CVE-2025-68697 [High] | Privilege Escalation in N8n

n8n is an open source workflow automation platform. Prior to version 2.0.0, in self-hosted n8n instances where the Code node runs in legacy (non-task-runner) JavaScript execution mode, authenticated users with workflow editing access can invoke internal helper functions from within the Code node. This allows a workflow editor to perform actions on the n8n host with the same privileges as the n8n process, including: reading files from the host filesystem (subject to any file-access restrictions configured on the instance and OS/container permissions), and writing files to the host filesystem (subject to the same restrictions). This issue has been patched in version 2.0.0. Workarounds for this issue involve limiting file operations by setting N8N_RESTRICT_FILE_ACCESS_TO to a dedicated directory (e.g., ~/.n8n-files) and ensure it contains no sensitive data, keeping N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES=true (default) to block access to .n8n and user-defined config files, and disabling high-risk nodes (including the Code node) using NODES_EXCLUDE if workflow editors are not fully trusted.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.03%	0.24%	+0.21%
2	2025-12-27	—	0.03%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.03%

0.24%

+0.21%

2025-12-27

—

0.03%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.1	3.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:N) Service keeps running; no real outage angle.	2.8	4.2	[email protected]
5.4	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:N) Service keeps running; no real outage angle.	2.8	2.5	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

7.1

3.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N): Service keeps running; no real outage angle.

2.8

4.2

[email protected]

5.4

3.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N): Service keeps running; no real outage angle.

2.8

2.5

[email protected]

Affected software / configurations for CVE-2025-68697

Vendor	Product	Version	Raw CPE
n8n	n8n	< 2.0.0	cpe:2.3:a:n8n:n8n::::::node.js::*

References for CVE-2025-68697

URL	Tags
https://github.com/n8n-io/n8n/security/advisories/GHSA-j4p8-h8mh-rh8q	Patch Vendor Advisory

URL

CVE-2025-68697 | Self-hosted n8n has Legacy Code node that enables arbitrary file read/write

Exploit prediction scoring system (EPSS) score for CVE-2025-68697

Common vulnerability scoring system (CVSS) metrics for CVE-2025-68697

Weakness enumeration for CVE-2025-68697

GitHub Security Advisory for CVE-2025-68697

Affected software / configurations for CVE-2025-68697

References for CVE-2025-68697