
CVE-2025-68613: Nye8! - APAC Groups Exploit PoC & Four CVSS 10 Critical n8n Vulnerabilities Lead to Remote Code Execution

  • Writer: PIPELINE
  • Jan 14
  • 6 min read

Updated: Jan 16

Author(s): Reyben T. Cortes, Azim Udin, Unit Zero Threat Research Team, DefusedCyber


Figure 1: Pie chart statistics of top n8n versions in Japan

Happy New Year! Since early December, leading up to the holiday break, we flagged a series of n8n vulnerabilities that came to our immediate attention, for good reason. n8n is one of the most popular free-to-start low-code/no-code automation platforms, used by all types of users and organizations worldwide. Its highly scalable workflows and powerful nodes have made it a successor to Zapier, letting organizations run self-hosted instances as well as cloud-based ones. While this allows great flexibility, it also paints an extremely diversified attack surface.

n8n instances observed:

Japan: 1,170
Asia: 15,362
Worldwide (unfiltered): 114,843

Shodan dork: http.favicon.hash:-831756631, http.title:*n8n*, product:*n8n*, title:*n8n
Censys dork: services.software.vendor:'n8n', services.software.product:'n8n'

Figure 2: Total n8n instances worldwide, unfiltered
Disclaimer: If you didn't get the joke, "Nye8!" refers to the Russian word "Nyet!", meaning "Noo!!"

The Nye8! Vulnerabilities

On December 19, 2025, 15 days before the exploit code was released, our proactive threat research team Unit Zero was alerted to a vulnerability that seemed too good to be true: a perfect 10.0 CVSS score for CVE-2025-68613, an n8n vulnerability our team dubbed "Nye8!", disclosed by security researcher Fatih Çelik. We immediately triggered our playbooks, notified our customers and provided the necessary outreach to affected Japanese and APAC (Asia Pacific) organizations running outdated software versions. Thanks to the quick response, our customers had the lead time they needed for proper patch management.


Figure 3: The constant stream of n8n vulnerability disclosures over the past few weeks feels like...

CVE-2025-68613 (Nye8!): Improper Control of Dynamically Managed Code Resources

CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Figure 4: Patched versions warn of a security concern, while unpatched versions execute the payload, giving RCE (remote code execution) within the host container

The Nye8! vulnerability is an improperly controlled resource in n8n that is reachable when creating a common trigger workflow. It exploits improper input validation (improper control) in the Node.js expression environment, specifically an expression that references this.process.mainModule.require. From there an attacker can reach OS command injection style modules in the host or container and read sensitive credentials, as shown in Figure 4. Interestingly, NVD downgraded the score to 8.8 because it treats the exploit as requiring an authenticated user. However, anyone who has actually built n8n workflows knows that a trigger node is created every single time you build a workflow, as shown in Figure 5. In vulnerable versions it is possible to exploit this to deploy a reverse shell, posing a risk to organizations with possible insider threats hired halfway around the world.


Figure 5: Every workflow begins with a trigger node
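A defender-side check for the pattern described above: the following is an added example (not n8n project code and not from the original post) that scans an exported n8n workflow JSON for expressions reaching into the Node.js runtime, such as the this.process.mainModule.require reference named in the text. It assumes the usual export shape ({ nodes: [ { name, type, parameters } ] }) and that n8n expression strings begin with "=". The pattern list beyond the page's own identifier is an assumption, and the sample workflow is constructed.

```javascript
// Added example (not n8n project code): flag workflow expressions that reach
// into the Node.js runtime, as described for Nye8! (CVE-2025-68613).
// Assumptions: exports have the shape { nodes: [ { name, type, parameters } ] }
// and expression strings start with "=" and use {{ }} delimiters.

// Patterns a legitimate workflow expression should not contain. Only the
// first is named on the page; the other two are conservative extras
// (assumption: any `process.` access or `require(` call is suspicious).
const SUSPICIOUS_PATTERNS = [
  { id: 'mainModule-require', re: /process\s*\.\s*mainModule\s*\.\s*require/ },
  { id: 'process-access',     re: /\bprocess\s*\./ },
  { id: 'require-call',       re: /\brequire\s*\(/ },
];

// Visit every string inside a node's parameters, remembering the JSON path
// so a finding can be located in the editor.
function* walkStrings(value, path = []) {
  if (typeof value === 'string') {
    yield { path: path.join('.'), value };
  } else if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      yield* walkStrings(value[i], [...path, String(i)]);
    }
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      yield* walkStrings(v, [...path, k]);
    }
  }
}

// Return one finding per (node, parameter, pattern) match.
function scanWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    for (const { path, value } of walkStrings(node.parameters || {})) {
      // n8n expressions are strings beginning with "=", e.g. "={{ $json.x }}"
      if (!value.startsWith('=')) continue;
      for (const { id, re } of SUSPICIOUS_PATTERNS) {
        if (re.test(value)) {
          findings.push({ node: node.name, type: node.type, parameter: path, pattern: id });
        }
      }
    }
  }
  return findings;
}

// Constructed sample export: a manual trigger followed by a Set node where
// one field holds a benign expression and another reaches into the runtime.
const SAMPLE_WORKFLOW = {
  name: 'constructed-sample',
  nodes: [
    { name: 'When clicking Execute', type: 'n8n-nodes-base.manualTrigger', parameters: {} },
    {
      name: 'Edit Fields',
      type: 'n8n-nodes-base.set',
      parameters: {
        assignments: {
          assignments: [
            { name: 'greeting', type: 'string', value: '={{ "hello " + $json.user }}' },
            { name: 'probe',    type: 'string', value: '={{ this.process.mainModule.require }}' },
          ],
        },
      },
    },
  ],
};

// Stand-alone run: prints two findings for the "probe" assignment.
console.log(JSON.stringify(scanWorkflow(SAMPLE_WORKFLOW), null, 2));
```

Run the scanner over every exported workflow (n8n's CLI and REST API can both export workflows as JSON) and alert on any finding; a legitimate Set or Code node has no reason to touch process or require from an expression.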

CVE-2026-68668 (N8scape): Sandbox Escape in Python Code Node Execution Environment

CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Figure 6: Patched version 2.1.4, showing violations in arbitrary code execution in the Python Code node

On January 4, 2025, three days after the exploit code for Nye8!, the N8scape vulnerability was publicly disclosed by researchers Vladimir Tokarev and Ofek Itach at Cyera. We are also testing the exploit payload for detection purposes but have decided to redact the details until proper disclosure by those researchers in the upcoming N8scape blog this week. Like Nye8!, this is a sandbox escape, and the flaw stems primarily from blacklisting defined resources, an approach with well-known limitations that undermines what the fix is actually trying to address. Unfortunately, the patches applied by n8n may still prove ineffective, as shown in Figure 6: the patched 2.1.4 instance displays "disallowed" listings, which could allow attackers to import other Python code node libraries that still expose sensitive modules, so stay alert for more n8n vulnerability disclosures.


CVE-2026-21877 (N8Save): Arbitrary Remote Code Execution from Arbitrary File Write Access Leads to System Compromise

CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Figure 7: API credential stored in n8n

Two days later, on January 6, researcher Théo Lelasseux disclosed further vulnerabilities in the n8n platform impacting both Cloud and self-hosted instances. This vulnerability, also rooted in the lack of proper input validation found throughout the platform, lets an attacker reach the host container and run untrusted code via arbitrary file reads. The flaw allowed remote code execution where users store the sensitive API credentials for their workflows, as shown in Figure 7, leading to full database compromise. Thankfully, the details of this specific exploit have been withheld.



CVE-2026-21858 (Ni8mare): Unauthenticated Remote Code Execution in Webhook Forms Content

CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

A day later, on January 7, researcher Dor Attias at Cyera published Ni8mare. This vulnerability lives up to its name: a network vector that requires no user authentication. Because the vulnerabilities are so trivial within a single n8n workflow, it is feasible to chain Nye8! with Ni8mare, since most workflows begin with a trigger node and a Set field. The exploit works by sending crafted HTTP traffic to a vulnerable n8n instance, as shown in Figure 7. Our threat research team Unit Zero discovered many organizations meeting these criteria, especially Western organizations using the forms for job application submissions.



Figure 8: Form-based webhook trigger

PoC Exploit Market Analysis

On January 7, the same day Cyera published Ni8mare, we discovered one of the earliest exploit sales, posted for $157.50 USD. This rate aligns with low-end commodity pricing after public disclosure of a vulnerability, while at the same time yielding a very high ROI (return on investment).


Validated Vulnerable Ranges

| CVE | CVSS | Vulnerable Ranges | Patched Versions |
|---|---|---|---|
| CVE-2025-68613 | 9.9 | ≥ 0.211.0 and < 1.120.4 (main branch); ≥ 1.121.0 and < 1.121.1 (1.121.x branch); ≥ 1.122.0 and < 1.122.0 | 1.120.4, 1.121.1, 1.122.0, and all later including 2.x |
| CVE-2026-68668 | 9.9 | ≥ 1.0.0 and < 2.0.0 | 2.0.0+ |
| CVE-2026-21877 |  | ≥ 0.123.0 and < 1.121.3 | 1.121.3+ |
| CVE-2026-21858 | 10 | ≥ 1.65.0 and < 1.121.0 | 1.121.0+ |
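To turn the ranges above into a repeatable check, here is an added example (not n8n project code and not from the original post) that takes an n8n version string, as reported by the instance or the npm package, and returns which of the four CVEs it falls inside. The ranges are encoded exactly as printed in the table, including the third CVE-2025-68613 range (≥ 1.122.0 and < 1.122.0), which as published matches nothing; the sample version strings at the bottom are constructed. It assumes n8n versions are plain MAJOR.MINOR.PATCH triples.

```javascript
// Added example (not n8n project code): check a version string against the
// vulnerable ranges from the table. Each range is [min, maxExclusive], i.e.
// ">= min and < max". Ranges are reproduced exactly as published.
const VULNERABLE_RANGES = {
  'CVE-2025-68613': [
    ['0.211.0', '1.120.4'],   // main branch
    ['1.121.0', '1.121.1'],   // 1.121.x branch
    ['1.122.0', '1.122.0'],   // as published; empty range, matches nothing
  ],
  'CVE-2026-68668': [['1.0.0', '2.0.0']],
  'CVE-2026-21877': [['0.123.0', '1.121.3']],
  'CVE-2026-21858': [['1.65.0', '1.121.0']],
};

// Parse "MAJOR.MINOR.PATCH" into integers; a missing component counts as 0.
// Assumption: n8n versions are numeric triples, so no pre-release handling.
function parseVersion(v) {
  const parts = String(v).trim().split('.').map(p => parseInt(p, 10));
  if (parts.length === 0 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Numeric comparison per component, not string comparison (1.9.0 < 1.120.4).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function inRange(version, [min, maxExclusive]) {
  return compareVersions(version, min) >= 0 && compareVersions(version, maxExclusive) < 0;
}

// Return the CVE ids from the table whose vulnerable ranges contain `version`,
// in table order.
function affectedCves(version) {
  return Object.entries(VULNERABLE_RANGES)
    .filter(([, ranges]) => ranges.some(r => inRange(version, r)))
    .map(([cve]) => cve);
}

// Stand-alone run over a few constructed version strings.
for (const v of ['1.100.0', '1.121.0', '1.121.2', '2.1.4']) {
  console.log(v, '->', affectedCves(v).join(', ') || 'none of the four');
}
```

The numeric comparison matters here: n8n's minor versions run past 100, so a naive string comparison would wrongly place 1.99.0 after 1.120.4 and miss an affected instance.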

What does this mean for Japan and the APAC region?

It is very concerning. Using our RiskSensor solution we have identified several customers running outdated versions in both Cloud and self-hosted instances. Over 15K organizations across our area of responsibility in the Asia-Pacific region run an n8n instance, 1K+ of them in Japan. Only 17% of instances in Japan have been patched above 2.0.X, which means the majority of versions in the Japan region are scattered and outdated for CVE-2025-68613, running below 1.124.0. As of January 6, there are also reports of supply chain attacks affecting n8n's npm ecosystem in a credential harvesting campaign. It is possible such campaigns are attempting to exfiltrate valid OAuth credentials in order to exploit the vulnerabilities that do require user authentication, that is, all of them other than CVE-2026-21858.


Which Groups Are We Tracking?


Figure 9: Open hacktivist recruitment

On January 9, we identified several hacktivist groups in Bangladesh exploiting a PoC (proof of concept) exploit released for CVE-2026-21858, attributed to Team BD Cyber Ninja, a conglomerate of vocal hacktivist groups in the country organized around geopolitical issues. There is no specific mention of this group using n8n in their data leak operations; however, we discovered a PoC they shared for Ni8mare (CVE-2026-21858). These findings come two days after the Bangladesh e-Gov CERT published an advisory for n8n on January 11, as hack-and-leak operations continue to rise following the Osman Hadi murder in early December 2025.



Figure 10: Latest hack-and-leak operations attributed to Team BD Cyber Ninja

Conclusion

We encourage organizations in the Japan and APAC (Asia Pacific) region to patch above 2.X, as we have observed widespread instances below this range that are vulnerable to both CVE-2025-68613 and CVE-2026-68668. In addition, the patches applied by n8n appear to be insufficient because they rely on blacklisting, which could allow workarounds, as demonstrated in Figure 6. We encourage organizations in the APAC region to stay alert for newer n8n vulnerabilities as more researchers discover weaknesses within the platform that were not carefully addressed, such as CVE-2025-68949, another case of incorrect n8n webhook handling. There have been ongoing campaigns targeting n8n's npm ecosystem to obtain user authentication, which three of the vulnerabilities require, allowing actors to chain them under those conditions. Thanks to the rapid response in early December from our threat research team Unit Zero, we proactively informed Japan and Asia Pacific organizations 15 days before the exploit code was released for CVE-2025-68613.

Team Unit Zero's On-the-Clock Response

Pipeline Horizon – Unit Zero is Pipeline’s dedicated APAC cyber threat intelligence, analysis, and emergency response team. If you suspect a cyber attack or security incident, please contact us:

📧 dfir@ppln.co | 📞 +81-50-3311-7772 | https://www.ppln.co/en



RiskSensor Solution: Real Time Identification

If you are looking for real-time identification, RiskSensor, our 2025 award-winning solution, quickly validates your attack surface across all your environments. In conjunction with our proactive threat research team Unit Zero, we informed organizations 15 days before exploit code was released, supporting proper patch management for our customers in Japan and across APAC (Asia Pacific).
