Citing evidence of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw affecting n8n to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, CVE-2025-68613 (CVSS score: 9.9), is an expression injection flaw that allows remote code execution. n8n patched it in December 2025 in versions 1.120.4, 1.121.1, and 1.122.0.
The first n8n vulnerability to be added to the KEV catalog is CVE-2025-68613. "N8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution," CISA said.
The maintainers of the workflow automation platform say an authenticated attacker could exploit the flaw to run arbitrary code with the same permissions as the n8n process. Successful exploitation could fully compromise the instance, giving the attacker access to sensitive data, the ability to modify workflows, or the ability to perform system-level operations. No details are currently available on how the vulnerability is being exploited in the wild.
As of early February 2026, the Shadowserver Foundation says that there are more than 24,700 unpatched instances online. More than 12,300 of these are in North America and 7,800 are in Europe.
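A defender's first question after a KEV addition is which hosts in their own inventory still run an unpatched build. The following is an added example, not code from the article or from the n8n project: it compares an n8n version string against the three fix releases named above (1.120.4, 1.121.1, 1.122.0), one per minor line. It assumes, since the article gives no affected-range statement, that every release before the earliest fixed minor line is affected and that any minor line newer than the latest fixed one carries the fix; the hostnames and versions in `SAMPLE_INVENTORY` are constructed.

```python
"""Check n8n version strings against the CVE-2025-68613 fix releases (added example)."""
import re

# Fix releases named in the advisory coverage, one per minor line.
FIXED_VERSIONS = ("1.120.4", "1.121.1", "1.122.0")


def parse_version(v):
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v') into an int tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version, fixed=FIXED_VERSIONS):
    """Return True if `version` is at or above the fix release for its minor line.

    Assumption (not stated in the article): releases older than the earliest
    fixed minor line are affected, and minor lines newer than the latest fixed
    one already contain the fix.
    """
    major, minor, patch = parse_version(version)
    fixes = sorted(parse_version(f) for f in fixed)
    for fmajor, fminor, fpatch in fixes:
        if (major, minor) == (fmajor, fminor):
            # Same minor line as a fix release: the patch number decides.
            return patch >= fpatch
    # No fix release on this exact minor line: it is fixed only if it is
    # newer than the newest fixed line (e.g. 1.123.x, 2.0.x).
    return (major, minor) > fixes[-1][:2]


def triage(inventory):
    """Given {hostname: version}, return the sorted list of hosts still unpatched."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "n8n-prod-01": "1.120.3",   # 1.120 line, below 1.120.4 -> unpatched
    "n8n-prod-02": "1.120.4",   # exactly the fix -> patched
    "n8n-stage-01": "1.121.0",  # 1.121 line, below 1.121.1 -> unpatched
    "n8n-dev-01": "v1.122.0",   # first fixed release of the 1.122 line
    "n8n-legacy": "1.119.9",    # older minor line -> unpatched (by assumption)
    "n8n-new": "1.123.2",       # newer minor line -> patched (by assumption)
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs patching for CVE-2025-68613")
```

Run it against an exported host list to get a patch worklist; the version strings can come from an asset inventory or from the version reported by each instance's own settings page.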
Pillar Security separately disclosed two other serious flaws in n8n, one of which, CVE-2026-27577 (CVSS score: 9.4), has been described as "additional exploits" in the workflow expression evaluation system, found after CVE-2025-68613. Under Binding Operational Directive (BOD) 22-01, issued in November 2021, Federal Civilian Executive Branch (FCEB) agencies are required to patch their n8n instances by March 25, 2026.