The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution flaw in the n8n workflow automation platform to its Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation as tens of thousands of unpatched instances remain internet-exposed.
Background
n8n frequently serves as a central orchestration layer connecting internal systems, cloud services, and third-party APIs. A compromise can cascade across an entire organization. With over 100 million Docker pulls and thousands of enterprises relying on the platform, n8n has become a high-value target as attackers increasingly focus on automation infrastructure.
CISA added CVE-2025-68613-a critical expression injection vulnerability leading to remote code execution-to the KEV catalog based on evidence of active exploitation. It is the first n8n vulnerability placed in the KEV catalog. n8n patched the flaw in December 2025 in versions 1.120.4, 1.121.1, and 1.122.0.
Details
CVE-2025-68613 carries a CVSS score of 9.9 and affects n8n versions 0.211.0 through 1.120.3. The flaw allows authenticated users to supply malicious JavaScript expressions inside workflows that escape the intended sandbox and execute arbitrary code with the privileges of the n8n process. Workflow creation and editing permissions are commonly granted to developers, DevOps engineers, automation owners, and integration partners. In many environments, these permissions are shared broadly to support collaboration, increasing exposure in the event of credential compromise or insider misuse.
Data from the Shadowserver Foundation shows more than 24,700 unpatched instances remain exposed online, with over 12,300 in North America and 7,800 in Europe. Federal Civilian Executive Branch agencies must patch their n8n instances by March 25, 2026, under Binding Operational Directive BOD 22-01.
The Zerobot botnet-a Mirai-based botnet known for targeting IoT devices-has leveraged CVE-2025-68613 to compromise n8n instances. Although successful exploitation requires authentication, this barrier is not substantial. Credentials may be obtained through open registration, brute-forcing, credential stuffing, or by chaining the vulnerability with a separate authentication bypass flaw.
That second flaw, CVE-2026-21858 (dubbed "Ni8mare"), carries a maximum CVSS score of 10.0 and was disclosed by Cyera Research Labs on January 7, 2026. The vulnerability stems from content-type confusion in webhook request handling, allowing attackers to forge uploaded files, read arbitrary local files, forge administrator sessions, and execute commands on the underlying host. A public proof-of-concept exploit has been released, and an estimated 100,000 n8n servers globally remain exposed, amplifying the potential for rapid, opportunistic exploitation.
A separate threat vector has also emerged at scale. Threat actors have weaponized n8n to facilitate phishing campaigns and deliver malicious payloads, turning its trusted infrastructure into delivery vehicles for persistent remote access, according to Cisco Talos researchers Sean Gallagher and Omid Mirzaei. The volume of phishing emails containing n8n webhook URLs in March 2026 was approximately 686% higher than in January 2025.
CISA's addition of CVE-2025-68613 to the KEV catalog coincides with Pillar Security's disclosure of CVE-2026-27577 (CVSS 9.4), an additional exploit discovered in the same workflow expression evaluation system.
For enterprises that cannot immediately patch, security researchers advise a layered mitigation approach. Organizations should limit workflow creation and editing permissions to trusted users and deploy n8n in a hardened environment with restricted operating system privileges and network access. For those unable to apply the patch, n8n developers recommend restricting or disabling publicly accessible webhook and form endpoints as a temporary mitigation. Intel 471 recommends monitoring for unexpected child process spawns originating from the n8n process-particularly those executing system commands such as "id" and "whoami," or payload downloaders such as wget and curl-as indicators of active exploitation.
Outlook
n8n combines AI capabilities with business process automation and integrates with over 400 third-party solutions. A successful compromise could affect enterprise environments broadly, and targeting AI-powered workflow automation platforms introduces a new attack vector that may create additional opportunities for data breaches and malicious code distribution. Enterprises should treat unpatched n8n instances as critical remediation priorities, establish incident-response playbooks specific to automation platform compromise, and audit the breadth of credentials and API keys accessible to workflow processes to contain potential blast radius.
