A critical remote code execution (RCE) vulnerability has been identified in the n8n workflow automation platform, which allows an authenticated attacker to take full control of the affected server. By submitting a malicious expression during workflow configuration, an attacker can execute arbitrary code, leading to potential data theft, operational disruption, and further network compromise.

The vulnerability exists within the workflow expression evaluation system. An authenticated user with permissions to configure workflows can supply a specially crafted expression that is not properly sanitized or isolated. This expression is then evaluated in an insecure context, allowing the attacker to break out of the intended sandbox and execute arbitrary commands on the underlying operating system with the privileges of the n8n service account.

This vulnerability is rated as critical severity with a CVSS score of 9.9. Successful exploitation can lead to a complete compromise of the n8n instance, presenting a severe risk to the organization. An attacker could gain unauthorized access to all data processed by n8n, including sensitive credentials, API keys, and proprietary business logic stored in workflows. Furthermore, the attacker could manipulate or destroy critical automation workflows, causing significant operational disruption, and use the compromised server as a pivot point to attack other internal network resources.

Immediate Action: Upgrade all affected n8n instances to a patched version (1.120.4, 1.121.1, or 1.122.0) immediately. After patching, review application and system logs for any signs of exploitation attempts that may have occurred prior to the update.

Proactive Monitoring: Security teams should monitor for unusual activity on n8n instances, including unexpected modifications to workflows, execution of suspicious child processes (e.g., sh, bash, powershell) by the n8n service account, and anomalous outbound network traffic originating from the n8n server. Review audit logs for workflow creation and modification events for any unauthorized or suspicious changes.

Compensating Controls: If immediate patching is not feasible, apply the following temporary mitigations as described in the advisory:

• Strictly limit permissions for creating and editing workflows to a minimum number of highly trusted administrative users.
• Deploy n8n in a hardened, containerized environment with minimal operating system privileges and restrictive network egress filtering to limit the potential impact of a compromise.

Public Exploit Available: false

Given the critical CVSS score of 9.9 and the potential for complete system compromise, organizations are strongly urged to treat this vulnerability with the highest priority. The requirement for authentication should not diminish the urgency, as credentials can be compromised through other means or insider threats may exist. All affected n8n instances must be upgraded to a patched version immediately. While this vulnerability is not currently on the CISA KEV list, its severity makes it a prime candidate for future inclusion, and proactive remediation is the most effective defensive posture.