CISA says n8n critical bug exploited in real-world attacks • The Register

The US Cybersecurity and Infrastructure Safety Company (CISA) has confirmed that hackers are exploiting a max-severity distant code execution (RCE) vulnerability in workflow automation platform n8n.

CISA urged all federal civilian govt department (FCEB) companies to patch CVE-2025-68613 without delay as a result of it carries a near-perfect 9.9 vulnerability rating.

The bug was first disclosed in December, and distributors similar to Resecurity mentioned that of n8n’s roughly 230,000 energetic customers, greater than 103,000 gave the impression to be weak.

CVE-2025-68613 can result in RCE on the open supply workflow automation platform, with potential penalties starting from easy information theft to full-blown provide chain compromise.

The vulnerability impacts n8n and its expression analysis engine, that are generally used to automate operational duties throughout programs.

n8n’s advisory states that, beneath sure situations, authenticated attackers can inject payloads into expressions which are then executed with out validation.

“Profitable exploitation could result in full compromise of the affected occasion, together with unauthorized entry to delicate information, modification of workflows, and execution of system-level operations,” it mentioned.

In plain phrases, it signifies that an attacker with entry to a low-privilege account may assume management of your entire n8n occasion and abuse it to probably entry secrets and techniques similar to passwords or push malicious code by modifying workflows, amongst different nastiness.

n8n patched the bug in v1.122.0, however given CISA’s notice including it to the KEV listing, it appears as if some orgs haven’t been upgrading.

FCEB companies have till March 25 to make sure they’re working the secure model.

The venture maintainers have endured some tough weeks since CVE-2025-68613 was first disclosed. Though the patch for the 9.9 vulnerability labored, the venture was compelled to spend time devising different fixes after Cyera researchers notified it of a ten.0 severity bug they coined “ni8mare.”

CVE-2026-21858 (10.0) is one other RCE bug disclosed firstly of the 12 months, though this one allowed attackers free rein of an n8n occasion with out the necessity for authentication, due to improper dealing with of webhooks.

Then got here a set of vulnerabilities in early February tracked beneath the only CVE identifier CVE-2026-25049 (CVSS 9.4).

n8n mentioned these flaws extra carefully resembled CVE-2025-68613, offering extra methods to take advantage of the platform’s expression analysis engine.

“Further exploits within the expression analysis of n8n have been recognized and patched following CVE-2025-68613,” n8n said in an advisory. 

“An authenticated consumer with permission to create or modify workflows may abuse crafted expressions in workflow parameters to set off unintended system command execution on the host working n8n.” ®