
CISA Flags Actively Exploited n8n RCE Bug as 24,700 Instances Remain Exposed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw affecting n8n to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability, tracked as CVE-2025-68613 (CVSS score: 9.9), concerns a case of expression injection that leads to remote code execution. The security shortcoming was patched by n8n in December 2025 in versions 1.120.4, 1.121.1, and 1.122.0. CVE-2025-68613 is the first n8n vulnerability to be placed in the KEV catalog.

“n8n contains an improper control of dynamically-managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution,” CISA said.

According to the maintainers of the workflow automation platform, the vulnerability could be weaponized by an authenticated attacker to execute arbitrary code with the privileges of the n8n process.

Successful exploitation of the flaw could result in a complete compromise of the instance, enabling the attacker to access sensitive data, modify workflows, or execute system-level operations.


There are currently no details on how the vulnerability is being exploited in the wild. Data from the Shadowserver Foundation shows that there are more than 24,700 unpatched instances exposed online, with more than 12,300 of them located in North America and 7,800 in Europe as of early February 2026.
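As an added illustration (not code from n8n or from the article), the following JavaScript classifies a version string reported by an n8n instance against the three fix releases named above, so that an inventory of exposed instances can be triaged. It assumes that 1.120.4, 1.121.1 and 1.122.0 are the first fixed builds on their respective branches and that every version below 1.120.4 is affected; the hostnames and versions in the sample inventory are constructed.

```javascript
// Added example, not n8n project code: classify an n8n version against the
// CVE-2025-68613 fix releases named in the article (1.120.4, 1.121.1, 1.122.0).
// Assumes each is the first fixed build on its branch and everything below 1.120.4 is affected.
const CVE_2025_68613_FIXED = [[1, 120, 4], [1, 121, 1], [1, 122, 0]];

// Parse "1.121.0", "v1.121.0" or "1.121.0-rc.1" into [major, minor, patch];
// returns null for anything that is not a dotted numeric version.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(version).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Lexicographic comparison of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version predates the fix on its branch; unparseable input
// throws rather than quietly counting as "patched".
function isVulnerableToCve202568613(version) {
  const v = parseVersion(version);
  if (v === null) throw new Error(`unparseable n8n version: ${version}`);
  // On a branch that received a backported fix, only the patch level decides.
  const branchFix = CVE_2025_68613_FIXED.find((f) => f[0] === v[0] && f[1] === v[1]);
  if (branchFix) return compareVersions(v, branchFix) < 0;
  // Off those branches: older than the first fix is affected, newer is not.
  return compareVersions(v, CVE_2025_68613_FIXED[0]) < 0;
}

// Split an inventory of {host: reportedVersion} into vulnerable, patched and
// unknown (unparseable) hosts; unknown hosts still need a manual check.
function triageInventory(inventory) {
  const result = { vulnerable: [], patched: [], unknown: [] };
  for (const [host, version] of Object.entries(inventory)) {
    try {
      (isVulnerableToCve202568613(version) ? result.vulnerable : result.patched).push(host);
    } catch {
      result.unknown.push(host);
    }
  }
  return result;
}

// Constructed sample inventory: hostnames and versions are made up for the demo.
const SAMPLE_INVENTORY = { "n8n-a.example.test": "1.120.3", "n8n-b.example.test": "1.121.1",
  "n8n-c.example.test": "v1.122.2", "n8n-d.example.test": "unknown" };
console.log(triageInventory(SAMPLE_INVENTORY));
```

The version string alone says nothing about CVE-2026-27577, whose fixed releases the article does not list, so a host reported as patched here still needs checking against that advisory.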

The addition of CVE-2025-68613 comes as Pillar Security disclosed two critical flaws in n8n, one of which – CVE-2026-27577 (CVSS score: 9.4) – has been described as “additional exploits” found in the workflow expression evaluation system following CVE-2025-68613.

Federal Civilian Executive Branch (FCEB) agencies have been ordered to patch their n8n instances by March 25, 2026, as mandated by Binding Operational Directive (BOD) 22-01 issued in November 2021.
