CISA Alerts on Critical n8n Vulnerability Amidst Widespread Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical security vulnerability affecting the n8n workflow automation platform to its Known Exploited Vulnerabilities (KEV) catalog. This action follows evidence of active exploitation of the flaw, identified as CVE-2025-68613, which carries a CVSS score of 9.9.
CVE-2025-68613 pertains to an expression injection vulnerability within n8n’s workflow expression evaluation system. This flaw allows authenticated attackers to execute arbitrary code with the same privileges as the n8n process. Such exploitation can lead to a full compromise of the affected instance, granting unauthorized access to sensitive data, the ability to modify workflows, and the execution of system-level operations.
In response to this critical issue, n8n released patches in December 2025, addressing the vulnerability in versions 1.120.4, 1.121.1, and 1.122.0. Despite these updates, a significant number of instances remain unpatched. Data from the Shadowserver Foundation indicates that over 24,700 unpatched n8n instances are currently exposed online. Of these, more than 12,300 are located in North America, and approximately 7,800 are in Europe, as of early February 2026.
The exact methods by which this vulnerability is being exploited in the wild have not been publicly detailed. However, the widespread exposure underscores the urgency for organizations to apply the necessary patches promptly.
Adding to the concern, Pillar Security has disclosed two additional critical flaws in n8n. One of these, identified as CVE-2026-27577 with a CVSS score of 9.4, has been classified as an additional exploit discovered in the workflow expression evaluation system following the initial CVE-2025-68613 disclosure. This suggests that the vulnerabilities within n8n’s system may be more extensive than initially understood.
In light of these developments, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies patch their n8n instances by March 25, 2026. This directive is in accordance with Binding Operational Directive (BOD 22-01), issued in November 2021, which aims to ensure that federal agencies address known exploited vulnerabilities in a timely manner.
Understanding the Impact of CVE-2025-68613
The CVE-2025-68613 vulnerability arises from improper control of dynamically managed code resources within n8n’s workflow expression evaluation system. This flaw enables authenticated users to inject and execute arbitrary code, potentially leading to unauthorized access and control over the affected system.
The severity of this vulnerability is heightened by the widespread use of n8n in automating complex workflows across various industries. Organizations rely on n8n to streamline operations, integrate different services, and manage data flows. A compromised n8n instance could disrupt business processes, lead to data breaches, and expose sensitive information to malicious actors.
Steps for Mitigation
To mitigate the risks associated with CVE-2025-68613, organizations should take the following steps:
1. Update n8n Instances: Ensure that all n8n instances are updated to the latest patched versions—1.120.4, 1.121.1, or 1.122.0. Regularly check for and apply any subsequent updates released by the n8n development team.
2. Review Access Controls: Evaluate and restrict user permissions within n8n to the minimum necessary for operational needs. Limiting the number of users with the ability to create or modify workflows can reduce the risk of exploitation.
3. Monitor for Unusual Activity: Implement monitoring solutions to detect anomalous behavior within n8n instances. Unusual activity may indicate attempted or successful exploitation of vulnerabilities.
4. Conduct Security Audits: Regularly perform security audits of n8n configurations and workflows to identify and remediate potential security gaps.
5. Educate Users: Provide training to users on the importance of security practices, recognizing phishing attempts, and reporting suspicious activities.
Broader Implications and Industry Response
The inclusion of CVE-2025-68613 in CISA’s KEV catalog highlights the growing concern over vulnerabilities in widely used automation platforms like n8n. As organizations increasingly adopt such tools to enhance efficiency, the potential attack surface for cyber threats expands.
The cybersecurity community has responded by emphasizing the need for proactive vulnerability management. Security researchers continue to identify and report flaws, prompting developers to release timely patches. However, the responsibility also lies with organizations to implement these updates and maintain robust security postures.
In addition to patching known vulnerabilities, organizations are encouraged to adopt a comprehensive security strategy that includes:
– Regular Vulnerability Assessments: Conduct periodic assessments to identify and address potential security weaknesses.
– Incident Response Planning: Develop and test incident response plans to ensure swift action in the event of a security breach.
– Collaboration with Security Communities: Engage with cybersecurity communities and information-sharing organizations to stay informed about emerging threats and best practices.
Conclusion
The active exploitation of CVE-2025-68613 in n8n serves as a stark reminder of the critical importance of timely vulnerability management. Organizations utilizing n8n must prioritize updating their instances, reviewing security configurations, and implementing comprehensive monitoring to safeguard against potential attacks. By taking these proactive measures, organizations can protect their systems, data, and operations from the evolving landscape of cyber threats.
