
CVE-2025-68697: CWE-269: Improper Privilege Management in n8n-io n8n

Severity: High
Tags: CVE-2025-68697, CWE-269, CWE-749
Published: Fri Dec 26 2025 (12/26/2025, 21:51:12 UTC)
Source: CVE Database V5
Vendor/Project: n8n-io
Product: n8n

Description

CVE-2025-68697 is a high-severity privilege management vulnerability in n8n versions prior to 2.0.0. It affects self-hosted n8n instances running the Code node in legacy JavaScript execution mode, allowing authenticated users with workflow editing rights to execute internal helper functions. This enables them to read and write files on the host system with the same privileges as the n8n process, potentially exposing sensitive data or modifying critical files. The vulnerability does not require user interaction beyond authentication and has a CVSS score of 7.1. It has been patched in version 2.0.0, with recommended mitigations including restricting file access directories, blocking access to configuration files, and disabling high-risk nodes if editors are not fully trusted.

AI-Powered Analysis

AI analysis last updated: 12/26/2025, 22:24:29 UTC

Technical Analysis

CVE-2025-68697 is a vulnerability classified under CWE-269 (Improper Privilege Management) and CWE-749 (Exposed Dangerous Method or Function) affecting the open-source workflow automation platform n8n prior to version 2.0.0. The issue arises in self-hosted n8n deployments where the Code node operates in legacy JavaScript execution mode (non-task-runner mode). Authenticated users who have workflow editing permissions can exploit this flaw by invoking internal helper functions from within the Code node. These helper functions provide access to the underlying host filesystem with the same privileges as the n8n process. Consequently, an attacker can read sensitive files or write arbitrary files to the host, constrained only by existing OS or container-level permissions and any configured file access restrictions within n8n. This can lead to unauthorized disclosure of sensitive information, potential tampering with configuration or operational files, and further escalation of privileges if critical files are overwritten. The vulnerability does not require additional user interaction beyond authentication and can be exploited remotely over the network. The vendor addressed this issue in n8n version 2.0.0 by changing the execution mode and restricting access. Workarounds include configuring environment variables such as N8N_RESTRICT_FILE_ACCESS_TO to limit accessible directories, enabling N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES to block access to sensitive config files, and disabling risky nodes like the Code node via NODES_EXCLUDE if workflow editors are not fully trusted. No known exploits are reported in the wild as of the publication date.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those deploying self-hosted n8n instances to automate business workflows. Exploitation can lead to unauthorized access to sensitive corporate data stored on the host system, including credentials, configuration files, or proprietary information. The ability to write files may allow attackers to implant malicious scripts or modify workflows, potentially disrupting business operations or enabling further lateral movement within the network. Given n8n's role in automating critical processes, compromise could impact data integrity and operational continuity. Organizations in regulated sectors such as finance, healthcare, and government are particularly exposed because of strict data protection requirements under GDPR and other regulations. Exploitation requires only authenticated access with workflow editing privileges, which may be obtained via compromised credentials or insider threats, increasing the attack surface. The lack of user interaction and remote network exploitability further heighten the risk. Failure to patch or mitigate this vulnerability could result in data breaches, compliance violations, reputational damage, and operational disruptions.

Mitigation Recommendations

European organizations should immediately upgrade all self-hosted n8n instances to version 2.0.0 or later to fully remediate this vulnerability. Until upgrades can be performed, implement the following mitigations:
1) Configure the environment variable N8N_RESTRICT_FILE_ACCESS_TO to restrict file operations to a dedicated directory that contains no sensitive data, minimizing the risk of unauthorized file access.
2) Ensure N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES is set to true (the default) to block access to the .n8n directory and user-defined configuration files, protecting critical configuration data.
3) Disable the Code node and other high-risk nodes using the NODES_EXCLUDE environment variable if workflow editors are not fully trusted, thereby reducing the attack surface.
4) Enforce strict access controls and monitor workflow editor accounts for suspicious activity to prevent unauthorized privilege escalation.
5) Employ network segmentation and host-level security controls to limit the impact of any potential compromise.
6) Regularly audit and review workflow permissions and user roles to ensure least-privilege principles are maintained.
7) Implement logging and alerting on file access and workflow changes to detect exploitation attempts promptly.
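The three environment-variable mitigations above (and the "upgrade to 2.0.0" check) can be verified mechanically. The script below is an added example written for this page; it is not n8n's own tooling and does not come from the advisory. It audits an n8n env file of the kind passed to `docker run --env-file` or a systemd EnvironmentFile. The variable names are the ones the advisory cites; the node type id `n8n-nodes-base.code` used to recognise the Code node in NODES_EXCLUDE is an assumption to confirm against your instance's node list, and both sample env files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not n8n's tooling, not from the advisory): audit the interim
# mitigations for CVE-2025-68697 in an n8n env file.
# Assumptions: variable names as cited in the advisory; the Code node's type id
# "n8n-nodes-base.code" is assumed and should be verified on your instance.
# The two sample env files created at the bottom are constructed.

# Value of NAME ($2) in env FILE ($1). The last assignment wins, surrounding
# double quotes are dropped, and output is empty when the variable is absent.
n8n_env_value() {
    grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# True (0) when the given n8n version is affected: every release before 2.0.0
# per the advisory, so only the major number matters.
n8n_version_affected() {
    major=${1%%.*}
    [ "$major" -lt 2 ]
}

# Mitigation 1: file helpers must be confined to a dedicated directory.
n8n_check_restrict() {
    v=$(n8n_env_value "$1" N8N_RESTRICT_FILE_ACCESS_TO)
    [ -n "$v" ]
}

# Mitigation 2: the .n8n directory and config files stay blocked. The advisory
# says true is the default, so only an explicit "false" fails this check.
n8n_check_block() {
    v=$(n8n_env_value "$1" N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES)
    [ "$v" != "false" ]
}

# Mitigation 3: when editors are not fully trusted, the Code node is excluded.
n8n_check_code_excluded() {
    v=$(n8n_env_value "$1" NODES_EXCLUDE)
    printf '%s' "$v" | grep -qF 'n8n-nodes-base.code'
}

# Run every check against FILE ($1) for an instance at VERSION ($2).
# Prints one line per check; the return value is the number of findings.
n8n_audit() {
    file=$1 version=$2 failed=0
    if n8n_version_affected "$version"; then
        echo "FAIL n8n $version is before 2.0.0: upgrade to remediate CVE-2025-68697"
        failed=$((failed + 1))
    else
        echo "OK   n8n $version includes the fix"
    fi
    if n8n_check_restrict "$file"; then
        echo "OK   N8N_RESTRICT_FILE_ACCESS_TO confines file helpers"
    else
        echo "FAIL N8N_RESTRICT_FILE_ACCESS_TO is unset: helpers reach any path the process can"
        failed=$((failed + 1))
    fi
    if n8n_check_block "$file"; then
        echo "OK   N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES protects .n8n and config files"
    else
        echo "FAIL N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES=false exposes .n8n and config files"
        failed=$((failed + 1))
    fi
    if n8n_check_code_excluded "$file"; then
        echo "OK   NODES_EXCLUDE disables the Code node"
    else
        echo "WARN NODES_EXCLUDE does not list the Code node: acceptable only for fully trusted editors"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Constructed sample 1: a pre-2.0.0 instance with the default protection switched off.
WEAK_ENV=$(mktemp)
cat > "$WEAK_ENV" <<'EOF'
N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES=false
EOF

# Constructed sample 2: the advisory's interim hardening applied.
HARD_ENV=$(mktemp)
cat > "$HARD_ENV" <<'EOF'
N8N_RESTRICT_FILE_ACCESS_TO=/var/lib/n8n/workflow-files
N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES=true
NODES_EXCLUDE=["n8n-nodes-base.code"]
EOF
trap 'rm -f "$WEAK_ENV" "$HARD_ENV"' EXIT

echo "== weak env, n8n 1.70.0"
rc=0; n8n_audit "$WEAK_ENV" 1.70.0 || rc=$?
echo "== $rc finding(s)"
echo "== hardened env, n8n 2.0.0"
rc=0; n8n_audit "$HARD_ENV" 2.0.0 || rc=$?
echo "== $rc finding(s)"
```

Point `n8n_audit` at your real env file and the version reported by your instance; a non-zero return value is convenient for a CI gate, and the NODES_EXCLUDE line is reported as WARN rather than FAIL because the advisory ties that mitigation to whether workflow editors are fully trusted.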


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-23T17:11:35.076Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 694f079233784cecd499b7fb

Added to database: 12/26/2025, 10:09:22 PM

Last enriched: 12/26/2025, 10:24:29 PM

Last updated: 12/27/2025, 1:09:01 AM

