The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw affecting n8n to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.
This vulnerability is tracked as CVE-2025-68613 (CVSS score: 9.9) and involves an expression injection case that could lead to remote code execution. This security flaw was patched in n8n versions 1.120.4, 1.121.1, and 1.122.0 in December 2025. CVE-2025-68613 is the first n8n vulnerability listed in the KEV catalog.
“N8n contains an improper control vulnerability in the workflow-based evaluation system of dynamically managed code resources that could potentially lead to remote code execution,” CISA said.
According to the administrator of the workflow automation platform, this vulnerability could be exploited by an authenticated attacker to execute arbitrary code with the privileges of the n8n process.
Successful exploitation of this flaw could result in a complete compromise of an instance, allowing the attacker to access sensitive data, modify workflows, or perform system-level operations.
At this time, details about how this vulnerability is being exploited in the wild are unknown. As of early February 2026, there are more than 24,700 unpatched instances online, with more than 12,300 in North America and more than 7,800 in Europe, according to data from the Shadowserver Foundation.
The addition of CVE-2025-68613 comes after Pillar Security disclosed two critical flaws in n8n, one of which, CVE-2026-27577 (CVSS score: 9.4), was classified as an “additional exploit” discovered in the Workflow Rating System following CVE-2025-68613.
Federal Civilian Executive Branch (FCEB) agencies have been ordered to patch their n8n instances by March 25, 2026, as required by the Binding Operating Directive (BOD 22-01) issued in November 2021.
Source link
