n8n Automation Flaw Puts AI-Driven Workflows on the Firing Line
– Critical bugs in popular automation tool n8n could hand attackers full control of servers.
– Security firms warn AI and data pipelines are now prime targets for remote code execution.
On Thursday, security researchers disclosed a cluster of serious flaws in n8n, a fast-growing open-source automation platform that many teams now use to connect AI agents, SaaS tools and internal systems.
The bugs, tracked under several CVE identifiers and rated as high as 10.0 on the CVSS severity scale, allow an attacker with a standard n8n account to execute arbitrary code on the underlying server and potentially take over the entire environment.
Once you own the n8n box, you effectively own whatever that box can talk to. For modern AI-heavy shops, that’s almost everything.
That was the blunt assessment from one cloud security researcher who reviewed the findings.
Security firm Orca Security and others describe the core issue as a series of remote code execution flaws in the way n8n evaluates workflow expressions and runs embedded JavaScript and Python. In plain terms, attackers can turn what look like normal automation steps into covert backdoors.
A Quiet Workhorse Becomes a High‑Value Target
n8n has quietly become digital glue for engineering and operations teams. Users drag and drop workflows that connect systems such as Slack, Salesforce, GitHub, cloud storage and large language models, then trigger actions automatically across them.
That flexibility is now part of the risk. If the automation layer is compromised, everything wired into it is suddenly in play.
In one critical flaw, CVE‑2025‑68613, researchers found that expressions supplied by authenticated users can escape their sandbox and run code with the same privileges as the n8n process. The issue affects versions starting with 0.211.0 and was fixed in releases 1.120.4, 1.121.1 and 1.122.0.
A second vulnerability, CVE‑2025‑68668, targets n8n’s Python Code Node. By bypassing a Pyodide-based sandbox, an attacker can run arbitrary system commands on any affected server from version 1.0.0 up to, but not including, 2.0.0.
More recently, CVE‑2026‑21877 pushed the urgency higher. Multiple advisories describe it as an authenticated remote code execution bug with a critical CVSS score of 9.9 or 10.0, affecting both self‑hosted installations and n8n’s own cloud service. A fix was shipped in version 1.121.3.
On paper these are “just” authenticated RCEs. But in the real world, the folks who have workflow access also have the keys to your data kingdom.
That warning came from a security architect at a U.S. financial firm, who asked not to be named because he is not authorized to speak publicly.
From AI Agents to Lateral Movement
Because n8n often sits at the center of AI-powered automation, a compromise can have an unusually wide blast radius.
Researchers say a successful attacker could quietly siphon off everything flowing through workflows: customer records, internal tickets, proprietary prompts for language models and API keys wired into SaaS platforms.
With system-level control of the n8n host, an intruder can then pivot into nearby servers, alter business processes or hijack connected AI agents to do their bidding.
Imagine an attacker silently rewriting workflows so your fraud alerts get suppressed or your AI support bot leaks sensitive data in edge cases. That’s the nightmare scenario we’re modeling for clients right now.
So far, public advisories say there are no confirmed, large-scale attacks exploiting these specific bugs. Still, vendors and defenders stress that the exploits are relatively simple and that n8n’s central role makes it an obvious target.
A Pattern, Not a One‑Off
The string of CVEs is prompting broader questions about how low-code and automation platforms are being designed and secured.
Security write‑ups highlight recurring themes:
- Weak isolation around expression engines
- Fragile sandboxes for user‑supplied code
- Powerful nodes—such as Git or Python—exposed to a broad set of authenticated users
This isn’t a single bug; it’s an architectural smell. When any workflow editor can become a shell, you don’t have automation, you have a distributed remote‑execution service.
That’s how one researcher at a European security lab summed it up.
Vendors including Qualys and Upwind now flag the n8n issues in their scanners and dashboards, urging customers to treat patching as an emergency task, not just another ticket in the queue.
At the same time, cloud-security platforms are scrambling to help customers locate every n8n instance in sprawling environments and determine whether any of them are exposed directly to the internet.
Patching in a Live Automation Factory
For many organizations, remediation is easier to describe than to execute.
The official recommendation is straightforward: upgrade to patched versions—1.120.4, 1.121.1, 1.122.0 and, where applicable, 2.0.0 or later. If upgrading isn’t immediately possible, security teams are told to disable risky nodes and tighten control over who can create or edit workflows.
In reality, those same workflows may be orchestrating payroll, handling support queues or driving AI‑based customer interactions around the clock. Taking them down, even briefly, can have real business impact.
One DevOps lead at a North American company described the internal scramble when the advisories landed.
We found three self‑hosted n8n boxes that no one had documented. They were running critical AI workflows, so we had to schedule emergency maintenance windows in the middle of the night to upgrade and rotate every API key they touched.
Security guidance also points to additional hardening steps, including:
- Placing n8n servers in tightly controlled network segments
- Limiting workflow creation and editing to a small, trusted group
- Moving secrets into external vaults so a compromised instance can’t freely read every password and token
For heavily regulated sectors such as healthcare and finance, a breach via n8n could quickly spill into compliance territory under frameworks like GDPR, HIPAA or emerging AI-governance rules, given the volume of personal and model-related data that often flows through these automations.
The New Front Line for AI Security
The n8n episode highlights a broader shift in how attackers think about targets. They no longer need to compromise every individual SaaS application if they can get a foothold in the orchestration layer that ties everything together.
Workflow engines and AI‑agent routers are the new crown jewels. They’re not just plumbing anymore. They’re command and control for the whole business.
As more companies wire critical operations through low-code tools and AI-driven workflows, security teams are facing a new question. It’s no longer whether these platforms will be targeted, but how quickly attackers will learn to treat quiet configuration consoles and workflow editors as their preferred way into the enterprise.
