
n8n sandbox escape: what it means for workflow and AI control


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: CVE-2025-68668 in n8n allows post-auth remote code execution through Pyodide sandbox escapes, with the platform’s own automation role turning a single foothold into access to secrets, workflows, and connected systems, according to Cyera Research Labs. The real issue is not just patching one bug, but recognising that workflow engines can become control planes with far wider blast radius than teams assume.

NHIMG editorial — based on content published by Cyera: N8Scape (Pyodide sandbox escape), a critical post-auth RCE in n8n (CVE-2025-68668)

Questions worth separating out

Q: What breaks when a workflow engine can execute untrusted code inside the same environment that stores secrets?

A: The boundary between application logic and trusted automation collapses.

Q: Why do workflow platforms create outsized NHI risk in enterprise environments?

A: Because they concentrate long-lived credentials, delegated access, and execution authority in one place.

Q: How do security teams know whether an automation platform has become too privileged?

A: Look for signals that the platform can both modify automations and reach sensitive credentials or identity state.

Practitioner guidance

  • Separate workflow authoring from secret access: Ensure users who can edit workflows cannot directly read the credentials, tokens, or database state that those workflows use.
  • Reduce the privilege radius of automation runtimes: Run code-execution features in isolated environments that cannot reach host processes, mounted databases, or shared secret stores.
  • Inventory long-lived credentials tied to automation platforms: Map every API key, OAuth token, database password, and service account used by workflow engines, then classify each by downstream blast radius.

What's in the full article

Cyera's full research covers the operational detail this post intentionally leaves for the source:

  • The Pyodide escape paths and the exact bypass logic used to recover OS command execution.
  • The proof-of-concept flow that shows how post-auth RCE translates into administrative escalation.
  • The specific mitigation guidance for disabling Python execution or removing the Code node in affected deployments.
  • The runner-based architecture guidance that changes how untrusted code should be isolated in practice.

👉 Read Cyera’s analysis of the n8n sandbox escape and CVE-2025-68668 →
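
One way to start the credential inventory described under "Practitioner guidance", as an added example that is not part of the original post or of Cyera's research: a Python check over exported n8n workflow JSON that flags workflows containing a Python Code node and tiers the credentials each workflow references. The export shape (`nodes` with `type`, `parameters.language`, `credentials`) and the Code node type name are assumptions about n8n's workflow format; the `BLAST_RADIUS` tiers and the sample workflows are constructed for illustration.

```python
import json

# Hypothetical tiering: credential type -> downstream blast radius.
# Types missing from the map are tiered "review" so they are never silently low.
BLAST_RADIUS = {"aws": "critical", "postgres": "high", "slackApi": "medium"}
ORDER = ["critical", "high", "review", "medium", "low", "none"]
CODE_NODE = "n8n-nodes-base.code"  # assumed type name of the Code node

def audit_workflow(wf):
    """Summarise one exported workflow (assumed export shape)."""
    python_nodes, creds = [], {}
    for node in wf.get("nodes", []):
        params = node.get("parameters") or {}
        if node.get("type") == CODE_NODE and params.get("language") == "python":
            python_nodes.append(node.get("name", "<unnamed>"))
        for ctype, ref in (node.get("credentials") or {}).items():
            # Credential references may be objects or bare name strings.
            name = ref.get("name", "?") if isinstance(ref, dict) else str(ref)
            creds[(ctype, name)] = BLAST_RADIUS.get(ctype, "review")
    worst = min(creds.values(), key=ORDER.index, default="none")
    return {"workflow": wf.get("name"), "python_code_nodes": python_nodes,
            "credentials": creds, "worst_tier": worst}

def audit(workflows):
    """Workflows with Python Code nodes first, then by worst credential tier."""
    findings = [audit_workflow(w) for w in workflows]
    return sorted(findings, key=lambda f: (not f["python_code_nodes"],
                                           ORDER.index(f["worst_tier"])))

# Constructed sample export (not real data).
SAMPLE = json.loads("""[
 {"name": "nightly-sync", "nodes": [
   {"name": "Transform", "type": "n8n-nodes-base.code",
    "parameters": {"language": "python", "pythonCode": "return items"}},
   {"name": "Write DB", "type": "n8n-nodes-base.postgres", "parameters": {},
    "credentials": {"postgres": {"id": "7", "name": "prod-db"}}}]},
 {"name": "alerts", "nodes": [
   {"name": "Format", "type": "n8n-nodes-base.code",
    "parameters": {"jsCode": "return items;"}},
   {"name": "Notify", "type": "n8n-nodes-base.slack", "parameters": {},
    "credentials": {"slackApi": {"id": "3", "name": "sec-alerts"}}}]},
 {"name": "cloud-cleanup", "nodes": [
   {"name": "S3", "type": "n8n-nodes-base.awsS3", "parameters": {},
    "credentials": {"aws": {"id": "1", "name": "ops-admin"}}}]}
]""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Because the flaw described above leads from code execution to the platform's stored secrets, the per-workflow tiers help order review work; they do not bound what a compromised instance can reach.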

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

Workflow automation has become an identity concentration point, not a neutral integration layer. When a platform like n8n holds long-lived credentials and executes trusted actions across SaaS, cloud, and internal systems, compromise of the platform becomes compromise of the trust fabric itself. That shifts the problem from application hardening to identity blast-radius control. Practitioners should treat orchestration engines as privileged non-human identity surfaces, not as ordinary apps.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most teams cannot reliably map the identities tied to automation risk.

A question worth separating out:

Q: Who is accountable when a workflow platform compromise leads to downstream cloud or SaaS abuse?

A: Accountability sits with the teams that granted and governed the delegation chain, not only with the application owner. Identity, platform, and security teams should define who owns workflow permissions, secret exposure, runtime isolation, and incident response when automation becomes the entry point to wider systems.

👉 Read our full editorial: n8n sandbox escape shows the blast radius of workflow control planes



   