CISA Flags Actively Exploited n8n RCE Bug as 24,700 Instances Remain Exposed
Critical Security Flaw in n8n Workflow Automation Platform Actively Exploited, CISA Warns
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a severe vulnerability in the popular n8n workflow automation platform to its Known Exploited Vulnerabilities (KEV) catalog, the agency’s list of flaws confirmed to be exploited in the wild. Inclusion in the catalog is CISA’s signal that the flaw is being used in real attacks and that organizations running n8n should treat remediation as urgent.
The Vulnerability: A Remote Code Execution Nightmare
Tracked as CVE-2025-68613, the vulnerability carries a CVSS score of 9.9, placing it at the top of the “critical” range. It is an expression injection flaw in n8n’s workflow expression evaluation system: the component that evaluates the expressions embedded in workflow nodes can be made to run attacker-supplied code instead of merely resolving data references. An authenticated attacker who can get such an expression evaluated can therefore execute arbitrary code on the host. In practice that means full control of the n8n instance, with data theft, workflow manipulation, and compromise of the underlying system as the likely consequences.
The vulnerability was patched by n8n in December 2025, with fixes released in versions 1.120.4, 1.121.1, and 1.122.0. However, the fact that it has now been added to CISA’s KEV catalog underscores the urgency of the situation. This is the first n8n vulnerability to make it onto the list, highlighting its severity and the active threat it poses.
How the Flaw Works
According to CISA, the vulnerability arises from “improper control of dynamically managed code resources” within n8n’s workflow expression evaluation system. This flaw allows authenticated attackers to execute arbitrary code with the same privileges as the n8n process. In practical terms, this could enable an attacker to:
- Read sensitive data held by the n8n instance, including the credentials and API tokens that workflows use to reach other systems.
- Modify or delete workflows, disrupting critical business operations.
- Execute system-level commands, potentially compromising the entire infrastructure.
The maintainers of n8n have confirmed that the vulnerability could be weaponized by an authenticated attacker, making it a significant concern for organizations using the platform.
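To make the vulnerability class concrete, here is a toy workflow expression evaluator written for this article. It is not n8n’s code and does not reproduce how n8n’s evaluator or the real exploit work; it only illustrates what “improper control of dynamically managed code resources” means in an expression engine: the naive version hands the expression body to the JavaScript engine, so any expression a workflow editor types runs with the host process’s privileges, while the strict version resolves only a dotted property path on the item and refuses everything else, including walks up the prototype chain. The sample item, the `{{ }}` syntax and the probe expressions are all constructed for the example.

```javascript
// Toy expression evaluator illustrating the vulnerability class behind an
// "expression injection" bug. Written for this article; NOT n8n's code.

// Constructed sample item, standing in for data flowing through a workflow.
const SAMPLE_ITEM = { name: "Alice", email: "alice@example.com" };

// Template syntax assumed for the example: a single {{ ... }} expression.
const EXPR_RE = /^\{\{\s*(.+?)\s*\}\}$/;

// Vulnerable pattern: the expression body is compiled and run as JavaScript.
// The author intended "$json.<field>" lookups, but the engine will happily
// run anything, with the full privileges of the host process.
function evaluateNaive(template, item) {
  const m = EXPR_RE.exec(template);
  if (!m) return template;
  const fn = new Function("$json", "return (" + m[1] + ");");
  return fn(item);
}

// Hardened pattern: accept only a dotted property path rooted at $json and
// resolve it by hand. No code is ever compiled from the template.
const PATH_RE = /^\$json(\.[A-Za-z_][A-Za-z0-9_]*)+$/;

function evaluateStrict(template, item) {
  const m = EXPR_RE.exec(template);
  if (!m) return template;
  const expr = m[1];
  if (!PATH_RE.test(expr)) {
    throw new Error("expression rejected: only $json.<prop>[.<prop>...] is allowed");
  }
  let cur = item;
  for (const key of expr.split(".").slice(1)) {
    // Own properties only: a syntactically valid path such as
    // $json.constructor.name must not be allowed to leave the item's data
    // and reach constructors or other objects via the prototype chain.
    if (cur === null || typeof cur !== "object" ||
        !Object.prototype.hasOwnProperty.call(cur, key)) {
      throw new Error(`expression rejected: unknown property '${key}'`);
    }
    cur = cur[key];
  }
  return cur;
}

function tryStrict(template, item) {
  try { return evaluateStrict(template, item); } catch (e) { return "rejected"; }
}

// Two benign probes. Neither should ever succeed from inside a data expression:
// the first asks whether the host's global `process` object is visible, the
// second is a well-formed path that escapes the item through its prototype.
const HOST_PROBE = "{{ typeof process }}";
const PROTO_PROBE = "{{ $json.constructor.name }}";

function demo() {
  const legit = "{{ $json.name }}";
  return {
    naiveLegit: evaluateNaive(legit, SAMPLE_ITEM),    // "Alice"
    strictLegit: evaluateStrict(legit, SAMPLE_ITEM),  // "Alice"
    naiveHost: evaluateNaive(HOST_PROBE, SAMPLE_ITEM),   // "object": host escaped
    strictHost: tryStrict(HOST_PROBE, SAMPLE_ITEM),      // "rejected"
    naiveProto: evaluateNaive(PROTO_PROBE, SAMPLE_ITEM), // "Object": prototype walk
    strictProto: tryStrict(PROTO_PROBE, SAMPLE_ITEM),    // "rejected"
  };
}

console.log(demo());
```

The second probe is the one worth remembering: a syntactic allow-list on the expression is not enough on its own, because a legal-looking path can still climb out of the data object through `constructor` and friends. The own-property check is what keeps the evaluator inside the item.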
The Scope of the Threat
While CISA has not disclosed specific details about how the vulnerability is being exploited in the wild, data from the Shadowserver Foundation paints a concerning picture. As of early February 2026, there are over 24,700 unpatched n8n instances exposed online. Of these, more than 12,300 are located in North America, and 7,800 are in Europe. This widespread exposure increases the likelihood of successful attacks, particularly for organizations that have not yet applied the necessary patches.
Additional Vulnerabilities Discovered
The situation is further complicated by two additional critical flaws in n8n reported by Pillar Security. One of these, CVE-2026-27577 (CVSS score: 9.4), has been described as an “additional exploit” of the workflow expression evaluation system, found after CVE-2025-68613. Two practical consequences follow. First, the fixed versions listed above (1.120.4, 1.121.1 and 1.122.0) address CVE-2025-68613 only; a flaw assigned a 2026 identifier is not closed by a December 2025 release, so check n8n’s advisory for the version that fixes CVE-2026-27577 rather than assuming the earlier patch is sufficient. Second, the expression evaluator has now yielded more than one code execution bug, so the authenticated-user precondition should be treated as the effective security boundary: any account that can edit workflows should be assumed capable of running code on the host until the instance is fully patched.
Federal Agencies Under Pressure
In response, CISA has set a deadline of March 25, 2026 for Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw. The deadline follows from Binding Operational Directive 22-01, issued in November 2021, which requires FCEB agencies to remediate every vulnerability in the KEV catalog by the due date CISA assigns to it. The directive binds only federal civilian agencies, but CISA recommends that all organizations use the catalog to prioritize patching, and the deadline is a reasonable yardstick for private-sector remediation as well.
What You Should Do
For organizations using n8n, the message is clear: patch immediately. If you are running an affected version, update to the patched release for your line (1.120.4, 1.121.1, or 1.122.0) or to anything newer, and confirm the running version after the upgrade rather than trusting the deployment manifest. Because exploitation requires an authenticated account, tighten who can log in and who can create or edit workflows: remove stale users, enforce strong authentication, and review existing workflows for expressions nobody recognizes. Keep instances off the public internet unless there is a genuine need, and put them behind a VPN or an authenticating reverse proxy otherwise. If an exposed instance ran an affected version for any length of time, treat the credentials it stores as potentially compromised and rotate them.
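A small inventory check, added here as an example and not taken from n8n or CISA, that decides whether a reported n8n version is patched for CVE-2025-68613 using only the fixed versions named in this article. It encodes the per-line semantics of the fix list (1.120.x is fixed from 1.120.4, 1.121.x from 1.121.1, and everything from 1.122.0 upward), which a naive “greater than 1.120.4” comparison gets wrong for 1.121.0. The inventory and the settings payload are constructed sample data; the assumption that an n8n instance reports its version as `data.versionCli` in the JSON served at `/rest/settings` is mine and should be verified against your own instance before relying on it. The check covers CVE-2025-68613 only; CVE-2026-27577 has its own fixed version and needs a separate rule.

```javascript
// Inventory check for CVE-2025-68613. Added example, not n8n's or CISA's code.
// Fixed versions per the advisory as reported in the article above.
const FIXED_FOR_CVE_2025_68613 = [[1, 120, 4], [1, 121, 1], [1, 122, 0]];

// Parse "1.120.3", "v1.120.3" or "1.120.3-rc.1" into [major, minor, patch].
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new Error(`unparseable version: ${s}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Patched if the version is at or above the fix for its own minor line, or at
// or above the first minor line (1.122.0) that ships with the fix. Anything
// older than 1.120.0 is affected; 2.x and later are at or above 1.122.0.
function isPatchedForCve202568613(version) {
  const v = parseVersion(version);
  const sameLine = FIXED_FOR_CVE_2025_68613.find(f => f[0] === v[0] && f[1] === v[1]);
  if (sameLine) return compareVersions(v, sameLine) >= 0;
  const firstFixedLine = FIXED_FOR_CVE_2025_68613[FIXED_FOR_CVE_2025_68613.length - 1];
  return compareVersions(v, firstFixedLine) >= 0;
}

// ASSUMPTION (not confirmed by the article): the settings JSON an n8n
// instance serves carries its version under data.versionCli. Constructed
// sample payload below; adjust the key if your instance reports it elsewhere.
const SAMPLE_SETTINGS = JSON.stringify({ data: { versionCli: "1.120.3", endpointRest: "rest" } });

function versionFromSettings(body) {
  const parsed = JSON.parse(body);
  const v = parsed && parsed.data && parsed.data.versionCli;
  if (typeof v !== "string") throw new Error("versionCli not found in settings payload");
  return v;
}

// Constructed inventory, as an asset-management export might produce it.
const INVENTORY = [
  { host: "n8n-prod.example.internal",    version: "1.120.3" },
  { host: "n8n-staging.example.internal", version: "1.121.1" },
  { host: "n8n-legacy.example.internal",  version: "1.95.0"  },
  { host: "n8n-new.example.internal",     version: "1.123.0" },
];

// Return the hosts that still need the CVE-2025-68613 fix.
function auditInventory(inventory) {
  return inventory
    .filter(e => !isPatchedForCve202568613(e.version))
    .map(e => e.host);
}

console.log("needs patch:", auditInventory(INVENTORY));
console.log("sample settings reports:", versionFromSettings(SAMPLE_SETTINGS));
```

Run it against your real inventory export and treat any host it lists as unpatched until the version has been confirmed on the box itself.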
The Bigger Picture
This incident serves as a stark reminder of the importance of timely software updates and proactive cybersecurity measures. As workflow automation platforms like n8n become increasingly integral to business operations, they also become attractive targets for cybercriminals. Organizations must remain vigilant, stay informed about emerging threats, and prioritize the security of their digital infrastructure.
In the words of CISA, “Cybersecurity is a shared responsibility.” By taking swift action to address vulnerabilities like CVE-2025-68613, we can collectively reduce the risk of cyberattacks and protect our critical systems from exploitation.