
CVE-2025-68668: n8n Python Sandbox Escape

CVE ID: CVE-2025-68668

Severity: CRITICAL | CVSS: 9.9

Sources: 3 different security sources

Let Me Explain What Happened

Let me walk you through a serious security issue that's been discovered in n8n, a popular open-source workflow automation platform. Think of n8n as a tool that helps businesses automate repetitive tasks by connecting different applications together. The problem here is that someone with legitimate access to create workflows could break out of a security sandbox—imagine it like a prisoner escaping from a supposedly secure cell—and run commands directly on the computer hosting n8n. This is particularly concerning because workflow automation tools often have access to sensitive business data and systems.

The vulnerability was publicly disclosed on December 26, 2025, and carries a Critical rating with a CVSS 3.1 base score of 9.9, close to the top of the scale. What makes this especially noteworthy is that it affects a widely-used automation platform that many organizations rely on for critical business processes.

A Bit More Detail

The vulnerability exists specifically in the Python mode of n8n's Code node, which uses Pyodide to run Python code in what should be a secure, isolated environment. The security researchers discovered that this isolation could be bypassed, allowing an authenticated user, meaning someone who already holds valid credentials and can create or edit a workflow, to execute arbitrary commands on the host system with the same privileges as the n8n process itself. This is what we call a "sandbox escape" or "sandbox bypass" vulnerability, and it is classified as CWE-693 (Protection Mechanism Failure).

According to reporting from The Hacker News on January 6, 2026, this vulnerability has been actively discussed in the security community, with Rapid7's Emergent Threats team providing detailed analysis on January 8, 2026. Cyble's vulnerability intelligence team also tracked this issue as part of their weekly vulnerability roundup published on January 9, 2026.

The Technical Specifics

  • Attack Vector: Network-based (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L)
  • Affected Products: n8n versions from 1.0.0 up to, but not including, 2.0.0
  • CWE Classification: CWE-693 (Protection Mechanism Failure)
  • Authentication Required: Yes (Low-privileged authenticated user)
  • Scope: Changed (attacker can affect resources beyond the vulnerable component)
  • Impact: High confidentiality impact, High integrity impact, Low availability impact

The CVSS score of 9.9 tells us several important things about this vulnerability. The "Network" attack vector means an attacker can exploit this remotely over a network connection. The "Low" attack complexity indicates that exploitation doesn't require special conditions or extensive preparation. The "Low" privileges required means any authenticated user with workflow creation permissions can potentially exploit this. The "Changed" scope is particularly significant—it means the vulnerability allows an attacker to impact resources beyond the vulnerable component itself, essentially breaking out of the intended security boundaries.

Understanding the Timeline

Here's how the disclosure unfolded, based on the sources available:

  • December 26, 2025: The National Vulnerability Database officially published CVE-2025-68668, with n8n releasing version 2.0.0 containing the patch
  • January 6, 2026: The Hacker News reported on the vulnerability, bringing it to wider public attention
  • January 8, 2026: Rapid7's Emergent Threats team published detailed analysis, noting this was among multiple critical vulnerabilities affecting n8n
  • January 9, 2026: Cyble included this vulnerability in their weekly intelligence roundup

What You Should Do About This

Let me guide you through the steps you need to take, starting with the most urgent actions:

  • Right Now (Immediate Actions):
    • Identify your exposure: Check whether you are running an n8n release from 1.0.0 up to, but not including, 2.0.0. You can typically find this in your n8n instance's settings or about page, or from the container image tag of a self-hosted deployment. Note that exposure does not depend on whether any existing workflow uses Python: an instance is affected as long as a user who can create a workflow could add a Code node in Python mode.
    • Review user permissions: Audit who has permissions to create or modify workflows in your n8n instance. Remember, any authenticated user with these permissions could potentially exploit this vulnerability.
    • Monitor for suspicious activity: Look for unusual workflow creations or modifications, especially those involving Python Code Nodes, and review logs for unexpected system commands or process executions.
  • For the Long Term (Permanent Fixes):
    • Upgrade to version 2.0.0 or later: This is the primary and most comprehensive fix. The n8n team has patched the sandbox bypass vulnerability in version 2.0.0. Plan your upgrade carefully, testing in a non-production environment first.
    • If immediate upgrade isn't possible, implement workarounds: The n8n team has provided several temporary mitigation options. Each one removes or replaces the Pyodide-based Python execution path, so verify that the setting actually took effect on your instance (for example by confirming that the Code node, or its Python option, no longer appears in the editor):
      • Disable the Code node entirely by setting the environment variable NODES_EXCLUDE to the JSON array string ["n8n-nodes-base.code"]; inside a quoted YAML or JSON value this is written as NODES_EXCLUDE: "[\"n8n-nodes-base.code\"]". This also removes the JavaScript mode of the Code node, so any workflow that relies on it will stop working.
      • Disable Python support specifically in the Code node by setting N8N_PYTHON_ENABLED=false. This variable is only honoured in n8n version 1.104.0 and later; on older affected releases it has no effect, so use the NODES_EXCLUDE option instead.
      • Configure n8n to use the task runner based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables, which moves Python execution out of the Pyodide path that this vulnerability targets.
    • Implement the principle of least privilege: Review and restrict workflow creation and modification permissions to only those users who absolutely need them for their job functions.
    • Enable comprehensive logging: Ensure you're capturing detailed logs of workflow executions, user actions, and system-level activities for forensic analysis if needed.
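The exposure check and the three workarounds above can be evaluated mechanically. The script below is an added example written for this page, not code from n8n or from the cited advisories: given a version string and the environment an instance runs with, it reports whether the release is in the affected range and which workaround, if any, is in effect. The affected range (1.0.0 up to but not including 2.0.0) and the 1.104.0 threshold for N8N_PYTHON_ENABLED come from the text above; the assumption that N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER are switched on with the string "true" is this example's own, since the page does not state their values.

```python
import json

AFFECTED_MIN = (1, 0, 0)        # first affected release, per the advisory
FIXED = (2, 0, 0)               # first fixed release
PYTHON_FLAG_MIN = (1, 104, 0)   # N8N_PYTHON_ENABLED is honoured from this release on


def parse_version(version: str) -> tuple:
    """Turn '1.104.0', 'v1.104.0' or '1.104.0-rc.1' into (1, 104, 0); pre-release/build tags are ignored."""
    core = version.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised n8n version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) < FIXED


def _is_true(value) -> bool:
    # Assumption of this example: the runner variables are enabled with the string "true".
    return str(value).strip().lower() == "true"


def assess(version: str, env: dict) -> dict:
    """Report whether an instance is exposed and which of the advisory's workarounds is in effect."""
    v = parse_version(version)
    result = {"version": version, "affected": is_affected(version),
              "mitigations": [], "warnings": []}
    if not result["affected"]:
        result["exposed"] = False
        return result

    # Workaround 1: the Code node is excluded entirely (NODES_EXCLUDE is a JSON array string).
    try:
        excluded = json.loads(env.get("NODES_EXCLUDE", "[]"))
    except json.JSONDecodeError:
        excluded = []
        result["warnings"].append("NODES_EXCLUDE is not valid JSON and will not exclude anything")
    if "n8n-nodes-base.code" in excluded:
        result["mitigations"].append("code-node-excluded")

    # Workaround 2: Python disabled in the Code node; only honoured on 1.104.0 and later.
    if env.get("N8N_PYTHON_ENABLED", "").strip().lower() == "false":
        if v >= PYTHON_FLAG_MIN:
            result["mitigations"].append("python-disabled")
        else:
            result["warnings"].append("N8N_PYTHON_ENABLED=false is ignored before 1.104.0")

    # Workaround 3: task-runner based Python sandbox instead of the Pyodide path.
    if _is_true(env.get("N8N_RUNNERS_ENABLED")) and _is_true(env.get("N8N_NATIVE_PYTHON_RUNNER")):
        result["mitigations"].append("native-python-runner")

    result["exposed"] = not result["mitigations"]
    return result


if __name__ == "__main__":
    # Constructed sample deployments: the same release with a weak and a corrected environment.
    weak = {"N8N_PYTHON_ENABLED": "false"}                 # no effect on 1.100.0
    corrected = {"NODES_EXCLUDE": '["n8n-nodes-base.code"]'}
    for env in (weak, corrected):
        print(json.dumps(assess("1.100.0", env), indent=2))
```

Run it against the real environment with assess(version, dict(os.environ)); a result with "exposed": true and a non-empty "warnings" list is the case to look for, since it means a workaround was configured but is not doing anything on that release.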

Detection and Hunting Guidance

If you're a security analyst or system administrator, here are some ways to detect potential exploitation attempts:

  • Workflow Analysis: Review recently created or modified workflows, particularly those containing Python Code Nodes. Look for unusual imports, system calls, or attempts to access file systems or network resources.
  • Process Monitoring: Monitor for unexpected child processes spawned by the n8n process, especially those involving system shells (bash, sh, cmd) or system utilities.
  • Log Analysis: Search your n8n logs for error messages related to Pyodide, sandbox violations, or Python execution failures that might indicate exploitation attempts.
  • Network Monitoring: Watch for unusual outbound network connections from your n8n server, which could indicate command-and-control communication or data exfiltration.
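The workflow review in the first bullet is easy to automate against n8n's JSON workflow exports. The scanner below is an added example for this page, not code from n8n or from any of the cited sources. It assumes the export layout a Code node uses (type "n8n-nodes-base.code", with "language": "python" and the script in "pythonCode"; JavaScript is the default when "language" is absent) and applies a small set of generic indicators of Python trying to reach outside the interpreter: imports of host-facing modules, the Pyodide JavaScript bridge, dynamic execution and file access. Those indicators are this example's own hunting heuristics, not a signature for the specific technique behind CVE-2025-68668, which the sources above do not describe. The sample workflow is constructed for the demonstration.

```python
import json
import re

CODE_NODE_TYPE = "n8n-nodes-base.code"

# Hunting heuristics (an assumption of this example): patterns that a benign data-shaping
# snippet rarely needs, each anchored to a line start where that reduces false positives.
INDICATORS = {
    "host-module-import": re.compile(
        r"^\s*(?:import|from)\s+(?:os|subprocess|socket|ctypes|sys|shutil)\b", re.M),
    "js-bridge": re.compile(
        r"^\s*(?:import|from)\s+(?:js|pyodide)\b", re.M),
    "dynamic-exec": re.compile(r"\b(?:eval|exec|__import__)\s*\("),
    "file-access": re.compile(r"\bopen\s*\("),
}


def python_code_nodes(workflow: dict):
    """Yield (node name, source) for every Code node in Python mode in an exported workflow."""
    for node in workflow.get("nodes", []):
        if node.get("type") != CODE_NODE_TYPE:
            continue
        params = node.get("parameters", {})
        if params.get("language", "javaScript") != "python":   # JavaScript is the default mode
            continue
        yield node.get("name", "<unnamed>"), params.get("pythonCode", "")


def suspicious_indicators(code: str) -> list:
    """Names of the indicator patterns that match the given Python source, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(code)]


def scan_workflow(workflow: dict) -> list:
    """Return one finding per Python Code node that trips at least one indicator."""
    findings = []
    for node_name, code in python_code_nodes(workflow):
        hits = suspicious_indicators(code)
        if hits:
            findings.append({"workflow": workflow.get("name"), "node": node_name, "indicators": hits})
    return findings


def scan_export_file(path: str) -> list:
    """Scan an exported workflow file; exports may hold a single workflow or a list of them."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    workflows = data if isinstance(data, list) else [data]
    return [f for wf in workflows for f in scan_workflow(wf)]


# Constructed sample export (not a real workflow): a JavaScript node, a benign Python node,
# and a Python node that imports host-facing modules.
SAMPLE_WORKFLOW = json.loads("""
{
  "name": "Invoice sync",
  "nodes": [
    {"name": "JS transform", "type": "n8n-nodes-base.code",
     "parameters": {"jsCode": "return $input.all();"}},
    {"name": "Py format", "type": "n8n-nodes-base.code",
     "parameters": {"language": "python",
                    "pythonCode": "import json\\nreturn [{'json': {'ok': True}}]"}},
    {"name": "Py odd", "type": "n8n-nodes-base.code",
     "parameters": {"language": "python",
                    "pythonCode": "import js\\nimport subprocess\\nreturn _input.all()"}}
  ],
  "connections": {}
}
""")

if __name__ == "__main__":
    for finding in scan_workflow(SAMPLE_WORKFLOW):
        print(json.dumps(finding))
```

Point scan_export_file at a bulk export of all workflows and review every finding by hand; the benign node importing json is deliberately not flagged, and a match is a reason to read the node, not proof of exploitation.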

Going Deeper: The Technical Context

For those of you who want to understand the deeper technical aspects, let me explain what makes this vulnerability particularly significant. Pyodide is a port of CPython to WebAssembly, designed to run Python code inside a JavaScript host such as a web browser or, as here, a server-side JavaScript runtime. One caveat a practitioner should keep in mind: Pyodide is an execution environment, not a security boundary in its own right. It ships a bridge between Python and the host's JavaScript objects, so how isolated the Python code really is depends on what the embedding application exposes to it and how carefully that surface is restricted. The security model of a product like n8n therefore relies on the assumption that code running in this environment cannot reach the underlying system through that host.

When a sandbox bypass vulnerability exists, it fundamentally undermines this security model. An attacker who can execute arbitrary Python code within what should be a restricted environment can leverage the bypass to execute system-level commands. This is especially dangerous in workflow automation platforms because these systems hold credentials and API tokens for many other services, and the n8n process itself is often run with more privilege than it strictly needs.

The "Changed" scope in the CVSS vector (S:C) is particularly important here. It indicates that the vulnerability allows an attacker to affect resources beyond the vulnerable component's security scope. In practical terms, this means an attacker isn't just compromising the n8n application itself—they're potentially gaining access to the entire host system, any data the n8n process can access, and potentially other systems that the host can reach.

From a MITRE ATT&CK framework perspective, this vulnerability could enable several tactics:

  • Initial Access (TA0001): Authentication is required, so the initial foothold is typically a compromised or misused account (Valid Accounts, T1078)
  • Execution (TA0002): The core of the vulnerability, arbitrary command execution through a scripting interpreter (Command and Scripting Interpreter, T1059; Python, T1059.006)
  • Persistence (TA0003): An attacker could modify workflows, or schedule a trigger, to maintain access
  • Privilege Escalation (TA0004): Depending on how n8n is deployed (for example as root in a container, or with a mounted Docker socket), code running as the n8n process could lead to further privilege escalation
  • Defense Evasion (TA0005): Malicious code could be hidden within legitimate-looking workflows

Why This Matters to You

Even if you don't use n8n directly, this vulnerability highlights important security principles that apply broadly. Sandbox escapes represent a fundamental breakdown in security boundaries, and they're particularly concerning in automation platforms that often have broad access to organizational resources. The fact that this requires authentication might seem like a limiting factor, but remember that insider threats and compromised credentials are common attack vectors.

The rapid response from the n8n team—providing not just a patch but also multiple workaround options—demonstrates good security practices. However, the 9.9 CVSS score reflects the serious nature of the vulnerability and the importance of prompt remediation.

Where I Found This Information


Note: This is automated security intelligence based on multiple sources. Always test updates carefully in a non-production environment before applying them to production systems. The information provided here is current as of the publication dates listed, but security situations evolve rapidly—always check for the latest updates from official sources.
