CISA Flags Actively Exploited n8n RCE; 24,700 Instances Exposed

Quick heads-up, team. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical n8n vulnerability to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation.

The flaw is tracked as CVE-2025-68613 (CVSS 9.9). It’s an expression injection issue in n8n’s workflow expression evaluation that enables remote code execution. The n8n team patched it in December 2025 across versions 1.120.4, 1.121.1, and 1.122.0. Notably, this is the first n8n vulnerability to make it into the KEV catalog.

“N8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution,” CISA said.

According to the platform maintainers, an authenticated attacker could weaponize the issue to execute arbitrary code with the privileges of the n8n process. In practice, a successful exploit can fully compromise an instance—exposing sensitive data, modifying workflows, or triggering system-level operations.

There are no public details yet on the in-the-wild exploit path. Even so, data from the Shadowserver Foundation shows more than 24,700 unpatched instances reachable online as of early February 2026—over 12,300 in North America and 7,800 in Europe.

Separately, Pillar Security disclosed two critical n8n issues. One of them, CVE-2026-27577 (CVSS 9.4), has been classified as covering “additional exploits” discovered in the same workflow expression evaluation area following CVE-2025-68613.

Federal Civilian Executive Branch (FCEB) agencies have been directed to patch affected n8n instances by March 25, 2026, under Binding Operational Directive 22-01 (issued November 2021).


Practical takeaway

  • If you run n8n, verify your version. Update to one of the patched releases: 1.120.4, 1.121.1, or 1.122.0.
  • If you’re in the U.S. FCEB, meet the March 25, 2026 deadline.
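
The version check above has one trap: the fix shipped on three release lines, so a plain "is it at least 1.120.4" comparison wrongly passes 1.121.0. The sketch below is an added example, not code from n8n or CISA. It assumes you already have each instance's version string, that release lines after 1.122 carry the fix, and that anything before 1.120 needs an upgrade; the hostnames are constructed.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) release line.
PATCHED = {(1, 120): 4, (1, 121): 1, (1, 122): 0}
LAST_FIXED_LINE = max(PATCHED)

# Strict MAJOR.MINOR.PATCH only; tags like "latest" or pre-release
# suffixes are rejected so they go to manual review.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    match = _VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version):
    """True if `version` is at or past the fix on its own release line."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in PATCHED:
        return patch >= PATCHED[line]
    # Assumption: lines after 1.122 carry the fix; lines before 1.120
    # have no fixed release listed, so they need an upgrade.
    return line > LAST_FIXED_LINE


def triage(inventory):
    """Map each host to 'ok', 'update' or 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "ok" if is_patched(version) else "update"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are made up.
    sample = {
        "wf-prod-01": "1.120.4",
        "wf-prod-02": "1.121.0",  # newer than 1.120.4 yet still unfixed
        "wf-stage-01": "1.119.2",
        "wf-dev-01": "latest",
    }
    for host, status in sorted(triage(sample).items()):
        print(f"{host}: {status}")
```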

Don’t wait for an incident to do the right thing—patch now. In sha Allah, staying proactive here will save you bigger pain later.
