
Critical n8n RCE Vulnerability Actively Exploited, Over 24,000 Instances Remain Unpatched


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has escalated its warning about a severe vulnerability in the popular workflow automation platform n8n. The flaw, cataloged as CVE-2025-68613 and carrying a near-maximum CVSS score of 9.9, has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog on the basis of confirmed exploitation in the wild. This is the first n8n vulnerability to appear on that high-priority list, signaling an urgent and widespread threat. The vulnerability is an expression injection flaw in n8n's workflow expression evaluation system: an authenticated attacker can supply a crafted expression that, instead of being evaluated as workflow data, is executed as code, yielding remote code execution (RCE) with the privileges of the n8n process itself.
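To make the bug class concrete, the following is an added illustration and not n8n's code or a reproduction of CVE-2025-68613: a naive `{{ ... }}` template renderer that hands expression text to the JavaScript engine (so any expression an authenticated user can author runs with the process's privileges), beside a hardened renderer that never executes code and only resolves dotted field paths. The `$json` root, the regular expressions and the sample item are assumptions chosen for the example.

```javascript
// Added example (not n8n code): expression injection in a template evaluator,
// vulnerable form beside a hardened form. Names and inputs are constructed.

const EXPR_RE = /\{\{(.*?)\}\}/g;

// VULNERABLE: the expression text is compiled and run as JavaScript. Anyone who
// can author an expression can reach Node globals such as `process`, so
// "workflow data" silently becomes code execution under the service account.
function renderUnsafe(template, item) {
  return template.replace(EXPR_RE, (_, expr) =>
    String(new Function("$json", `return (${expr});`)(item))
  );
}

// HARDENED: no code execution at all. Only a dotted path rooted at $json is
// accepted, and each step is an own-property lookup, so `process.pid`,
// `$json.constructor.constructor('...')()` or `__proto__` walks cannot run or
// escape into prototypes. Anything else is rejected loudly rather than guessed.
const PATH_RE = /^\$json(?:\.[A-Za-z_][A-Za-z0-9_]*)+$/;

function resolvePath(expr, item) {
  const trimmed = expr.trim();
  if (!PATH_RE.test(trimmed)) {
    throw new Error(`rejected expression: ${JSON.stringify(trimmed)}`);
  }
  let cur = item;
  for (const key of trimmed.split(".").slice(1)) {
    // hasOwnProperty stops prototype-chain reads (constructor, __proto__, ...)
    if (cur === null || typeof cur !== "object" ||
        !Object.prototype.hasOwnProperty.call(cur, key)) {
      return undefined; // missing field is data, not an error
    }
    cur = cur[key];
  }
  return cur;
}

function renderSafe(template, item) {
  return template.replace(EXPR_RE, (_, expr) => String(resolvePath(expr, item)));
}

// Constructed sample item standing in for one workflow item.
const sampleItem = { name: "alice", order: { id: 42 } };

// Legitimate use works in both renderers...
console.log(renderUnsafe("Hi {{ $json.name }} #{{ $json.order.id }}", sampleItem));
console.log(renderSafe("Hi {{ $json.name }} #{{ $json.order.id }}", sampleItem));
// ...but only the unsafe one lets an expression touch the process.
console.log(renderUnsafe("{{ typeof process.pid }}", sampleItem)); // "number"
try {
  renderSafe("{{ typeof process.pid }}", sampleItem);
} catch (e) {
  console.log(e.message); // rejected expression: "typeof process.pid"
}
```

The hardened variant deliberately supports far less than a real expression language; the point is that whatever an expression engine does support has to be implemented by the engine, not delegated to `eval`, `new Function` or a sandbox whose boundary is the attack surface.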

Successful exploitation gives an attacker complete control of the affected n8n instance. Because n8n stores the credentials its workflows use and sees every payload they process, that access lets threat actors exfiltrate sensitive data flowing through automated workflows, quietly modify or sabotage business logic, and run arbitrary system-level commands on the host. The n8n maintainers released fixes for the issue in December 2025 in versions 1.120.4, 1.121.1 and 1.122.0. Despite the availability of fixes, Shadowserver Foundation telemetry shows slow uptake: as of early February 2026, more than 24,700 internet-exposed n8n instances still report versions without the fix. North America hosts the largest share of these systems (over 12,300), followed by Europe (approximately 7,800).

The urgency is underscored by a related disclosure from Pillar Security. Its researchers identified two further critical flaws in n8n, one of which, tracked as CVE-2026-27577 with a CVSS score of 9.4, they describe as "additional exploits" in the same workflow expression evaluation system affected by CVE-2025-68613. That suggests the initial patch did not fully close the underlying architectural weakness, or that attackers are finding new paths through the same component. The practical consequence for defenders is that upgrading to the first fixed release for CVE-2025-68613 is a floor, not a finish line: confirm that the version you deploy also covers the later Pillar-reported flaws. In response to the active threats, CISA has directed all Federal Civilian Executive Branch (FCEB) agencies to patch their n8n deployments by March 25, 2026, under Binding Operational Directive (BOD) 22-01.

The widespread exposure of n8n instances, combined with the severity of exploitation, creates a large attack surface for both targeted and opportunistic threat actors. Organizations using n8n for business process automation, data integration, or as a component of AI agent workflows should treat this as a top priority. Immediate action is required: administrators must verify the running n8n version against the fixed releases listed above, apply the relevant security updates, and ensure instances are not unnecessarily exposed to the public internet. Because the flaw requires an authenticated user, it is also worth reviewing who holds accounts on each instance and whether the editor sits behind SSO or a VPN; and because a compromised instance exposes every credential it stores, instances that ran unpatched while reachable from the internet should be reviewed for unexpected workflow edits and have their stored credentials rotated. More broadly, the incident highlights the risk inherent in low-code/no-code and workflow automation platforms, where powerful functionality can outpace security controls, making rigorous vulnerability management and network segmentation essential.
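The version check above is easy to get wrong across n8n's three fix branches, so here is an added triage helper (not an n8n tool) that classifies version strings from an inventory, such as Docker image tags or `n8n --version` output, against the fixed releases the article lists. It assumes, which the page does not state outright, that every release older than the fix on its branch is affected and that anything newer than 1.122.0 carries the fix; confirm that against the vendor advisory. The inventory entries are constructed.

```javascript
// Added example, not n8n code: triage n8n version strings against the fix
// releases reported for CVE-2025-68613 (1.120.4, 1.121.1, 1.122.0).
// Assumption: older than the fix on its branch => affected; newer than
// 1.122.0 => fixed. Verify against the vendor advisory before relying on it.

const FIX_VERSIONS = ["1.120.4", "1.121.1", "1.122.0"];

// Extract major.minor.patch and a pre-release flag from "1.120.4", "v1.120.4",
// "1.122.0-rc.1" or a Docker tag such as "n8nio/n8n:1.121.1".
function parseVersion(v) {
  const m = /(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${JSON.stringify(v)}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: Boolean(m[4]) };
}

function isPatched(v) {
  const { major, minor, patch, pre } = parseVersion(v);
  if (major > 1) return true;   // assumption: later major lines include the fix
  if (major < 1) return false;
  for (const fix of FIX_VERSIONS) {
    const f = parseVersion(fix);
    if (minor === f.minor) {
      if (patch !== f.patch) return patch > f.patch;
      return !pre;              // 1.122.0-rc.1 precedes 1.122.0, so unpatched
    }
  }
  // Minor lines not listed: anything before 1.120 predates all fixes,
  // anything after 1.122 postdates them (assumption).
  return minor > 122;
}

// Split an inventory of { host, version } into patched and unpatched lists.
function triage(inventory) {
  const patched = [], unpatched = [], unknown = [];
  for (const entry of inventory) {
    try {
      (isPatched(entry.version) ? patched : unpatched).push(entry.host);
    } catch (e) {
      unknown.push(entry.host); // unparseable tags must not be assumed safe
    }
  }
  return { patched, unpatched, unknown };
}

// Constructed inventory, the kind of list an asset scan would produce.
const inventory = [
  { host: "n8n-prod.example.internal", version: "n8nio/n8n:1.120.3" },
  { host: "n8n-staging.example.internal", version: "1.121.1" },
  { host: "n8n-lab.example.internal", version: "v1.122.0-rc.1" },
  { host: "n8n-dev.example.internal", version: "1.123.2" },
  { host: "n8n-legacy.example.internal", version: "latest" },
];
console.log(triage(inventory));
```

The `unknown` bucket exists on purpose: a `latest` tag tells you nothing about what is actually running, and a triage script that silently treats it as patched will hide exactly the hosts that need a manual look.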
