
A technical breakdown of two critical remote code execution (RCE) vulnerabilities in n8n and how to secure your automation infrastructure.

The n8n Security Crisis: Critical RCE Vulnerabilities (CVE-2026-21858 & CVE-2025-68613)

TL;DR: If you are running n8n versions prior to 1.122.0, your automation server is likely vulnerable to Remote Code Execution (RCE). CVE-2026-21858 is unauthenticated and allows full server takeover. Upgrade immediately to v1.122.0 or later and rotate all stored credentials.

Introduction

In the modern enterprise, automation is no longer a luxury—it is the central nervous system of operations. Tools like n8n serve as the "glue" connecting CRM data, cloud infrastructure, and internal communication. However, when this glue becomes a gateway for attackers, the impact is catastrophic.

In late 2025 and the first week of 2026, two critical vulnerabilities were disclosed that have sent the n8n community into a high-alert patching cycle. These vulnerabilities, CVE-2025-68613 and CVE-2026-21858, allow for Remote Code Execution (RCE), giving attackers the ability to execute arbitrary commands on your host system.

Given that n8n often holds the "keys to the kingdom"—including API keys for AWS, Stripe, and internal databases—a compromise here is not just a server breach; it is a multi-service security failure. In this article, we will break down the mechanics of these exploits and provide a clear roadmap for remediation.

CVE-2025-68613: The Sandbox Escape

Disclosed in December 2025, CVE-2025-68613 is a critical vulnerability (CVSS 9.9) affecting n8n's workflow expression evaluation system. This flaw targets authenticated users, making it a high risk for organizations with large teams or those using n8n for client-facing automation.

How it Works

The vulnerability resides in how n8n handles JavaScript expressions within its nodes. While n8n uses a sandbox to isolate these expressions from the underlying server, researchers discovered that the isolation was insufficient. By crafting specific expressions, an authenticated user could "escape" the sandbox and execute code with the same privileges as the n8n process.

The Risk Profile

For enterprises, an authenticated RCE is a major risk. It allows any user with workflow creation or editing permissions to escalate their privileges, bypass internal security controls, and access sensitive data stored in other workflows. If you provide n8n as a managed service to your clients, this vulnerability could lead to cross-tenant data breaches.

CVE-2026-21858: The Unauthenticated Webhook Exploit

Disclosed on January 7, 2026, CVE-2026-21858 is the more severe of the two, carrying a maximum CVSS score of 10.0. This is an unauthenticated RCE, meaning an attacker does not need an account or a password to compromise your server.

Content-Type Confusion

The technical root of this vulnerability is a "Content-Type confusion" flaw in n8n’s webhook and file-handling logic. Attackers can send specially crafted HTTP requests to public webhook endpoints with manipulated Content-Type headers. These headers confuse the internal request parser, allowing the attacker to override internal state variables.

The Path to Root Access

Once the internal state is overridden, an attacker can manipulate file-handling paths to access sensitive system files or forge administrative sessions. This ultimately leads to arbitrary code execution. Because this exploit targets the webhook system—which is designed to be internet-exposed by default—over 100,000 self-hosted instances were immediately at risk upon disclosure.

The Cascading Impact: When the "Hub" is Compromised

Automation platforms like n8n are unique because they are "hub" systems. A single n8n instance typically has credentials for dozens of external services. When an attacker gains RCE on an n8n host, the "blast radius" is immense:

  • Credential Theft: Attackers can dump the n8n database, which contains encrypted but retrievable credentials for every service you've connected.
  • Lateral Movement: An attacker can use n8n's network access to probe your internal VPC, databases, and other microservices.
  • Data Exfiltration: Malicious workflows can be silently added to intercept data flowing between your CRM and your data warehouse.

Immediate Remediation Steps

If you are running a self-hosted instance of n8n, you must act now.

Step 1: Patching Guide

Ensure your n8n instance is updated to at least version 1.121.0, though 1.122.0 is recommended for complete coverage of both vulnerabilities.

# Example update for Docker-based deployments
docker pull n8nio/n8n:latest
docker stop n8n
docker rm n8n
docker run ... n8nio/n8n:latest

Verify your version by checking the bottom left corner of the n8n UI.
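A fleet-wide version triage, written as an added example (not code from the article or from the n8n project): it parses the version string each instance reports, compares it numerically against 1.122.0, and treats a bare `latest` image tag as undecidable rather than as patched. The inventory mapping is constructed.

```python
"""Which self-hosted n8n instances still need the 1.122.0 upgrade?
Added example, not from the original article or the n8n project. The inventory
is constructed: fill it from the version shown bottom-left in each n8n UI."""
import re
from typing import Optional

PATCHED_VERSION = "1.122.0"  # version the article recommends for both CVEs

def parse_version(tag: str) -> Optional[tuple[int, int, int]]:
    """Extract MAJOR.MINOR.PATCH from '1.99.0', 'v1.99.0' or 'n8nio/n8n:1.99.0'.
    Returns None for tags such as 'latest' that carry no version information:
    a ':latest' image tag does not prove that the instance is patched."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)

def needs_upgrade(version: str, patched: str = PATCHED_VERSION) -> Optional[bool]:
    """True if version < patched, False if patched, None if undecidable.
    Compare numeric tuples, never strings: '1.99.0' > '1.122.0' as text,
    which would wrongly mark an old instance as patched."""
    have, want = parse_version(version), parse_version(patched)
    if have is None or want is None:
        return None
    return have < want

def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Sort hosts into vulnerable / patched / unknown buckets."""
    buckets: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        state = needs_upgrade(version)
        key = "unknown" if state is None else ("vulnerable" if state else "patched")
        buckets[key].append(host)
    return buckets

# Constructed inventory: host -> version string as reported by the UI or image tag.
SAMPLE_INVENTORY = {
    "n8n-prod.internal": "n8nio/n8n:1.99.0",
    "n8n-staging.internal": "1.122.0",
    "n8n-dev.internal": "v1.123.1",
    "n8n-legacy.internal": "n8nio/n8n:latest",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` bucket need a manual check in the UI, since pulling `:latest` says nothing about which version is actually running.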

Step 2: Mandatory Secret Rotation

Critical Action: If your instance was exposed to the internet prior to January 7, 2026, you must assume your credentials have been compromised. Once patched, you must rotate:

  1. Database passwords.
  2. API keys (Slack, AWS, OpenAI, etc.).
  3. n8n encryption keys (if possible).
  4. Administrative passwords for the n8n UI.

Step 3: Security Audit

Review your n8n execution logs for any unusual activity or unknown workflows created in the last 30 days. Look for webhook requests with strange headers or payloads.
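One way to do the "strange headers" part of that review, as an added example that is not part of the original article or the n8n project: an allowlist check over the reverse proxy's webhook access log. It assumes the proxy writes one JSON object per request with the field names used in the constructed sample below, that `/webhook/` and `/webhook-test/` are the only internet-facing paths, and that your workflows only ever receive the listed media types.

```python
"""Audit proxy logs for webhook requests with unusual Content-Type headers.
Added example (not n8n project code); assumes a constructed JSON-per-line
proxy log format and that workflows only receive the allowlisted media types."""
import json
import re

ALLOWED_MEDIA_TYPES = {"application/json", "application/x-www-form-urlencoded",
                       "multipart/form-data", "text/plain"}
ALLOWED_PARAMS = {"charset", "boundary"}
WEBHOOK_PATH = re.compile(r"^/webhook(-test)?/")  # n8n's default webhook prefixes

def content_type_issues(header: str) -> list[str]:
    """Reasons a Content-Type value looks abnormal; empty list means it passed."""
    reasons = []
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in header):
        reasons.append("control or non-ASCII characters in header")
    if "," in header:
        reasons.append("multiple Content-Type values")
    parts = [p.strip() for p in header.split(";")]
    media = parts[0].lower()
    if media not in ALLOWED_MEDIA_TYPES:
        reasons.append(f"unexpected media type {media!r}")
    for param in parts[1:]:
        name = param.partition("=")[0].strip().lower()
        if name not in ALLOWED_PARAMS:
            reasons.append(f"unexpected parameter {name!r}")
    return reasons

def scan(log_lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Return (line_no, remote, reasons) for webhook requests failing the rules."""
    findings = []
    for n, raw in enumerate(log_lines, 1):
        rec = json.loads(raw)
        if not WEBHOOK_PATH.match(rec.get("path", "")):
            continue  # only webhook endpoints are internet-facing by design
        ctype = rec.get("content_type", "")
        if rec.get("method") in ("GET", "HEAD") and not ctype:
            continue  # body-less requests legitimately omit the header
        reasons = content_type_issues(ctype)
        if reasons:
            findings.append((n, rec.get("remote", "?"), reasons))
    return findings

# Constructed sample log; lines 3-6 are the ones a reviewer should look at.
SAMPLE_LOG = [
    '{"remote":"10.0.0.5","method":"POST","path":"/webhook/abc123","content_type":"application/json"}',
    '{"remote":"10.0.0.6","method":"POST","path":"/rest/login","content_type":"text/html"}',
    '{"remote":"198.51.100.7","method":"POST","path":"/webhook/abc123","content_type":"application/json, text/html"}',
    '{"remote":"198.51.100.8","method":"POST","path":"/webhook-test/xyz","content_type":"text/html; charset=utf-8"}',
    '{"remote":"198.51.100.9","method":"POST","path":"/webhook/abc123","content_type":"multipart/form-data; boundary=xyz; filename=a"}',
    '{"remote":"198.51.100.10","method":"POST","path":"/webhook/abc123","content_type":"application/json\\u0000"}',
    '{"remote":"10.0.0.7","method":"GET","path":"/webhook/ping","content_type":""}',
]
```

`scan(SAMPLE_LOG)` returns four findings, for log lines 3 to 6; the non-webhook login request and the body-less GET are deliberately left alone so the report stays short enough to read.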

Strategic Defense: Hardening Your Automation Infrastructure

Patching is just the first step. To prevent future exploits from taking down your entire infrastructure, implement a "Defense in Depth" strategy:

  • Network Isolation: Never expose n8n directly to the public internet. Use a VPN or a Zero-Trust gateway (like Cloudflare Access) to gate-keep the UI.
  • Webhook Hardening: Use a dedicated reverse proxy or WAF to filter incoming webhook traffic.
  • Least Privilege: Run n8n in a container with a non-root user and restricted filesystem access.
  • Managed Security: Consider moving away from self-hosting if your team doesn't have the capacity for rapid security patching. Our Cybersecurity and Process Automation teams can help you build a more resilient setup.
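To make the Network Isolation and Least Privilege items above checkable rather than aspirational, here is an added example (not from the article or the n8n project) that audits a running container from its `docker inspect` record. It goes slightly beyond the list by also checking for dropped capabilities and privileged mode; the two JSON records are constructed and trimmed to the fields the checks read.

```python
"""Least-privilege audit of an n8n container from `docker inspect` output.
Added example, not from the original article or the n8n project; the JSON
records below are constructed, trimmed `docker inspect <container>` results."""
import json

def audit_container(inspect_json: str) -> list[str]:
    """Return the hardening gaps found in one container's inspect record."""
    record = json.loads(inspect_json)[0]  # docker inspect returns a list
    cfg, host = record.get("Config", {}), record.get("HostConfig", {})
    gaps = []
    user = (cfg.get("User") or "").split(":")[0]  # "uid:gid" or a name
    if user in ("", "0", "root"):
        gaps.append("runs as root: start the container with a non-root --user")
    if not host.get("ReadonlyRootfs"):
        gaps.append("writable root filesystem: use --read-only plus a data volume")
    if host.get("Privileged"):
        gaps.append("privileged container: remove --privileged")
    if "ALL" not in (host.get("CapDrop") or []):
        gaps.append("capabilities not dropped: add --cap-drop ALL")
    for port, bindings in (host.get("PortBindings") or {}).items():
        for b in bindings or []:
            if b.get("HostIp") in ("", "0.0.0.0", "::"):
                gaps.append(f"{port} published on all interfaces: "
                            "bind to 127.0.0.1 behind a proxy or VPN")
    return gaps

# Constructed: a default `docker run -p 5678:5678 n8nio/n8n` deployment.
WEAK_INSPECT = json.dumps([{
    "Config": {"User": "", "Image": "n8nio/n8n:latest"},
    "HostConfig": {"Privileged": False, "ReadonlyRootfs": False, "CapDrop": None,
                   "PortBindings": {"5678/tcp": [{"HostIp": "", "HostPort": "5678"}]}},
}])

# Constructed: the same container after applying the hardening items.
HARDENED_INSPECT = json.dumps([{
    "Config": {"User": "1000:1000", "Image": "n8nio/n8n:1.122.0"},
    "HostConfig": {"Privileged": False, "ReadonlyRootfs": True, "CapDrop": ["ALL"],
                   "PortBindings": {"5678/tcp": [{"HostIp": "127.0.0.1", "HostPort": "5678"}]}},
}])

if __name__ == "__main__":
    for name, record in (("weak", WEAK_INSPECT), ("hardened", HARDENED_INSPECT)):
        print(f"{name}: {audit_container(record) or ['no gaps found']}")
```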

Business Impact & The Bottom Line

From a business perspective, the "npm tax" or the cost of "Shadow IT" automation is often hidden until a breach occurs. A CVSS 10.0 vulnerability can lead to:

  • Financial Loss: The average cost of a data breach in 2025 is estimated at over $4.5 million, largely driven by credential compromise.
  • Compliance Violations: Unpatched RCE vulnerabilities are a direct violation of SOC2 and GDPR requirements.
  • Trust Erosion: Clients trust you with their data flows; a breach in your automation layer is a breach of that trust.

By prioritizing this update, you reduce your "Time to Remediation" (TTR) and protect your organization from a cascading failure. Proactive security in automation is no longer a "nice-to-have"—it is a fundamental requirement for business continuity.

Conclusion

The vulnerabilities discovered in n8n (CVE-2026-21858 and CVE-2025-68613) serve as a reminder that our most useful tools are often our biggest risks. The shift toward unauthenticated RCEs in 2026 highlights the need for a "Security-First" approach to automation.

Action Item: Upgrade your n8n instance to v1.122.0 today. If you need assistance with a security audit or infrastructure hardening, contact our expert team for a consultation.


For more technical deep dives, read our analysis of CVE-2025-66478: The Next.js RCE.

Published on January 08, 2026