The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a critical vulnerability in the n8n workflow automation platform. This flaw, which has been actively exploited, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, identified as CVE-2025-68613, carries a CVSS score of 9.9, highlighting its severity.
Details of the Security Flaw
The vulnerability is associated with expression injection that results in remote code execution. This serious issue was addressed by n8n in December 2025 with updates in versions 1.120.4, 1.121.1, and 1.122.0. It marks the first n8n-related vulnerability to be cataloged in the KEV list. According to CISA, the flaw involves improper control of dynamically managed code resources, potentially enabling an authenticated attacker to execute arbitrary code.
Exploitation of this vulnerability could lead to a full compromise of the n8n instance, granting attackers the capability to access sensitive information, alter workflows, or perform system-level operations.
Current Exploitation Landscape
While specific exploitation methods have not been disclosed, data from the Shadowserver Foundation reveals that over 24,700 instances remain unpatched and vulnerable, with significant concentrations in North America and Europe. This exposure underscores the urgency for organizations to implement the necessary security patches.
In response to the threat, federal agencies have been instructed to secure their systems by March 25, 2026, as per a Binding Operational Directive issued to mitigate potential risks.
Future Implications and Security Measures
The discovery of CVE-2025-68613 was followed by the identification of additional critical flaws in n8n by Pillar Security, notably CVE-2026-27577, which further exploits weaknesses in the platform’s expression evaluation system. This highlights an ongoing need for vigilance and prompt action in addressing security vulnerabilities.
Organizations using n8n are strongly advised to update their systems immediately to protect against these active threats and safeguard sensitive data.
As cyber threats continue to evolve, staying informed and proactive in patch management remains crucial for maintaining enterprise security.
