
New n8n Vulnerability (9.9 CVSS) Lets Authenticated Users Execute System Commands

The Hacker News by The Hacker News
January 6, 2026


Jan 06, 2026Ravie LakshmananVulnerability / DevOps

A new critical security vulnerability has been disclosed in n8n, an open-source workflow automation platform, that could enable an authenticated attacker to execute arbitrary system commands on the underlying host.

The vulnerability, tracked as CVE-2025-68668, is rated 9.9 on the CVSS scoring system. It has been described as a case of a protection mechanism failure.

It affects n8n versions from 1.0.0 up to, but not including, 2.0.0, and allows an authenticated user with permission to create or modify workflows to execute arbitrary operating system commands on the host running n8n. The issue has been addressed in version 2.0.0.

“A sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide,” an advisory for the flaw states. “An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process.”


n8n said it had introduced a task runner-based native Python implementation in version 1.111.0 as an optional feature for improved security isolation. The feature can be enabled by configuring the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables. With the release of version 2.0.0, the implementation has been made the default.

As workarounds, n8n recommends that users follow the steps outlined below:

  • Disable the Code Node by setting the environment variable NODES_EXCLUDE: "[\"n8n-nodes-base.code\"]"
  • Disable Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false
  • Configure n8n to use the task runner-based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables
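
A triage check built from the affected range and the three workarounds above, as an added example that is not code from n8n or from the advisory. It assumes the two runner variables are enabled with the value "true" (the article names the variables but not their values); the inventory in the demo is constructed.

```python
import json
import re

CODE_NODE = "n8n-nodes-base.code"

def parse_version(text):
    """Extract (major, minor, patch) from strings such as '1.111.0' or 'v1.50.2-beta'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g) for g in m.groups())

def _is(env, name, wanted):
    return env.get(name, "").strip().lower() == wanted

def assess(version, env):
    """Return (status, reason) for one n8n instance, per the article's range and workarounds."""
    v = parse_version(version)
    if not ((1, 0, 0) <= v < (2, 0, 0)):
        return ("not-affected", "outside 1.0.0 <= version < 2.0.0")
    try:
        excluded = json.loads(env.get("NODES_EXCLUDE", "[]"))
    except ValueError:
        excluded = []  # malformed value: treat it as no exclusion at all
    if isinstance(excluded, list) and CODE_NODE in excluded:
        return ("mitigated", "Code node excluded via NODES_EXCLUDE")
    if _is(env, "N8N_PYTHON_ENABLED", "false"):
        return ("mitigated", "Python disabled in the Code node")
    # Assumption: both runner variables are switched on with the value "true".
    runners = (_is(env, "N8N_RUNNERS_ENABLED", "true")
               and _is(env, "N8N_NATIVE_PYTHON_RUNNER", "true"))
    if runners and v >= (1, 111, 0):
        return ("mitigated", "task runner-based native Python in use")
    if runners:
        # The native Python runner was only introduced in 1.111.0.
        return ("exposed", "runner variables set, but native Python needs 1.111.0+")
    return ("exposed", "affected version with the Pyodide Python Code node available")

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    fleet = {
        "automation-a": ("1.50.2", {}),
        "automation-b": ("1.120.1", {"N8N_PYTHON_ENABLED": "false"}),
        "automation-c": ("1.100.0", {"N8N_RUNNERS_ENABLED": "true",
                                     "N8N_NATIVE_PYTHON_RUNNER": "true"}),
        "automation-d": ("2.0.0", {}),
    }
    for host, (ver, env) in fleet.items():
        print(host, ver, *assess(ver, env))
```
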

The disclosure comes as n8n addressed another critical vulnerability (CVE-2025-68613, CVSS score: 9.9) that could result in arbitrary code execution under certain circumstances.


