Technical Advisory: n8n Python Sandbox Escape Enables Arbitrary Command Execution

Disclosed: December 24, 2025‍

Severity: Critical (CVSS 9.9 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L)‍

Package/Component: n8n (npm package)‍

Advisories: GHSA-62r4-hw23-cc8v • CVE-2025-68668‍

‍Exploitation Status: No public exploits or proof-of-concept code available as of January 8, 2026; no active exploitation reported.  Part of a cluster of critical n8n vulnerabilities (CVE-2026-21858, CVE-2026-21877, CVE-2025-68613) with public PoCs, significantly increasing weaponization risk. Organizations should prioritize patching.

Executive Summary

What Happened: A critical sandbox bypass vulnerability was discovered in n8n’s Python Code Node that uses Pyodide, enabling authenticated attackers with workflow permissions to escape WebAssembly-based sandbox restrictions and execute arbitrary operating system commands on the host system.

Why It Matters:

• Supply Chain Risk: n8n is a widely-deployed workflow automation platform used across enterprises for business-critical process automation, making this vulnerability impactful across numerous production environments
• Privilege Escalation: Attackers execute commands with the same privileges as the n8n process, potentially enabling full host compromise in containerized or privileged deployments
• AI Agent Exploitation: Automated workflows and AI-driven agents using n8n’s Python capabilities become attack vectors for persistent compromise and lateral movement
• Scope Change Impact: The vulnerability affects resources beyond the vulnerable component itself, breaking containment assumptions and impacting host systems, adjacent containers, and network-accessible resources

High-Level Risks:

• Arbitrary command execution on host systems running n8n
• Data exfiltration from databases, file systems, and connected services
• Lateral movement to adjacent systems using extracted credentials or network access
• Supply chain compromise through malicious workflow injection

Immediate Actions:

1. Upgrade to n8n version 2.0.0 or later immediately
2. If upgrade not possible, disable Python support via N8N_PYTHON_ENABLED=false (v1.104.0+)
3. Alternatively, exclude the Code Node entirely: NODES_EXCLUDE: "[\\"n8n-nodes-base.code\\"]"
4. Review audit logs for suspicious workflow creation/modification by authenticated users
5. Rotate credentials accessible to n8n processes and review host system integrity

Overview

The vulnerability stems from insufficient sandbox isolation in n8n’s Python Code Node implementation using Pyodide, a WebAssembly-based Python runtime. While Pyodide provides browser-like isolation for Python execution, the integration within n8n’s architecture contains escape vectors that allow authenticated users to break out of the intended execution boundary. When an attacker with valid credentials and workflow modification permissions crafts malicious Python code within a Code Node, they can leverage these escape vectors to execute arbitrary commands on the underlying host system with the same privileges as the n8n process.

Risk Analysis

This threat is particularly concerning in the context of agentic AI systems due to:

1. Authenticated Attack Surface: Unlike many critical vulnerabilities requiring unauthenticated access, this flaw is exploitable by any authenticated user with workflow creation permissions; a broad privilege class in typical n8n deployments including developers, automation engineers, and business users.
2. Persistent Exploitation in Automation Workflows: n8n workflows execute repeatedly on schedules, webhooks, or triggers, creating persistent backdoors where a single malicious workflow modification enables repeated command execution across time without further attacker interaction.
3. AI Agent Integration Vectors: Organizations integrating n8n with LLM-based agents for dynamic workflow generation or modification face amplified risk, as prompt injection attacks against AI systems can indirectly manipulate workflow definitions to include malicious Python code.

Technical Details

Primary Attack Vector: Pyodide Sandbox Escape via Python Code Node

The exploitation path involves the following steps:

1. Attacker authenticates to n8n using valid credentials with workflow creation/modification permissions
2. Malicious workflow creation containing a Python Code Node with sandbox escape payload
3. Workflow execution triggers the Python Code Node, initiating Pyodide Python runtime
4. Sandbox bypass leverages WebAssembly isolation weaknesses or n8n integration flaws to escape containment
5. Command execution occurs on the host system with n8n process privileges
6. Persistent access maintained through workflow triggers (scheduled, webhook-based, or event-driven)

Technical Mechanism

The vulnerability exploits the boundary between Pyodide’s WebAssembly sandbox and n8n’s Node.js host environment:

• WebAssembly Isolation Limitations: Pyodide executes Python code within a WebAssembly sandbox intended to prevent host system access, but integration points with n8n’s JavaScript runtime create escape vectors
• Host System Bridge: n8n’s implementation provides interfaces between Python code and Node.js host capabilities, which can be exploited to execute system commands beyond sandbox boundaries
• Privilege Inheritance: Commands executed through the escape mechanism inherit the n8n process’s user privileges, potentially including database access, file system permissions, and network capabilities

Impact

Systems affected by this threat may experience:

• Arbitrary Command Execution: Attackers gain full command-line access to the host system running n8n, enabling file manipulation, process control, and system configuration changes
• Data Breach: Access to databases, file systems, and environment variables containing API keys, credentials, and sensitive business data
• Lateral Movement: Extracted credentials and network access enable compromise of adjacent systems, cloud resources, and connected services
• Denial of Service: Malicious commands can terminate the n8n process, exhaust system resources, or corrupt workflow data
• Supply Chain Compromise: Attackers can modify existing workflows to inject backdoors affecting downstream business processes and integrations
• Container Escape: In containerized deployments, the vulnerability may enable container escape techniques when combined with other privilege escalation vectors

Affected Versions

The following versions are known to be affected:

• n8n versions 1.0.0 ≤ version < 2.0.0

Patched Versions:

• n8n >= 2.0.0 (implements secure Python sandbox by default)

Partial Mitigation Available:

• n8n >= 1.111.0 (task-runner architecture with native Python isolation via N8N_RUNNERS_ENABLED)
• n8n >= 1.104.0 (Python disable flag N8N_PYTHON_ENABLED=false)

Deployment Context:

• Self-hosted installations: Confirmed vulnerable if running affected versions
• n8n Cloud managed instances: Status not explicitly addressed in advisories; contact n8n support for clarification on whether managed instances have been patched

Check Your Version:

# For npm installations
npm list n8n

# For Docker installations
docker exec <container_name> n8n --version

# Or check the n8n UI: Settings → About


Immediate Mitigation Steps

1. Upgrade to Patched Version (Recommended):
   
   • For npm installations:
     
     • npm install n8n@latest
# Verify version 2.0.0 or higher
npm list n8n

   • For Docker installations:
     
     • # Pull latest image
docker pull n8nio/n8n:latest

# Verify version 2.0.0 or higher
docker run --rm n8nio/n8n:latest n8n --version

# Restart container with new image
docker-compose down && docker-compose up -d

   • Note: Version 2.0.0+ implements the secure Python sandbox by default via task-runner architecture, eliminating the vulnerability without additional configuration changes. This changes the Python execution model from Pyodide to native Python with proper isolation.
2. Alternative: Disable Python Support (v1.104.0+):
   
   • # Set environment variable to disable Python Code Node
export N8N_PYTHON_ENABLED=false

# Restart n8n service
systemctl restart n8n  # or equivalent for your deployment

3. Alternative: Exclude Code Node Entirely:
   
   • # Disable all Code Node functionality (both JavaScript and Python)
export NODES_EXCLUDE='["n8n-nodes-base.code"]'

# Restart n8n service
systemctl restart n8n

4. Alternative: Enable Task Runner Sandbox (v1.111.0+):
   
   • # Enable task-runner architecture with native Python isolation
export N8N_RUNNERS_ENABLED=true
export N8N_NATIVE_PYTHON_RUNNER=true

# Restart n8n service
systemctl restart n8n

5. Detection and Investigation:
   • Review n8n audit logs for workflow creation/modification events by authenticated users
   • Search workflow definitions for Python Code Nodes: grep -r "n8n-nodes-base.code" /path/to/n8n/workflows/
   • Check system logs for unusual process execution from the n8n user account
   • Investigate outbound network connections from n8n processes
   • Scan for unauthorized file modifications in directories accessible to the n8n process
6. Credential Rotation and System Integrity:
   • Rotate all API keys, database credentials, and secrets accessible to n8n processes
   • Review host system integrity for signs of compromise (unauthorized users, cron jobs, SSH keys)
   • Check cloud provider audit logs for unauthorized access
   • Scan for backdoors, webshells, or persistence mechanisms on affected systems

Long-term Recommendations

1. Access Control and Governance:
   • Implement least-privilege access controls for workflow creation/modification permissions
   • Separate development and production n8n instances with distinct authentication boundaries
   • Require multi-person approval workflows for production workflow changes
   • Establish workflow code review processes including security analysis of Python Code Nodes
   • Monitor and alert on workflow modifications, especially those introducing Code Nodes
2. Architecture and Isolation:
   • Deploy n8n in containerized environments with strict resource limits and network policies
   • Use read-only container file systems where possible to limit persistence mechanisms
   • Implement network segmentation to isolate n8n processes from sensitive internal resources
   • Run n8n processes with minimal user privileges (non-root, restricted file system access)
   • Use secret management systems instead of environment variables
3. Monitoring and Detection:
   • Implement runtime application security monitoring for n8n processes
   • Alert on unusual system calls, file access patterns, or network connections from n8n
   • Monitor workflow execution logs for errors, unexpected outputs, or timing anomalies
   • Establish baseline behavior for n8n processes and alert on deviations
   • Integrate n8n audit logs with SIEM systems for correlation with other security events

Framework Context

This incident aligns with multiple security frameworks:

OWASP Agentic Security & Integrity (ASI) 2026:

• ASI02:2026 Tool Misuse and Exploitation - Python Code Node exploited beyond intended automation boundaries to execute system commands and compromise host infrastructure
• ASI04:2026 Agentic Supply Chain Vulnerabilities - n8n as foundational automation infrastructure creates cascading risk across dependent workflows, integrations, and AI agent deployments
• ASI05:2026 Unexpected Code Execution (RCE) - Sandbox bypass enables arbitrary command execution through Pyodide isolation weaknesses, converting workflow definitions into executable system commands

OWASP Agentic AI Threats & Mitigations (AATM) v1.0:

• T2 Tool Misuse - Python Code Node exploited beyond intended automation scope to achieve host system compromise
• T11 Unexpected RCE - Sandbox escape converts workflow logic into arbitrary command execution with host privileges

OWASP LLM Top 10 (2025):

• LLM03:2025 Supply Chain - n8n dependency vulnerability creates systemic exposure across automation and AI agent deployments
• LLM06:2025 Excessive Agency - Workflows and autonomous agents with Python Code Node access can execute privileged operations when sandbox bypass is exploited

Common Weakness Enumeration (CWE):

• CWE-693 Protection Mechanism Failure - Pyodide WebAssembly sandbox integration in n8n fails to provide adequate isolation from host system resources, enabling containment bypass and privilege escalation through authenticated workflow execution

Detection Indicators

Organizations should search logs for the following patterns:

n8n Application Logs:

• Workflow creation or modification events involving Python Code Nodes
• Execution errors mentioning Pyodide, WebAssembly, or Python runtime failures
• Unusual workflow execution durations indicating system command execution
• Python Code Node outputs containing system command results or error messages

System Logs:

• Process execution from the n8n user account not matching expected n8n service operations
• File access by n8n processes outside expected workflow data directories
• Network connections from n8n processes to unexpected external or internal endpoints
• Child processes spawned by n8n with unusual command-line arguments (bash, sh, curl, wget)

Network Logs:

• Outbound connections initiated during Python Code Node execution
• Data exfiltration patterns (large uploads, connections to known malicious IPs)
• Lateral movement attempts (SMB, SSH, RDP connections to internal hosts)

Updates

We will update this analysis as more information becomes available. Please monitor our security channels for the latest updates.

‍