CISA has added a near-perfect 9.9 CVSS vulnerability in n8n workflow automation platform to its KEV list after confirming active exploitation, affecting over 100,000 users.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about active exploitation of a critical vulnerability in n8n, a popular open-source workflow automation platform. The vulnerability, tracked as CVE-2025-68613, has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, signaling that federal agencies are under active threat from malicious actors exploiting this flaw.
The Vulnerability and Its Severity
The vulnerability carries a near-perfect CVSS score of 9.9, indicating its critical nature and the severe impact it could have on affected systems. CVE-2025-68613 exists in n8n's expression evaluation engine, which is fundamental to the platform's ability to automate operational tasks across various systems. Under specific conditions, authenticated attackers can inject malicious payloads into expressions that execute without proper validation.
According to n8n's security advisory, successful exploitation could lead to complete compromise of the affected instance. This includes unauthorized access to sensitive data, modification of existing workflows, and execution of system-level operations. In practical terms, this means that even an attacker with only low-privilege access could potentially take full control of an n8n instance, access stored secrets like passwords and API keys, and manipulate workflows to distribute malicious code throughout connected systems.
Scope of the Problem
When the vulnerability was first disclosed in December 2025, security firm Resecurity estimated that of n8n's approximately 230,000 active users, more than 103,000 appeared to be vulnerable. This represents a significant portion of the platform's user base, including many organizations that rely on n8n for critical business automation.
n8n patched the vulnerability in version 1.122.0, released in December 2025. However, CISA's decision to add this vulnerability to the KEV list suggests that many organizations, including federal agencies, have not yet applied the necessary updates despite the patch being available for several months.
Timeline of Related Vulnerabilities
This latest warning comes amid a series of security issues affecting n8n over recent months. Following the initial disclosure of CVE-2025-68613, the project maintainers have been dealing with multiple critical vulnerabilities:
CVE-2026-21858 (CVSS 10.0): Discovered by Cyera researchers and dubbed "ni8mare," this authentication-bypass vulnerability allowed attackers to execute arbitrary code without any authentication, thanks to improper handling of webhooks.
CVE-2026-25049 (CVSS 9.4): A collection of vulnerabilities disclosed in early February that provided additional exploitation vectors in the expression evaluation engine, similar to CVE-2025-68613.
These successive vulnerabilities have created a challenging security landscape for n8n users and maintainers, requiring multiple patches and security updates in a short timeframe.
Federal Agency Response Required
CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies must patch this vulnerability by March 25, 2026. This directive underscores the severity of the threat and the potential for significant damage if federal systems remain vulnerable.
The KEV catalog serves as CISA's authoritative list of known, actively exploited vulnerabilities that pose significant risk to federal networks. By adding CVE-2025-68613 to this list, CISA is signaling that this vulnerability represents a credible threat to national security and critical infrastructure.
Broader Implications for Workflow Automation
This incident highlights the growing security challenges in the workflow automation space as organizations increasingly rely on these platforms to connect critical systems and automate sensitive operations. The concentration of privileged access and system integration capabilities in workflow automation tools makes them attractive targets for attackers.
For organizations using n8n or similar platforms, this situation emphasizes the importance of:
- Maintaining rigorous patch management processes
- Implementing network segmentation for automation platforms
- Regularly auditing workflow configurations and access controls
- Monitoring for suspicious activity in automation systems
- Considering the security implications of third-party integrations
Moving Forward
As workflow automation continues to evolve and expand in enterprise environments, security must remain a top priority. The n8n vulnerabilities demonstrate how a single flaw in a core component like expression evaluation can have cascading effects across connected systems.
Organizations should not only apply the available patches but also review their overall security posture for automation platforms. This includes assessing the principle of least privilege, implementing proper logging and monitoring, and developing incident response plans specific to workflow automation systems.
The active exploitation of CVE-2025-68613 serves as a stark reminder that even well-maintained open-source projects can harbor critical vulnerabilities, and that timely patching is essential to maintaining a strong security posture in an increasingly interconnected digital environment.
Comments
Please log in or register to join the discussion