CISA Warns of Actively Exploited n8n RCE Vulnerability as 24,700 Instances Remain Exposed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting the n8n workflow automation platform to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the flaw is being exploited in real-world attacks.

The vulnerability, tracked as CVE-2025-68613 with a CVSS score of 9.9, allows attackers to execute arbitrary code remotely on affected systems. The issue was originally patched in December 2025, but a large number of deployments still run unpatched versions.

Details of the Security Flaw

According to CISA, the vulnerability results from improper control of dynamically managed code resources within the platform’s workflow expression evaluation system.

This weakness can allow attackers to inject malicious expressions that ultimately lead to remote code execution (RCE).

n8n developers stated that an attacker who is already authenticated could exploit the flaw to run arbitrary code with the same privileges as the n8n service process.

If successfully exploited, the vulnerability could enable a full compromise of the affected system. Attackers could gain access to sensitive data, including the credentials and API tokens a workflow uses, manipulate workflow automation processes, or perform system-level actions on the host server.

Large Number of Exposed Instances

Security monitoring data indicates that many n8n deployments have not yet applied the security update.

According to data from the Shadowserver Foundation, more than 24,700 n8n instances remain exposed on the internet.

Regional distribution of exposed systems includes:

  • Over 12,300 instances in North America
  • Approximately 7,800 systems in Europe

These figures highlight the risk of widespread exploitation if organizations fail to apply the available security patches.

Security Fixes and Affected Versions

The vulnerability was resolved in the following n8n versions released in December 2025:

  • 1.120.4
  • 1.121.1
  • 1.122.0
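Because the fix landed on three separate release lines, a plain "newer version number is safer" comparison gets the answer wrong: 1.120.4 is patched while the numerically higher 1.121.0 is not. The following script is an added example, not n8n project code or part of the original article. It encodes the three fix releases listed above in a branch-aware check and triages a small inventory of hosts. The hostnames and version strings in SAMPLE_INVENTORY are constructed for illustration; how you collect each instance's version (container image tag, UI settings page, package metadata) is left to the reader.

```python
"""Branch-aware check of n8n version strings against the CVE-2025-68613 fixes."""
from __future__ import annotations

import re
from typing import NamedTuple

# The three fix releases named in the advisory. Each one closes its own
# release line (1.120.x, 1.121.x, 1.122.x); every later line starts from
# 1.122.0 or newer and therefore carries the fix as well.
FIXED_VERSIONS = ("1.120.4", "1.121.1", "1.122.0")


class Version(NamedTuple):
    major: int
    minor: int
    patch: int


# Plain "MAJOR.MINOR.PATCH", optionally with a leading "v". Prerelease or
# build suffixes are rejected rather than guessed at, because "1.122.0-rc.1"
# predates 1.122.0 and must not be counted as patched.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Version:
    """Parse an n8n version string; raises ValueError on anything unexpected."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unsupported n8n version string: {text!r}")
    return Version(*(int(part) for part in match.groups()))


def is_patched(version_text: str) -> bool:
    """True if this version contains the CVE-2025-68613 fix.

    The check is branch-aware: 1.120.4 is patched even though it sorts below
    the unpatched 1.121.0, so a flat "greater than or equal" test is wrong.
    """
    version = parse_version(version_text)
    fixes = sorted(parse_version(fix) for fix in FIXED_VERSIONS)
    for fix in fixes:
        if (version.major, version.minor) == (fix.major, fix.minor):
            # Same release line: patched from the fix's patch level onward.
            return version.patch >= fix.patch
    newest_line = fixes[-1]
    # Not on one of the three fixed lines: only lines newer than the newest
    # fixed line (1.122.x) are safe; anything older predates every fix.
    return (version.major, version.minor) > (newest_line.major, newest_line.minor)


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Classify each host in a {host: version} inventory."""
    result: dict[str, str] = {}
    for host, version_text in inventory.items():
        try:
            result[host] = "patched" if is_patched(version_text) else "vulnerable"
        except ValueError:
            # Unparseable (e.g. a prerelease tag): verify by hand, never assume safe.
            result[host] = "unknown"
    return result


# Constructed inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "n8n-prod-1": "1.122.3",
    "n8n-prod-2": "1.121.0",
    "n8n-legacy": "1.119.2",
    "n8n-lts": "1.120.4",
    "n8n-dev": "1.123.0-rc.1",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12s} {SAMPLE_INVENTORY[host]:14s} {status}")
```

Anything that comes back as "unknown" deserves a manual look rather than a pass: a prerelease build that the regex refuses may well predate the fix on its line.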

CVE-2025-68613 is notable because it represents the first n8n vulnerability to be added to CISA’s KEV catalog, which tracks flaws known to be actively exploited by threat actors.

Additional Vulnerabilities Discovered

The inclusion of this vulnerability in the KEV list follows recent research from Pillar Security that revealed additional critical issues in the same platform.

One of these vulnerabilities, CVE-2026-27577 (CVSS 9.4), is a further flaw in the same workflow expression evaluation mechanism.

Security researchers indicated that the discovery of these related flaws points to a broader weakness in how the platform handles expression processing, so operators should expect further fixes in this area and not treat a single patch as the end of the matter.

Mandatory Patching Deadline for U.S. Federal Agencies

As part of the response to active exploitation, U.S. Federal Civilian Executive Branch agencies have been directed to secure their systems.

Under Binding Operational Directive 22-01, federal agencies must apply the necessary patches to vulnerable n8n installations by March 25, 2026.

CISA emphasized that organizations using n8n should update their systems immediately to reduce the risk of compromise.




Found this article interesting? Follow us on  X (Twitter) FacebookBlue sky and LinkedIn to read more exclusive content we post.