
CISA adds n8n RCE flaw to list of known exploited vulnerabilities


The Cybersecurity and Infrastructure Security Agency (CISA) added a remote code execution (RCE) flaw in the open-source workflow automation platform n8n to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday, requiring federal agencies to patch within two weeks.

The vulnerability, tracked as CVE-2025-68613, was first disclosed and patched in December 2025. The flaw could enable an authenticated attacker to execute arbitrary code with the same privileges as the n8n process, potentially leading to unauthorized data access, execution of system-level operations and a complete compromise of the affected instance, n8n said.

CVE-2025-68613 was given a CVSS score of 9.9 by n8n and 8.8 by the National Institute of Standards and Technology (NIST). It affects n8n versions starting with 0.211.0 and before the patched versions: 1.120.4, 1.121.1 and 1.122.0.
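For vulnerability-management teams checking an inventory against the version ranges above, here is an added example of a version classifier (not code from the article or the n8n project). It assumes that the three fixed releases named on the page are the first patched builds on three branches (1.120.x, 1.121.x and 1.122.0 onward), so an instance on the 1.120 branch below 1.120.4, or on the 1.121 branch below 1.121.1, is treated as exposed, as is everything from 0.211.0 up to 1.120. The hostnames and versions in the sample inventory are constructed.

```javascript
// Added example: classify n8n version strings against the CVE-2025-68613
// ranges reported in the article. Not part of the article or n8n itself.
// Assumption: the fixed versions 1.120.4, 1.121.1 and 1.122.0 are the first
// patched releases on their respective branches.

const AFFECTED_FROM = [0, 211, 0];            // first affected release
const FIXED_ON_BRANCH = {                      // per-branch fixed releases
  "1.120": [1, 120, 4],
  "1.121": [1, 121, 1],
};
const FIXED_FROM = [1, 122, 0];                // everything from here is patched

// Accepts "1.120.3" or "v1.120.3"; trailing suffixes like "-rc1" are ignored.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised version: ${s}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerable(versionString) {
  const v = parseVersion(versionString);
  if (compare(v, AFFECTED_FROM) < 0) return false;   // predates the affected range
  if (compare(v, FIXED_FROM) >= 0) return false;     // 1.122.0 and later
  const branch = `${v[0]}.${v[1]}`;
  if (branch in FIXED_ON_BRANCH) {
    return compare(v, FIXED_ON_BRANCH[branch]) < 0;  // below the branch's fix
  }
  return true;                                       // 0.211.0 .. 1.119.x
}

// Annotate an inventory of {host, version} records with a vulnerable flag.
function triage(inventory) {
  return inventory.map(({ host, version }) => ({
    host,
    version,
    vulnerable: isVulnerable(version),
  }));
}

// Constructed sample inventory (hostnames and versions are made up).
const SAMPLE_INVENTORY = [
  { host: "n8n-prod-01.example.internal", version: "1.120.3" },
  { host: "n8n-prod-02.example.internal", version: "1.120.4" },
  { host: "n8n-dev.example.internal", version: "0.210.2" },
  { host: "n8n-lab.example.internal", version: "v1.121.0" },
  { host: "n8n-new.example.internal", version: "1.122.0" },
];

for (const row of triage(SAMPLE_INVENTORY)) {
  console.log(`${row.host.padEnd(32)} ${row.version.padEnd(8)} ${row.vulnerable ? "VULNERABLE" : "ok"}`);
}
```

The branch-aware comparison matters: a naive "is it below 1.122.0" check would wrongly flag 1.120.4 and 1.121.1, which are the backported fixes, and a naive "is it above 1.120.4" check would wrongly clear 1.121.0.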

Several proof-of-concept exploits were published by SecureLayer7 shortly after the flaw’s disclosure, revealing how JavaScript expressions included in n8n workflows are evaluated server-side upon workflow execution and can access the global “this” context, which resolves to the Node.js execution environment.

This can allow an otherwise low-privileged attacker with the ability to create or edit n8n workflows to access privileged objects and execute arbitrary system commands, SecureLayer7 said. The flaw could be exploited either through the n8n web interface or through REST API endpoints.
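Because the issue is in how workflow expressions are evaluated, defenders running an instance that cannot be patched immediately may want to review existing workflows for expressions that reach for the global `this` context the article describes. The following is an added example (not code from the article, SecureLayer7 or n8n) of such an audit over an exported workflow JSON. It assumes the usual n8n export shape of a `nodes` array with `parameters`, and that expression-valued parameters are strings starting with `=` and containing `{{ ... }}`; the sample workflow is constructed.

```javascript
// Added example: flag n8n workflow expressions that reference the global
// `this`. Triage aid for defenders, not code from the article or n8n.
// Assumptions: expression parameters are strings beginning with "=" and
// wrapping JavaScript in {{ }}; the workflow JSON shape is simplified.

const EXPRESSION_RE = /\{\{([\s\S]*?)\}\}/g;
// `this` as a standalone identifier; "$json.this" or "thisValue" do not match.
const GLOBAL_THIS_RE = /(^|[^\w$.])this\b/;

// Recursively yield every string leaf with its path inside a parameter tree.
function* walkStrings(value, path = []) {
  if (typeof value === "string") {
    yield { path, value };
  } else if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      yield* walkStrings(value[i], [...path, String(i)]);
    }
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      yield* walkStrings(v, [...path, k]);
    }
  }
}

// Return one finding per expression that references the global `this`.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes ?? []) {
    for (const { path, value } of walkStrings(node.parameters ?? {})) {
      if (!value.startsWith("=")) continue;   // plain literal, not an expression
      for (const m of value.matchAll(EXPRESSION_RE)) {
        const body = m[1];
        if (GLOBAL_THIS_RE.test(body)) {
          findings.push({
            node: node.name,
            type: node.type,
            parameter: path.join("."),
            expression: body.trim(),
          });
        }
      }
    }
  }
  return findings;
}

// Constructed sample workflow: one ordinary expression, one that touches
// `this`, and one literal string that merely contains the word.
const SAMPLE_WORKFLOW = {
  name: "constructed-sample",
  nodes: [
    {
      name: "Set greeting", type: "n8n-nodes-base.set",
      parameters: { values: { string: [{ name: "msg", value: "=Hello {{ $json.name }}" }] } },
    },
    {
      name: "Suspicious", type: "n8n-nodes-base.set",
      parameters: { values: { string: [{ name: "x", value: "={{ JSON.stringify(this) }}" }] } },
    },
    {
      name: "Benign literal", type: "n8n-nodes-base.set",
      parameters: { values: { string: [{ name: "note", value: "this is not an expression" }] } },
    },
  ],
};

for (const f of auditWorkflow(SAMPLE_WORKFLOW)) {
  console.log(`${f.node} [${f.type}] ${f.parameter}: ${f.expression}`);
}
```

Any hit is a reason to review who last edited that workflow and through which channel (UI or REST API), since both paths are noted above as able to reach the expression engine; the scan is a review aid, not a substitute for updating to a fixed version.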

Censys previously reported in December that more than 100,000 n8n instances were potentially vulnerable to CVE-2025-68613. According to ShadowServer’s dashboard, 24,607 n8n instances remained vulnerable to CVE-2025-68613 as of Feb. 5, 2026.

Following its addition to the KEV, federal civilian executive branch (FCEB) agencies have until March 25, 2026, to resolve the flaw. The agency noted, “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”

Several other n8n vulnerabilities have been disclosed this year, including two critical sandbox escape flaws discovered by Pillar Security, two flaws affecting the expression engine and Python Code Node reported by JFrog, and two maximum-severity vulnerabilities enabling authenticated RCE and unauthenticated arbitrary file access, reported by researcher Théo Lelasseux and Cyera, respectively.
