SB2026010711 - Security restrictions bypass in n8n
Published: January 7, 2026 Updated: February 9, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Protection mechanism failure (CVE-ID: CVE-2025-68668)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures in the Python Code Node that uses Pyodide. A remote user with permission to create or modify workflows can bypass sandbox restrictions and execute arbitrary commands on the host system with the privileges of the n8n process.
2) Exposed dangerous method or function (CVE-ID: CVE-2025-68697)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists because the legacy Code node enables file reads and writes. A remote user with access to the workflow editor can read and modify files on the host.
Remediation
Install the update from the vendor's website.