PoC Exploit Released for Critical n8n Vulnerability Allowing Remote Code Execution

Security researchers have confirmed the release of proof-of-concept exploit code for a critical remote code execution vulnerability affecting n8n, a widely-deployed workflow automation platform used across enterprise environments to orchestrate critical business processes and integrate with internal systems and cloud services.

The vulnerability stems from improper JavaScript expression evaluation within n8n’s workflow processing engine.

When users create or edit workflows, the platform processes user input wrapped in double curly braces {{ }} as executable JavaScript

code on the server side.

However, the execution environment lacks adequate sandboxing protections, allowing attackers to access dangerous Node.js objects and system modules.

Exploitation is straightforward for authenticated users. An attacker with even low-level account privileges can inject malicious expressions into workflow nodes or submit crafted payloads via the REST API.

The payload accesses the Node.js process object and loads system modules like child_process, enabling direct command execution on the underlying host.

Once successful, attackers gain complete system access, enabling credential theft from environment variables, sensitive file reading, backdoor installation, and lateral movement through connected systems.

Immediate Actions Required

Organizations running affected versions must prioritize emergency patching to v1.120.4, v1.121.1, v1.122.0, or later releases.

Before patching, implement monitoring for suspicious expressions containing process.mainModule.require, child_process, or execSync in workflow logs.

Network teams should restrict external n8n access, limit user permissions to trusted accounts, and audit recent workflow modifications for anomalies.

Security teams must review environment variable configurations and immediately rotate all exposed credentials across connected databases and cloud platforms.

The public release of exploit code significantly accelerates the threat timeline exploitation in the wild is expected imminently.

Given the critical nature of this vulnerability and its presence in automated infrastructure environments, organizations should treat remediation as an urgent security incident requiring immediate executive prioritization and coordinated response across security, DevOps, and infrastructure teams.

Follow us on Google News , LinkedIn and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post PoC Exploit Released for Critical n8n Vulnerability Allowing Remote Code Execution appeared first on Cyber Security News.