CISA says n8n critical bug exploited in real-world attacks • The Register


The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that hackers are exploiting a max-severity remote code execution (RCE) vulnerability in workflow automation platform n8n.

CISA urged all federal civilian executive branch (FCEB) agencies to patch CVE-2025-68613 at once because it carries a near-perfect 9.9 vulnerability score.

The bug was first disclosed in December, and vendors such as Resecurity said that of n8n’s roughly 230,000 active users, more than 103,000 appeared to be vulnerable.

CVE-2025-68613 can lead to RCE on the open source workflow automation platform, with potential consequences ranging from simple data theft to full-blown supply chain compromise.

The vulnerability lies in n8n's expression evaluation engine; the platform is commonly used to automate operational tasks across systems.

n8n’s advisory states that, under certain conditions, authenticated attackers can inject payloads into expressions that are then executed without validation.

“Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations,” it said.

In plain terms, it means that an attacker with access to a low-privilege account could assume control of the entire n8n instance and abuse it to potentially access secrets such as passwords or push malicious code by modifying workflows, among other nastiness.

n8n patched the bug in v1.122.0, but given CISA’s notice adding it to the KEV list, it seems as though some orgs have not been upgrading.

FCEB agencies have until March 25 to ensure they’re running the safe version.

The project maintainers have endured some difficult weeks since CVE-2025-68613 was first disclosed. Although the patch for the 9.9 vulnerability worked, the project was forced to spend time devising other fixes after Cyera researchers notified it of a 10.0 severity bug they coined “ni8mare.”

CVE-2026-21858 (10.0) is another RCE bug disclosed at the start of the year, although this one allowed attackers free rein of an n8n instance without the need for authentication, thanks to improper handling of webhooks.

Then came a collection of vulnerabilities in early February tracked under the single CVE identifier CVE-2026-25049 (CVSS 9.4).

n8n said these flaws more closely resembled CVE-2025-68613, providing additional ways to exploit the platform’s expression evaluation engine.

“Additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613,” n8n said in an advisory.

“An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n.” ®
