Full Report
n8n security advisory (AV25-857) – Update 1
Analysis Summary
# Vulnerability: Remote Code Execution (RCE) via Expression Injection in n8n
## CVE Details
- **CVE ID:** CVE-2025-68613
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-94 (Improper Control of Generation of Code - 'Code Injection')
## Affected Systems
- **Products:** n8n workflow automation
- **Versions:** 0.211.0 up to, but not including, 1.120.4
- **Configurations:** Systems where untrusted user input can be processed via n8n expressions.
## Vulnerability Description
The vulnerability is a Remote Code Execution (RCE) flaw caused by insecure handling of n8n expressions (expression injection). In vulnerable versions, the application fails to properly sanitize or sandbox expression evaluation, allowing an attacker who can get input into an expression to execute arbitrary code on the host system with the privileges of the n8n process.
## Exploitation
- **Status:** **Exploited in the wild.** (Added to CISA Known Exploited Vulnerabilities (KEV) Catalog on March 11, 2026).
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full access to data and environment variables)
- **Integrity:** High (Ability to modify workflows and system files)
- **Availability:** High (Potential for complete system takeover or service disruption)
## Remediation
### Patches
The vendor has released patches to address this flaw. Users should upgrade to the following version or higher:
- **n8n v1.120.4**
### Workarounds
No specific official workarounds are provided in the advisory; because the flaw is being actively exploited, immediate patching is strongly recommended. Restricting network access to the n8n instance to trusted IP addresses reduces the attack surface in the meantime.
## Detection
- **Indicators of Compromise:** Look for unusual outbound network connections from the n8n host, unexpected file modifications in the n8n directory, or unauthorized administrative logins.
- **Detection methods and tools:**
- Monitor application logs for suspicious string patterns within n8n expressions.
- Utilize vulnerability scanners to identify outdated versions of n8n.
- Check for entries in the CISA KEV catalog to stay updated on exploitation trends.
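Two of the checks above can be scripted. The following added example (not code from n8n or from the advisory) reports whether a reported n8n version falls inside the affected range stated above and inventories the expressions in an exported workflow, flagging those that read data produced by upstream nodes (the place where untrusted input from a webhook or trigger reaches an expression). The `={{ ... }}` parameter syntax and the `$json`/`$input`/`$node` variable names are assumptions about n8n's export format, and the sample workflow is constructed.

```python
import json
import re

# Affected range taken from the advisory: 0.211.0 up to (not including) 1.120.4.
FIRST_AFFECTED = (0, 211, 0)
FIXED = (1, 120, 4)

def parse_version(v: str) -> tuple:
    """Turn '1.120.3' (optionally 'v'-prefixed or with a -suffix) into an int tuple."""
    core = v.lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))  # pad '1.120' to '1.120.0'
    return tuple(parts[:3])

def is_affected(version: str) -> bool:
    """True when the version is inside the vulnerable range from the advisory."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED

# Assumption about n8n exports: an expression parameter is a string beginning
# with "=" that embeds {{ ... }} blocks, and $json/$input/$node read data
# produced by upstream nodes (attacker-influenced when that node is a webhook).
EXPR_RE = re.compile(r"\{\{(.*?)\}\}", re.S)
UPSTREAM_VARS = ("$json", "$input", "$node")

def _strings(value, path=""):
    """Yield (dotted path, string) for every string in a nested parameter tree."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _strings(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _strings(v, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value

def audit_workflow(workflow: dict) -> list:
    """List every expression in an exported workflow and whether it uses upstream data."""
    findings = []
    for node in workflow.get("nodes", []):
        for path, text in _strings(node.get("parameters", {})):
            if not text.startswith("="):
                continue  # plain literal parameter, not an expression
            for m in EXPR_RE.finditer(text):
                body = m.group(1).strip()
                findings.append({"node": node.get("name"), "parameter": path, "expression": body,
                                 "uses_upstream_data": any(v in body for v in UPSTREAM_VARS)})
    return findings

# Constructed sample: a webhook whose request body feeds an HTTP Request URL.
SAMPLE_WORKFLOW = json.loads('{"nodes": [{"name": "Webhook", "parameters": {"path": "intake"}},'
    ' {"name": "HTTP Request", "parameters": {"url": "={{ $json.body.target }}", "method": "GET"}}]}')
```

Run `audit_workflow` over every workflow export on a host that `is_affected` reports as vulnerable to prioritise which workflows to review after patching.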
## References
- n8n Security Advisory: https://github[.]com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp
- CISA KEV Catalog: https://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- Canadian Centre for Cyber Security Advisory: https://www[.]cyber[.]gc[.]ca/en/alerts-advisories/n8n-security-advisory-av25-857