Critical n8n Vulnerability Exposes Over 24,700 Instances to Remote Code Execution Risk

The Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical security flaw affecting the n8n workflow automation platform to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, identified as CVE-2025-68613 with a CVSS score of 9.9, involves an expression injection issue that can lead to remote code execution (RCE). The flaw was patched by n8n in December 2025 with the release of versions 1.120.4, 1.121.1, and 1.122.0.

Understanding CVE-2025-68613

CVE-2025-68613 is a vulnerability within n8n’s workflow expression evaluation system. It allows authenticated users to execute arbitrary code with the same privileges as the n8n process. Exploitation of this flaw can result in complete system compromise, granting attackers access to sensitive data, the ability to modify workflows, and the execution of system-level operations.

Current Exposure and Exploitation

As of early February 2026, data from the Shadowserver Foundation indicates that over 24,700 unpatched n8n instances are exposed online. Of these, more than 12,300 are located in North America, and approximately 7,800 are in Europe. The widespread exposure underscores the urgency for organizations to address this vulnerability promptly.

CISA’s Response and Recommendations

In response to the active exploitation of CVE-2025-68613, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies patch their n8n instances by March 25, 2026, as required by Binding Operational Directive (BOD) 22-01, issued in November 2021. The mandate underscores the critical nature of the vulnerability and the need for immediate remediation.

Additional Vulnerabilities in n8n

Following the disclosure of CVE-2025-68613, additional critical vulnerabilities have been identified in n8n:

– CVE-2026-21877: This flaw allows authenticated users to execute arbitrary code on the underlying instance. It affects n8n versions >= 0.123.0 and < 1.121.3 and has been addressed in version 1.121.3. ([thehackernews.com](https://thehackernews.com/2026/01/n8n-warns-of-cvss-100-rce-vulnerability.html?utm_source=openai))
– CVE-2026-27494: An authenticated user with permission to create or modify workflows can exploit the Python Code node to escape the sandbox, potentially leading to RCE. This issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. ([nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2026-27494?utm_source=openai))
– CVE-2026-21858: Known as Ni8mare, this vulnerability allows unauthenticated remote code execution via exposed webhook endpoints in n8n versions earlier than 1.121.0. It carries a CVSS score of 10.0, indicating maximum severity. ([purple-ops.io](https://www.purple-ops.io/resources-hottest-cves/cve-2026-21858-ai-exploit/?utm_source=openai))

Mitigation Measures

To protect against these vulnerabilities, organizations should take the following steps:

1. Immediate Patching: Upgrade n8n to the latest versions that address these vulnerabilities. For CVE-2025-68613, ensure that your instance is updated to version 1.120.4, 1.121.1, or 1.122.0.
2. Restrict Workflow Modification Access: Limit permissions to create or modify workflows to trusted users only. This measure can help prevent unauthorized exploitation of vulnerabilities like CVE-2026-27494. ([nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2026-27494?utm_source=openai))
3. Disable High-Risk Nodes: As a temporary mitigation, consider disabling nodes that are susceptible to exploitation, such as the Git node, until patches can be applied. ([socradar.io](https://socradar.io/blog/cve-2026-21877-n8n-authenticated-rce/?utm_source=openai))
4. Monitor and Audit: Regularly review audit logs and monitor for any suspicious activity that may indicate exploitation attempts.
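
As an added example (not code from n8n or from the sources cited here), the Python script below checks inventoried n8n versions against the fixed releases and affected ranges listed above. It assumes that a release line newer than every listed fix already contains that fix and, where the article gives no lower bound, treats all older versions as affected; the inventory is constructed.

```python
# Added example: fix versions and ranges are copied from the article; the
# branch-matching rule and the sample inventory are assumptions.
import re

# CVE -> fixed releases, one per release line (from the article).
BRANCH_FIXES = {
    "CVE-2025-68613": ["1.120.4", "1.121.1", "1.122.0"],
    "CVE-2026-27494": ["1.123.22", "2.9.3", "2.10.1"],
}
# CVE -> (first affected or None, first fixed): half-open range from the article.
RANGES = {
    "CVE-2026-21877": ("0.123.0", "1.121.3"),
    "CVE-2026-21858": (None, "1.121.0"),
}

def parse(version):
    """Turn '1.121.0' or 'v1.121.0' into (1, 121, 0); reject anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(p) for p in m.groups())

def fixed_on_branch(v, fixes):
    """True if v carries the fix: at or past the fix on its own major.minor
    line, or on a line newer than every listed fix (assumed to include it)."""
    fixes = sorted(parse(f) for f in fixes)
    for f in fixes:
        if v[:2] == f[:2]:
            return v >= f
    return v[:2] > fixes[-1][:2]

def open_cves(version):
    """Return the CVEs from the article that this version still needs a patch for."""
    v = parse(version)
    hits = [c for c, fx in BRANCH_FIXES.items() if not fixed_on_branch(v, fx)]
    for cve, (lo, hi) in RANGES.items():
        if (lo is None or v >= parse(lo)) and v < parse(hi):
            hits.append(cve)
    return sorted(hits)

if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are made up for the demo.
    inventory = {"automation-01": "1.119.2", "automation-02": "1.121.0",
                 "automation-03": "1.122.0", "automation-04": "2.10.1"}
    for host, ver in inventory.items():
        print(f"{host:15} {ver:10} {', '.join(open_cves(ver)) or 'none listed'}")
```

A plain "is the version at least 1.120.4" comparison would pass 1.121.0, which sits on a release line whose fix for CVE-2025-68613 is 1.121.1; the per-line check above flags it.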

Conclusion

The active exploitation of vulnerabilities like CVE-2025-68613 in the n8n platform highlights the critical importance of timely patching and vigilant security practices. Organizations utilizing n8n must prioritize updating their instances and implementing robust access controls to mitigate the risk of remote code execution and potential system compromise.