integrations, marking the first supply-chain attack explicitly targeting the n8n ecosystem, according to Endor Labs. Once installed, the malicious nodes behaved like legitimate integrations, presenting configuration screens and collecting credentials, while covertly decrypting stored OAuth tokens and API keys and exfiltrating them to remote command-and-control servers. Researchers at Endor Labs noted that "community nodes run with the same level of access as n8n itself - they can read environment variables, access the file system, make outbound network requests, and, most critically, receive decrypted API keys and OAuth tokens during workflow execution."

Enterprises accustomed to monitoring build systems for supply-chain abuse may miss this class of attack entirely, as it targets automation platforms already embedded deep inside business workflows.

Outlook

Upwind CEO Amiram Shachar reported "a noticeable increase in traffic targeting customer n8n instances," attributing the activity to heightened interest from both attackers and security researchers. Patched versions 1.120.4, 1.121.1, 1.122.0, and 2.0.0 are available; n8n also advises organizations to avoid exposing their instances to the internet and to enforce authentication on all form-based workflows. Recommended interim controls pending full remediation include reviewing workflow-configuration permissions, limiting authenticated user access, restricting network exposure, placing n8n behind authentication gateways, and monitoring for unexpected workflow changes or anomalous process execution. On self-hosted instances, disabling community nodes by setting N8N_COMMUNITY_PACKAGES_ENABLED to false is advised until a formal vetting process is in place.
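To turn the affected range for CVE-2025-68613 (0.211.0 up to, but excluding, 1.120.4, 1.121.1 and 1.122.0) into an inventory check, here is an added example that is not n8n's tooling or part of the article; it assumes each instance reports a plain semantic version string, and the hostnames and versions in the sample inventory are constructed.

```python
"""Flag self-hosted n8n versions affected by CVE-2025-68613, using the
affected range stated in the advisory: 0.211.0 up to (but excluding)
1.120.4, 1.121.1 and 1.122.0.  Example code added for illustration, not
n8n's own tooling.  The inventory below is constructed sample data."""
from __future__ import annotations

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(1, 120): (1, 120, 4), (1, 121): (1, 121, 1), (1, 122): (1, 122, 0)}
FIRST_AFFECTED = (0, 211, 0)

def parse_version(v: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a leading 'v' and pre-release tags are ignored."""
    core = v.lstrip("v").split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def is_affected(version: str) -> bool:
    """True if this version falls inside the CVE-2025-68613 affected range."""
    ver = parse_version(version)
    if ver < FIRST_AFFECTED:
        return False
    branch = (ver[0], ver[1])
    if branch in FIXED:
        # Inside a patched branch only builds before the fix are affected.
        return ver < FIXED[branch]
    # Branches older than 1.120 are affected; 1.123+ and 2.x ship after the fix.
    return ver < FIXED[(1, 120)]

def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames whose reported n8n version is affected, sorted."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "n8n-prod-01": "1.120.3",
    "n8n-prod-02": "1.121.1",
    "n8n-legacy": "0.236.0",
    "n8n-dev": "1.121.0",
    "n8n-new": "2.0.0",
    "n8n-ancient": "0.210.2",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} affected by CVE-2025-68613, upgrade")
```

The same branch table can be extended with the fixed versions of the other three CVEs once an inventory source is wired in.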