Advisory

Critical sandbox bypass reported in n8n automation platform

Take action: If you are using n8n, make sure it is not exposed to the internet and is accessible to trusted users only. Then patch n8n to version 2.0.0 or later ASAP. Until you can patch, disable either Python support or the entire Code Node.


Learn More

n8n, an open-source workflow automation platform, has disclosed a critical security flaw that lets ordinary workflow editors take over the host server.

The flaw is tracked as CVE-2025-68668 (CVSS score 9.9) and allows anyone with permission to create or edit workflows to run arbitrary commands on the system. The platform fails to isolate Python code from the underlying Node.js runtime. Attackers can use this path to break out of the intended sandbox and act with the same rights as the n8n service itself.

The root cause is a design failure in the Python Code Node, which uses Pyodide to run Python compiled to WebAssembly. Pyodide includes a bridge (exposed to Python as the js module) that lets Python code reach the host JavaScript runtime. In n8n that host runtime is the Node.js process running n8n itself, so in vulnerable versions the bridge gives Python code direct access to Node.js internals, including the ability to load modules such as child_process. By calling these modules, a user bypasses every limit the WebAssembly sandbox was supposed to impose and runs shell commands directly on the host operating system.

Simple exploit example (pasted into a Code Node set to Python on a vulnerable, pre-2.0.0 n8n):

# Pyodide exposes the host JavaScript global scope as the `js` module;
# inside n8n that host is the Node.js process, so `require` is reachable
from js import require

# Access Node.js child_process module through Pyodide's JavaScript bridge
child_process = require("child_process")

# Execute arbitrary system command with the privileges of the n8n service
result = child_process.execSync("whoami").toString()

# Return the output as the node's result, just like a legitimate Code Node
return {"output": result}

Attackers who reach the host can steal API credentials and tokens for connected third-party services, database passwords, internal configuration files, environment variables containing cloud secrets, proprietary workflow logic, and internal business data.

n8n patched this issue in version 2.0.0 by removing the Pyodide-based Python execution from the Code Node and moving to a task runner model. In this architecture user-supplied Python runs in a separate process rather than inside the n8n Node.js process, so there is no in-process JavaScript bridge to escape through; the process boundary is what prevents host command execution.

Organizations should update to n8n version 2.0.0 or later to fix the flaw. If an immediate update is not possible, administrators should set the environment variable N8N_PYTHON_ENABLED=false to turn off Python support in the Code Node. Another option is to block the Code Node entirely (both its JavaScript and Python modes) by setting NODES_EXCLUDE=["n8n-nodes-base.code"]; note that existing workflows using the node will then stop running. Both settings are read at startup, so restart the n8n service after changing them.
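The following triage script is an added example written for this advisory; it is not code from the n8n project or from the advisory's author. It does two things an administrator wants to know before and after applying the steps above: it decides whether a given n8n instance is mitigated (patched to 2.0.0 or later, Python disabled, or the Code Node excluded) from the version and the environment the service runs with, and it scans exported workflow JSON for Python Code Nodes that reach into Pyodide's JavaScript bridge, the escape path the exploit above uses, so you can tell whether someone has already planted such a payload. The assumptions are mine and not stated in the advisory: workflow exports list nodes under "nodes" with type "n8n-nodes-base.code" and keep the Python source in parameters["pythonCode"], NODES_EXCLUDE is a JSON array string, and the sample workflow and version numbers are constructed for the demonstration.

```python
"""Triage helper for CVE-2025-68668 (n8n Python Code Node sandbox bypass).

Added example, not n8n project code. Assumptions (not from the advisory):
  - exported workflows carry a "nodes" list; Code Nodes have
    type "n8n-nodes-base.code" and Python source in parameters["pythonCode"]
  - NODES_EXCLUDE is a JSON array string, as in the advisory's workaround
  - version numbers and the sample workflow below are constructed
"""
import json
import re

CODE_NODE_TYPE = "n8n-nodes-base.code"
FIXED_VERSION = (2, 0, 0)  # first release without the Pyodide bridge

# Indicators that Python source touches the Pyodide JS bridge or Node.js.
BRIDGE_PATTERNS = {
    "js-bridge-import": re.compile(r"^\s*(?:from\s+js\s+import\b|import\s+js\b)", re.M),
    "node-require": re.compile(r"\brequire\s*\(\s*['\"][^'\"]+['\"]\s*\)"),
    "child-process": re.compile(r"\bchild_process\b"),
    "shell-exec": re.compile(r"\b(?:execSync|spawnSync|execFileSync)\s*\("),
}


def parse_version(version):
    """'1.100.0' -> (1, 100, 0); a leading 'v' and -pre/+build suffixes are dropped."""
    core = version.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def excluded_nodes(env):
    """Node types removed via NODES_EXCLUDE; malformed values count as nothing excluded."""
    raw = env.get("NODES_EXCLUDE", "").strip()
    if not raw:
        return set()
    try:
        value = json.loads(raw)
    except json.JSONDecodeError:
        return set()
    return set(value) if isinstance(value, list) else set()


def is_mitigated(version, env):
    """Return (mitigated, reason) for an n8n version string and its service environment."""
    if parse_version(version) >= FIXED_VERSION:
        return True, "patched: n8n %s is 2.0.0 or later" % version
    if env.get("N8N_PYTHON_ENABLED", "").strip().lower() == "false":
        return True, "workaround: Python disabled (N8N_PYTHON_ENABLED=false)"
    if CODE_NODE_TYPE in excluded_nodes(env):
        return True, "workaround: Code Node excluded via NODES_EXCLUDE"
    return False, "VULNERABLE: n8n %s with the Python Code Node enabled" % version


def find_bridge_escapes(workflow_json):
    """List Python Code Nodes in an exported workflow whose source hits a bridge indicator."""
    workflow = json.loads(workflow_json)
    findings = []
    for node in workflow.get("nodes", []):
        if node.get("type") != CODE_NODE_TYPE:
            continue
        source = node.get("parameters", {}).get("pythonCode")
        if not source:
            continue  # JavaScript Code Node, or no Python source at all
        hits = [name for name, pat in BRIDGE_PATTERNS.items() if pat.search(source)]
        if hits:
            findings.append({"node": node.get("name"), "indicators": hits})
    return findings


# Constructed sample export: one benign Python node, one carrying the escape.
SAMPLE_WORKFLOW = json.dumps({
    "name": "billing-sync",
    "nodes": [
        {"name": "Normalize", "type": CODE_NODE_TYPE,
         "parameters": {"language": "python",
                        "pythonCode": "import json\nreturn [{'json': {'n': 1}}]"}},
        {"name": "Exfil", "type": CODE_NODE_TYPE,
         "parameters": {"language": "python",
                        "pythonCode": "from js import require\n"
                                      "child_process = require('child_process')\n"
                                      "result = child_process.execSync('whoami').toString()\n"
                                      "return {'output': result}"}},
        {"name": "HTTP Request", "type": "n8n-nodes-base.httpRequest", "parameters": {}},
    ],
})

if __name__ == "__main__":
    for version, env in [("1.100.0", {}),
                         ("1.100.0", {"N8N_PYTHON_ENABLED": "false"}),
                         ("1.100.0", {"NODES_EXCLUDE": '["n8n-nodes-base.code"]'}),
                         ("2.0.0", {})]:
        print(is_mitigated(version, env))
    for finding in find_bridge_escapes(SAMPLE_WORKFLOW):
        print("suspicious Python Code Node:", finding)
```

is_mitigated only evaluates what you hand it, so feed it the environment the n8n service process actually starts with (a variable exported in an administrator's own shell does nothing for a service started elsewhere), and treat pre-release versions with care because parse_version drops the suffix. The workflow scan is a hunting aid, not proof of compromise: a Python node that imports js is suspicious on an automation server, but the final call needs a look at the node's full source and the execution history of that workflow.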
