The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical security flaw affecting the workflow automation tool n8n to its Known Exploited Vulnerabilities (KEV) catalog, signaling a significant development for enterprise security. This move comes after evidence emerged indicating the vulnerability is being actively exploited in the wild.
Critical n8n Vulnerability Added to CISA’s KEV Catalog
CISA’s inclusion of the n8n vulnerability, tracked as CVE-2025-68613, underscores the severity of the issue. The vulnerability, which carries a CVSS score of 9.9, stems from an expression injection flaw that can lead to remote code execution. n8n, the company behind the platform, released patches in December 2025 in versions 1.120.4, 1.121.1, and 1.122.0 to close this critical security gap. This marks the first time an n8n vulnerability has been listed in the KEV catalog.
The cybersecurity agency described the issue as an “improper control of dynamically managed code resources” within n8n’s workflow expression evaluation system. This flaw creates an opening that malicious actors can exploit to execute arbitrary code on a target system remotely.
According to n8n’s maintainers, the vulnerability can be weaponized by an authenticated attacker. This means an attacker would first need to gain some level of access to the n8n instance before they could leverage the flaw. Once exploited, the attacker could run code with the same privileges as the n8n process itself, potentially leading to a complete compromise of the affected instance.
Implications of CVE-2025-68613 Exploitation
The consequences of a successful exploit are far-reaching. Attackers could gain unauthorized access to sensitive data stored within the n8n workflows, modify existing automation processes to suit their malicious objectives, or even execute system-level operations on the underlying infrastructure. This highlights the critical need for organizations to promptly apply the available patches.
Details regarding the specific methods currently being used by threat actors to exploit CVE-2025-68613 in the wild have not been publicly disclosed. However, data collected by the Shadowserver Foundation has revealed a concerning number of unpatched n8n instances exposed online. As of early February 2026, more than 24,700 instances were found to be vulnerable, with a significant portion, over 12,300, located in North America and another 7,800 in Europe.
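As an added example, not code from the article, from n8n or from CISA, the following Python helper classifies n8n version strings from an asset inventory against the three fixed releases named above (1.120.4, 1.121.1 and 1.122.0). It assumes that every release on the 1.120.x and 1.121.x branches at or above the named patch level carries the fix and that every release from 1.122.0 upward does; the hostnames and versions in the sample inventory are constructed.

```python
"""Triage n8n versions against the fixed releases for CVE-2025-68613.

Assumption: on the 1.120.x and 1.121.x branches the fix is present from the
named patch level upward; everything from 1.122.0 upward is fixed; anything
older than 1.120.0 is treated as unpatched. Prerelease suffixes are ignored.
"""
import re
from typing import List, Tuple

# Fixed releases as stated in the article, oldest branch first.
FIXED_VERSIONS: Tuple[Tuple[int, int, int], ...] = ((1, 120, 4), (1, 121, 1), (1, 122, 0))

# Accepts "1.120.4", "v1.120.4" and "1.120.4-rc.1"; the suffix is dropped.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched_for_cve_2025_68613(version: str) -> bool:
    v = parse_version(version)
    # Same major.minor as a fixed release: patched only at or above that patch level.
    for fixed in FIXED_VERSIONS:
        if v[:2] == fixed[:2]:
            return v >= fixed
    # Off the fixed branches: newer than the newest fixed line is patched, older is not.
    return v > FIXED_VERSIONS[-1]


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (hostname, version) pairs that still need the patch."""
    return [(host, ver) for host, ver in inventory if not is_patched_for_cve_2025_68613(ver)]


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("n8n-prod-01", "1.119.2"),   # pre-fix branch: unpatched
    ("n8n-prod-02", "1.120.4"),   # fixed release on the 1.120 branch
    ("n8n-dev", "1.121.0"),       # 1.121 branch below the fixed patch level
    ("n8n-lab", "v1.123.0"),      # newer than 1.122.0
]

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ver} still needs the CVE-2025-68613 patch")
```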
Additional Vulnerabilities Disclosed
The addition of CVE-2025-68613 to the KEV catalog coincides with further disclosures from Pillar Security. This security firm recently identified two additional critical flaws within n8n. One of these, designated CVE-2026-27577 and carrying a CVSS score of 9.4, has been labeled as an “additional exploit” discovered within the same workflow expression evaluation system, following the initial investigation into CVE-2025-68613.
Under Binding Operational Directive (BOD) 22-01, issued in November 2021, Federal Civilian Executive Branch (FCEB) agencies are required to remediate vulnerabilities listed in the KEV catalog by the stated deadline. For CVE-2025-68613, agencies must patch their n8n instances by March 25, 2026, to mitigate the identified risk and strengthen their overall cybersecurity posture.
The ongoing discoveries and CISA’s actions underscore the dynamic nature of cybersecurity threats. Organizations using n8n must remain vigilant, prioritize patching, and monitor for further alerts and advisories from n8n and CISA to safeguard their systems against evolving exploits. The deadline for federal agencies provides a clear benchmark, but all organizations employing this workflow automation tool should act with similar urgency.