CISA Adds n8n RCE Flaw to KEV as 24,700 Instances Sit Exposed

CISA added a critical n8n workflow automation vulnerability to its Known Exploited Vulnerabilities catalog on March 11, marking the first time the popular open-source platform has appeared in the federal tracking list. Over 24,700 unpatched instances remain exposed online.

TL;DR

• What happened: CISA added CVE-2025-68613 to KEV after confirming active exploitation
• Who's affected: Organizations running n8n versions prior to 1.120.4
• Severity: CVSS 9.9 - Critical
• Action required: Patch to version 1.120.4, 1.121.1, or 1.122.0 immediately

The Vulnerability

CVE-2025-68613 is an expression injection flaw in n8n's workflow expression evaluation system. An authenticated attacker can exploit the bug to execute arbitrary code with the same privileges as the n8n process itself.

Successful exploitation gives attackers complete control over the affected instance. From there, they can access sensitive workflow data, modify automation pipelines, pivot to connected systems, or execute commands directly on the underlying server.

The vulnerability affects all n8n versions before 1.120.4. Patches landed in December 2025, but adoption has been slow.

Exposure Remains High

Security researchers tracking vulnerable instances found troubling numbers. As of early March 2026:

• 24,700+ unpatched n8n servers are internet-accessible
• 12,300 of those sit in North America
• 7,800 are located in Europe
• Remaining instances spread across Asia-Pacific and other regions

n8n's popularity as a workflow automation tool makes it attractive to attackers. Organizations use it to connect APIs, automate business processes, and orchestrate data flows between systems. Compromising an n8n instance often means compromising everything it connects to. Similar risks affect other JavaScript-based server tools, as we saw with the jsPDF arbitrary file read vulnerability that exposed Node.js applications.

This isn't the first critical n8n flaw this year. We covered the Ni8mare vulnerability in February, which allowed unauthenticated attackers to take full control of exposed instances. That earlier bug (CVE-2026-21858) carried a perfect CVSS 10.0 score and remains a serious concern for organizations that haven't patched.

Why CISA Added It to KEV

The Known Exploited Vulnerabilities catalog tracks flaws that attackers are actively weaponizing in the wild. CISA doesn't add vulnerabilities speculatively. When something appears in KEV, exploitation is confirmed.

Under Binding Operational Directive 22-01, federal civilian agencies must remediate KEV entries within specified timeframes. For CVE-2025-68613, that deadline is March 25, 2026.

Private sector organizations aren't bound by the directive, but the KEV catalog serves as a prioritization guide. If CISA says attackers are exploiting something, it belongs at the top of your patch queue.

Attack Scenarios

The authentication requirement provides some protection, but n8n instances often have weak or default credentials. Attackers who obtain valid login credentials through credential theft campaigns or password spraying can then chain into full code execution.

Once inside, an attacker could:

1. Exfiltrate secrets - n8n workflows frequently contain API keys, database credentials, and OAuth tokens
2. Modify workflows - Insert malicious steps that execute during normal automation runs
3. Establish persistence - Create new admin accounts or backdoor existing workflows
4. Move laterally - Use stored credentials to access connected services

Patch Now

Organizations running n8n should upgrade to version 1.121.1 or later immediately. The fix has been available since December 2025.

If you can't patch immediately:

1. Restrict network access - n8n shouldn't be internet-facing without strong access controls
2. Audit accounts - Remove unnecessary users and enforce strong passwords
3. Enable MFA - Add a second authentication factor for all admin accounts
4. Monitor for anomalies - Watch for unusual workflow modifications or execution patterns

The combination of high severity, confirmed exploitation, and widespread exposure makes this one of the more urgent patches of the month. Don't wait for the March 25 deadline if you can act sooner.