n8n:CVE-2025-68668: Sandbox bypass in Pyodide-based Python Code Node allows arbitrary command execution (N8scape)

Severity: 10
CVSS: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Published: Dec 26, 2025
Added: Jan 9, 2026
Modified: Jan 9, 2026

Description

A sandbox bypass vulnerability exists in n8n versions from 1.0.0 up to, but not including, 2.0.0. An authenticated attacker with workflow editing permissions can exploit flaws in the Pyodide-based Python Code Node to escape the isolated execution environment. This allows the execution of arbitrary operating system commands on the host system with the privileges of the n8n process.

Solution

n8n-upgrade-2_0_0