CISA warns max-severity n8n bug is being exploited in the wild

Summary

The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of a maximum-severity remote code execution (RCE) vulnerability in the n8n workflow automation platform (CVE-2025-68613), which carries a CVSS score of 9.9. The flaw allows authenticated attackers to inject and execute expressions, potentially enabling full compromise of an n8n instance, theft of stored secrets and modification of workflows.

n8n released a patch in v1.122.0, but CISA added the issue to its Known Exploited Vulnerabilities (KEV) list after reports that many installations remain vulnerable. CISA has instructed federal civilian executive branch (FCEB) agencies to apply the patch by 25 March 2026.

This incident follows several other high-severity n8n vulnerabilities disclosed since December, including an unauthenticated 10.0 RCE (CVE-2026-21858) and additional expression-evaluation issues tracked under CVE-2026-25049.

Key Points

  • CISA confirmed real-world exploitation of CVE-2025-68613 (n8n RCE), scored CVSS 9.9.
  • The flaw lets an authenticated user inject expressions that are executed without proper validation, risking full instance compromise.
  • n8n patched the vulnerability in v1.122.0, but large numbers of users reportedly remain vulnerable.
  • CISA ordered FCEB agencies to patch by 25 March 2026 to mitigate active attacks.
  • n8n has faced multiple serious vulnerabilities recently, including CVE-2026-21858 (10.0, unauthenticated RCE) and CVE-2026-25049 (collection of high-severity issues).

Context and Relevance

n8n is widely used to automate operational tasks across systems; compromising an instance can expose secrets, allow supply-chain tampering and let attackers execute system-level commands. The combination of a near-perfect CVSS score and confirmed exploitation raises the urgency for organisations running n8n — especially those exposing instances to the internet or using low-privilege accounts for automations.

This alert sits alongside an industry trend: automation and integration platforms are lucrative targets because they often hold credentials and can act as pivot points. The repeated discovery of serious expression-evaluation flaws in n8n highlights the broader risk in platforms that evaluate user-supplied expressions or code.

Why should I read this

Short version: if you run n8n, stop what you’re doing and check your version. This isn’t theoretical: attackers are already using the bug. Patch to v1.122.0 (or later) and audit accounts and workflows now; otherwise your automation server could become a full-blown compromise avenue.
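The version check above is the first thing most teams will script. The following is an added example, not code from the article, from n8n or from CISA: it parses n8n version strings as collected from an inventory (however you obtain them), compares them against v1.122.0, the only fixed version the article names, and orders the results so internet-exposed unpatched instances come first. Everything below the fixed-version constant is an assumption of this example: the host names and versions are constructed sample data, the "internet_exposed" flag is a field you would populate from your own asset data, and pre-release builds of 1.122.0 are treated conservatively as unpatched.

```python
"""Triage an n8n inventory against the fix for CVE-2025-68613.

Added example, not the article's or n8n's own code. The only fact taken
from the article is the fixed version (v1.122.0); the inventory below is
constructed sample data and the priority scheme is this example's own.
"""
import re

# From the article: n8n patched CVE-2025-68613 in v1.122.0.
FIXED_VERSION = "1.122.0"

# Accepts "1.121.2", "v1.121.2" and pre-release tags such as "1.122.0-rc.1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text):
    """Turn a version string into a tuple that compares in release order.

    A final release sorts above a pre-release with the same numbers, so
    1.122.0-rc.1 < 1.122.0. Raises ValueError for strings that are not
    versions at all (e.g. the container tag "latest").
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a semantic version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    return (major, minor, patch, 1 if pre is None else 0, pre or "")


def is_vulnerable(version_text):
    """True when the instance runs anything older than the fixed version."""
    return parse_version(version_text) < parse_version(FIXED_VERSION)


# Constructed sample inventory; hosts, versions and exposure are made up.
SAMPLE_INVENTORY = [
    {"host": "auto-prod-01", "version": "1.121.2", "internet_exposed": True},
    {"host": "auto-int-02", "version": "v1.118.0", "internet_exposed": False},
    {"host": "auto-dev-03", "version": "1.122.0", "internet_exposed": True},
    {"host": "auto-lab-04", "version": "latest", "internet_exposed": False},
    {"host": "auto-stage-05", "version": "1.122.0-rc.1", "internet_exposed": False},
]

# This example's own ordering: exposed and unpatched first, then internal
# unpatched, then hosts whose version could not be confirmed, then patched.
PRIORITY = {"vulnerable-exposed": 1, "vulnerable-internal": 2, "unknown": 3, "patched": 4}


def classify(entry):
    """Map one inventory entry to a status key from PRIORITY."""
    try:
        vulnerable = is_vulnerable(entry["version"])
    except ValueError:
        # A tag like "latest" proves nothing; it must be checked by hand.
        return "unknown"
    if not vulnerable:
        return "patched"
    return "vulnerable-exposed" if entry["internet_exposed"] else "vulnerable-internal"


def triage(inventory):
    """Return inventory rows with a status, sorted by patch priority then host."""
    rows = [{**entry, "status": classify(entry)} for entry in inventory]
    return sorted(rows, key=lambda r: (PRIORITY[r["status"]], r["host"]))


def main():
    for row in triage(SAMPLE_INVENTORY):
        print(f"P{PRIORITY[row['status']]}  {row['host']:<14} {row['version']:<14} {row['status']}")


if __name__ == "__main__":
    main()
```

Hosts reported as "unknown" are not safe, only unverified: a container tag such as "latest" says nothing about what is actually running, so those instances need their real version read from the running process before they drop off the list.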

Author style

Punchy: this is urgent and practical. The story matters because the vulnerability is high-scoring, actively exploited and affects a popular automation tool — which means real risk to organisations that use n8n for integrations, credentials storage or workflow execution. If you’re responsible for security or ops, the details here are worth acting on immediately.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/03/12/cisa_n8n_rce/