CYBER

CISA Mandates Federal Patch for Critical n8n RCE Vulnerability Under Active Exploitation


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding directive, compelling federal civilian agencies to urgently patch a critical remote code execution (RCE) vulnerability in the n8n workflow automation platform. Tracked as CVE-2025-68613, this flaw is confirmed to be under active exploitation by threat actors. The order, issued on Wednesday, adds the vulnerability to CISA's Known Exploited Vulnerabilities (KEV) catalog, requiring agencies to apply the available security updates by a specified deadline to mitigate the immediate risk.

n8n is a powerful, open-source workflow automation tool that has become integral to modern AI development and IT operations, particularly for automating complex data ingestion and processing pipelines. Its popularity is significant, with over 50,000 weekly downloads on the npm registry and more than 100 million pulls on Docker Hub. This widespread adoption, combined with its core function, makes it a high-value target. As an automation hub, n8n instances frequently store and manage a vast array of highly sensitive credentials, including API keys, database passwords, OAuth tokens, and cloud service access secrets. A compromise of an n8n server can therefore provide attackers with a treasure trove of data and a potent launchpad for further network intrusion.

The vulnerability, CVE-2025-68613, stems from an "improper control of dynamically managed code resources" within n8n's workflow expression evaluation system. In practical terms, this flaw allows an authenticated attacker—someone with valid user credentials—to execute arbitrary code on a vulnerable n8n server. This code runs with the privileges of the n8n process itself, which could grant an attacker full control over the instance. The n8n development team warns that successful exploitation could lead to a complete system compromise, enabling unauthorized access to all stored sensitive data, malicious modification of automated workflows, and the execution of system-level commands on the underlying host.

The n8n team addressed this critical security hole in December 2024 with the release of version 1.122.0. CISA's directive now formalizes and accelerates the patching process for the federal government, but the warning extends to all organizations using the platform. Security administrators in both public and private sectors are strongly advised to immediately upgrade their n8n deployments to version 1.122.0 or later. Given the platform's role in handling critical authentication secrets, any delay in patching poses a severe risk, potentially allowing attackers to steal credentials, pivot to other systems, and disrupt essential automated business processes.
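Because the only fix the article describes is upgrading to 1.122.0 or later, the first practical step for a defender is to find every n8n instance that is still below that version. The following is an added example, not code from the article or from the n8n project: it compares a version string (assumed to be the plain semver reported by the installed n8n package, e.g. the `version` field of its package.json) against the fixed release and triages a constructed inventory of hosts. Hostnames and versions in the inventory are made up for illustration.

```javascript
// Added example (not from the article or the n8n project): triage an inventory of
// n8n instances against the fixed version the article names (1.122.0).
// Assumes each instance reports its version as a semver string such as "1.121.3".
const FIXED_VERSION = "1.122.0"; // first release the article says contains the fix

// Parse "MAJOR.MINOR.PATCH" with an optional leading "v" and an optional
// pre-release tag ("1.122.0-rc.1"). Anything else is rejected loudly rather
// than silently classified.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ?? null };
}

// Semver ordering: numeric fields first; a pre-release sorts before its final
// release. Pre-release tags are compared as plain strings here, which is a
// simplification of full semver but sufficient for a patch-level check.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;   // final release > pre-release
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : pa.pre > pb.pre ? 1 : 0;
}

// An instance counts as patched only at 1.122.0 or later; a 1.122.0 pre-release
// build is treated as unpatched because it predates the final fixed release.
function isPatched(version) {
  return compareVersions(version, FIXED_VERSION) >= 0;
}

// Constructed sample inventory (hostnames and versions are made up).
const inventory = [
  { host: "n8n-prod-01.example.internal", version: "1.121.3" },
  { host: "n8n-prod-02.example.internal", version: "1.122.0" },
  { host: "n8n-dev.example.internal",     version: "1.122.0-rc.1" },
  { host: "n8n-lab.example.internal",     version: "v1.130.2" },
];

// Produce one triage row per instance so the result can be fed to a ticketing
// or reporting step.
function triage(instances) {
  return instances.map(({ host, version }) => ({
    host,
    version,
    status: isPatched(version) ? "patched" : `VULNERABLE: upgrade to >= ${FIXED_VERSION}`,
  }));
}

for (const row of triage(inventory)) {
  console.log(`${row.host}\t${row.version}\t${row.status}`);
}
```

Two points worth carrying into the remediation plan: the flaw requires an authenticated user, so the list of accounts able to log in to each instance is part of the exposure, and because the article notes that a compromised instance exposes every stored credential, any instance found to have run unpatched while exposed should have its stored API keys, database passwords, OAuth tokens and cloud secrets rotated, not just the software upgraded.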
