CISA has added a critical n8n vulnerability to its KEV catalog after evidence of active exploitation emerged, with over 24,700 unpatched instances still exposed online.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in the popular workflow automation platform n8n to its Known Exploited Vulnerabilities (KEV) catalog, marking the first time a vulnerability in this software has been included in the list of actively exploited flaws.
Critical Vulnerability Allows Remote Code Execution
The vulnerability, tracked as CVE-2025-68613, carries a CVSS score of 9.9 out of 10, indicating its severe nature. The flaw stems from an expression injection vulnerability in n8n's workflow expression evaluation system that allows for remote code execution (RCE).
According to CISA, "N8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution." The security shortcoming was patched by n8n in December 2025 across versions 1.120.4, 1.121.1, and 1.122.0.
Active Exploitation and Widespread Exposure
While CISA cited evidence of active exploitation, specific details about how attackers are weaponizing this vulnerability remain undisclosed. What is clear is the scale of exposure: data from the Shadowserver Foundation reveals that over 24,700 unpatched n8n instances remain exposed online as of early February 2026.
Geographic distribution shows significant concentration in North America, with more than 12,300 exposed instances, followed by Europe with approximately 7,800 instances. This widespread exposure creates a substantial attack surface for malicious actors.
Security Implications and Attack Scenarios
An authenticated attacker could exploit this vulnerability to execute arbitrary code with the privileges of the n8n process. Successful exploitation could lead to complete compromise of the affected instance, enabling attackers to:
- Access sensitive data processed by workflows
- Modify existing workflows to introduce malicious logic
- Execute system-level operations on the host machine
- Potentially pivot to other systems within the network
Additional Vulnerabilities Discovered
Following the disclosure of CVE-2025-68613, Pillar Security identified two additional critical flaws in n8n. One of these, CVE-2026-27577 (CVSS score 9.4), has been described as covering "additional exploits" in the same workflow expression evaluation system. This suggests that the initial vulnerability may have exposed deeper architectural issues in n8n's code evaluation mechanisms rather than a single isolated bug.
Federal Mandates and Patching Deadlines
Federal Civilian Executive Branch (FCEB) agencies have been ordered to patch their n8n instances by March 25, 2026, as mandated by Binding Operational Directive (BOD) 22-01, which was issued in November 2021. This directive requires federal agencies to remediate identified vulnerabilities within specified timeframes to reduce the risk of exploitation.
Context and Industry Response
The addition of CVE-2025-68613 to CISA's KEV catalog underscores the growing concern around vulnerabilities in workflow automation platforms. As organizations increasingly rely on tools like n8n to orchestrate complex business processes, the security of these platforms becomes critical to overall enterprise security.
Security experts recommend that organizations using n8n immediately verify their installation version and apply the necessary patches if running affected versions. For those unable to immediately patch, implementing network segmentation, access controls, and monitoring for suspicious workflow activity can provide interim protection.
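As an added illustration of the "verify your installation version" step, not code from the article or from the n8n project, the script below triages n8n version strings against the three fixed releases the advisory names (1.120.4, 1.121.1 and 1.122.0) and sorts an inventory so affected hosts come first. It assumes that minor lines older than 1.120 received no backported fix and must be upgraded, that a pre-release tag (for example 1.122.0-rc.1) sorts below the corresponding final release, and that the hostnames in the sample inventory are constructed for the example.

```python
# Added example (not from the article or the n8n project): triage n8n
# version strings against the fixed releases named in the advisory.
from __future__ import annotations

import re
from typing import NamedTuple

# Fixed releases per the advisory. The fourth tuple element is a
# "final release" flag: 1 for a normal release, 0 for a pre-release, so
# 1.122.0-rc.1 compares below 1.122.0 and is still treated as affected.
BACKPORTED_FIXES = {
    (1, 120): (1, 120, 4, 1),
    (1, 121): (1, 121, 1, 1),
}
FIRST_FIXED_MAINLINE = (1, 122, 0, 1)

# Assumption (not stated on the page): release lines older than 1.120 have
# no backported fix and are treated as affected until upgraded.
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$"
)


class Triage(NamedTuple):
    host: str
    version: str
    affected: bool
    reason: str


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'v1.120.3', '1.122.0' or '1.122.0-rc.1' into a comparable tuple.

    Returns (major, minor, patch, final) where final is 0 for a pre-release
    and 1 otherwise, so pre-releases sort below the final release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    major, minor, patch, prerelease, _build = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def _fmt(v: tuple[int, int, int, int]) -> str:
    return f"{v[0]}.{v[1]}.{v[2]}"


def is_affected(version: str, host: str = "") -> Triage:
    """Decide whether a single n8n version still carries CVE-2025-68613."""
    v = parse_version(version)
    if v >= FIRST_FIXED_MAINLINE:
        return Triage(host, version, False, "at or above 1.122.0")
    backport = BACKPORTED_FIXES.get(v[:2])
    if backport is not None:
        if v >= backport:
            return Triage(host, version, False, f"at or above backported fix {_fmt(backport)}")
        return Triage(host, version, True, f"below backported fix {_fmt(backport)}; update")
    return Triage(host, version, True, "release line older than 1.120 has no fix; upgrade to 1.122.0 or later")


def triage_inventory(inventory: dict[str, str]) -> list[Triage]:
    """Triage a host -> version inventory, listing affected hosts first."""
    results = [is_affected(version, host) for host, version in inventory.items()]
    # Affected first, then by host name so the output is stable.
    return sorted(results, key=lambda t: (not t.affected, t.host))


def affected_hosts(inventory: dict[str, str]) -> list[str]:
    """Convenience view: just the hostnames that still need patching."""
    return [t.host for t in triage_inventory(inventory) if t.affected]


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "automation-01.example.internal": "1.120.3",
        "automation-02.example.internal": "1.121.1",
        "automation-03.example.internal": "v1.119.9",
        "automation-04.example.internal": "1.122.0-rc.1",
        "automation-05.example.internal": "1.123.0",
    }
    for t in triage_inventory(sample):
        status = "AFFECTED" if t.affected else "fixed   "
        print(f"{status}  {t.host:34s} {t.version:14s} {t.reason}")
```

Feed it the versions reported by each instance (the version shown in the n8n settings page, or the image tag of the running container) and act on the AFFECTED rows first; a host that fails to parse raises rather than being silently skipped, which is the behaviour you want in an inventory sweep.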
The widespread exposure of over 24,700 instances highlights the challenge of vulnerability management at scale, particularly for open-source and widely deployed tools where update adoption can lag significantly behind patch availability.