CVE-2025-68668

n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process. This issue has been patched in version 2.0.0. Workarounds for this issue involve disabling the Code Node by setting the environment variable NODES_EXCLUDE: "[\"n8n-nodes-base.code\"]", disabling Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false, which was introduced in n8n version 1.104.0, and configuring n8n to use the task runner based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables.

An attacker with a valid n8n user account — obtained via phishing, credential stuffing, or insider access — creates or modifies an existing workflow containing a Python Code Node. They craft Python code that exploits the Pyodide sandbox's protection mechanism failure (CWE-693) to break out of the WebAssembly-based isolation layer. Once escaped, arbitrary OS commands execute with the same privileges as the n8n process, which in typical deployments runs with broad or root-level access. The attacker reads environment variables to harvest LLM API keys, database credentials, and webhook secrets; establishes a reverse shell for persistent access; and pivots laterally to connected AI services and internal infrastructure. The entire attack requires no elevated n8n permissions and no user interaction beyond the attacker's own session.