CISA added CVE-2025-68613 to its Known Exploited Vulnerabilities catalog on March 11, 2026 — marking the first time an n8n flaw has earned that designation. Patches have been available since December 2025, yet more than 24,700 instances remain exposed and actively targeted. This is the full picture of what went wrong, how attackers are using it, and what it means for every organization running workflow automation infrastructure.
Workflow automation platforms have quietly become some of the most privileged software running inside modern organizations. They connect cloud accounts, databases, APIs, and internal services — and they do it using stored credentials that are trusted by design. When a critical flaw lands in that layer of infrastructure, the consequences extend far beyond the application itself. CVE-2025-68613 in n8n is exactly that kind of vulnerability, and its confirmed active exploitation makes it one of the more operationally significant disclosures of early 2026.
What n8n Is and Why It Is a High-Value Target
n8n is an open-source, self-hostable workflow automation platform built around a visual node-based editor. It serves as a connectivity layer between SaaS tools, internal databases, cloud services, and third-party APIs, enabling both technical and non-technical users to build automated pipelines without writing traditional application code. The platform has accumulated more than 100 million Docker pulls and serves millions of users across thousands of organizations worldwide, with significant concentrations in the United States, Germany, France, Brazil, and Singapore.
What makes n8n strategically attractive to attackers is not the platform itself — it is what the platform holds access to. A deployed n8n instance typically stores OAuth tokens, cloud provider keys, database passwords, and API credentials in a single location. Workflows routinely run with elevated permissions because they need those permissions to do their job. A successful compromise does not just hand an attacker control of the automation tool; it hands them a pre-authenticated pivot point into every system that tool was connected to.
"A compromised n8n instance doesn't just mean losing one system — it means handing attackers the keys to the kingdom." — Cyera Research Labs
The platform also supports execution of custom JavaScript and Python code directly within workflows. That capability is precisely where CVE-2025-68613 lives.
CVE-2025-68613: The Vulnerability Explained
CVE-2025-68613 carries a CVSS 3.1 score of 9.9, assigned by the GitHub CNA. CISA characterizes it as an improper control of dynamically managed code resources vulnerability within n8n's workflow expression evaluation system. In plain terms: under certain conditions, expressions supplied by authenticated users during workflow configuration are evaluated in a context that is not adequately isolated from the underlying Node.js runtime, allowing those expressions to escape the intended sandbox and execute arbitrary code on the host.
The flaw affects n8n versions starting at 0.211.0 and extending up to, but not including, the patched releases. n8n addressed the issue in December 2025 across versions 1.120.4, 1.121.1, and 1.122.0. The exploitation path requires a valid session — meaning the attacker must already be authenticated. That single prerequisite has led some to underestimate the severity, but the authentication barrier is lower than it appears in practice.
The authentication requirement is easily bypassed in several real-world scenarios. n8n instances with open registration allow any visitor to create an account. Shared multi-user deployments are common in enterprise environments where many employees have workflow editor access. Phishing or credential stuffing against a known n8n instance produces a valid session. And public proof-of-concept exploit code has been available since shortly after the December 2025 disclosure, lowering the technical barrier further.
Security firm SecureLayer7 documented the exploitation mechanics in detail, noting that malicious expressions can be delivered through multiple interfaces: the web UI during workflow creation, REST API endpoints for workflow creation and update, and webhook-triggered workflows. The code runs with the same operating system privileges as the n8n process, which in misconfigured deployments may run as root.
"N8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution." — CISA KEV Catalog entry for CVE-2025-68613
The patch introduces a FunctionThisSanitizer that intercepts the this context available to evaluated expressions, replacing the actual Node.js process object with an empty object. Before the patch, a crafted expression such as (function() { return this.process; })() returned the real process handle, granting full runtime access. After the patch, the same call returns an empty object. It is a targeted fix that addresses the specific bypass without fundamentally restructuring the expression engine — a factor that contributed to follow-on vulnerabilities being discovered in the same subsystem.
The fixes released in December 2025 (versions 1.120.4, 1.121.1, and 1.122.0) address CVE-2025-68613 specifically. Organizations should verify they are running a version that also addresses the cluster of follow-on CVEs disclosed in early 2026. The current stable releases as of this writing are 1.123.10, 2.1.5, 2.2.4, and 2.3.0.
The Broader n8n Vulnerability Cluster
CVE-2025-68613 does not stand alone. The months following its December 2025 disclosure produced a cascade of additional critical findings, turning n8n into one of the most heavily scrutinized open-source automation platforms in recent memory. Understanding the full cluster is essential for accurate risk assessment.
CVE-2026-21858 — "Ni8mare" (CVSS 10.0): Discovered by security researcher Dor Attias of Cyera Research Labs and reported to n8n on November 9, 2025, this vulnerability was patched quietly in version 1.121.0 on November 18, 2025, and publicly disclosed on January 7, 2026. Unlike CVE-2025-68613, it requires no authentication whatsoever. The flaw lives in how n8n processes webhook requests: a content-type confusion bug in the formWebhook() function allows an attacker to override an internal JSON object controlling file paths, enabling arbitrary local file reads from the server. In the right workflow configuration, that file read cascades into administrator session forgery and ultimately into code execution. Cyera's writeup demonstrated the full chain, and an independent proof-of-concept by researcher Valentin Lobstein — which chains CVE-2026-21858 with CVE-2025-68613 for unauthenticated RCE — was published the same day.
Rapid7's research arm noted that successful exploitation of Ni8mare requires a specific workflow configuration: a publicly accessible form component with file upload capability and no content-type validation, plus a mechanism to retrieve local files from the server. Horizon3.ai, after auditing customer environments, found no instances meeting the full exploitation prerequisite in their customer base, even among systems running vulnerable version numbers. The severity rating reflects maximum theoretical impact; real-world exploitability is configuration-dependent.
CVE-2026-21877 (CVSS 9.9): An authenticated RCE vulnerability affecting both self-hosted and cloud versions of n8n, impacting versions 0.123.0 through 1.121.3. This flaw enables remote code execution via arbitrary file write operations and was disclosed in early 2026 alongside the Ni8mare research.
CVE-2025-68668: An authenticated vulnerability allowing arbitrary OS command execution via the Pyodide-based Python Code node in n8n versions between 1.0.0 and 2.0.0. JFrog researchers identified this alongside a related expression engine flaw. Depending on the deployment's Python execution context, this can serve as a secondary exploitation pathway after an initial foothold is established.
CVE-2025-68697: An authenticated vulnerability enabling arbitrary file read and write within the n8n process context when the Code node is running in legacy non-task-runner JavaScript execution mode. It affects versions 1.2.1 up to 2.0.0, though default configurations in that range restrict access to the .n8n directory, narrowing the exploitable surface in standard deployments.
Rapid7 documented that CVE-2026-21858, CVE-2025-68613, CVE-2025-68668, CVE-2025-68697, and CVE-2026-21877 can be chained together, with the unauthenticated file read vulnerability serving as the initial access vector and the authenticated RCE flaws serving as escalation paths. The result is a complete attack chain from zero authentication to full system compromise on vulnerable configurations.
"N8n security woes roll on as new critical flaws bypass December fix." — The Register, March 2026
Exposure Data and the Patching Gap
The gap between patch availability and deployment tells the operational story of this vulnerability. Censys reported in December 2025 that more than 100,000 n8n instances were potentially vulnerable to CVE-2025-68613 at the time of disclosure. Resecurity, examining n8n's roughly 230,000 active users, estimated more than 103,000 appeared to be running affected versions. By February 5, 2026 — nearly two months after patches were released — ShadowServer's dashboard recorded 24,607 instances still exposed to CVE-2025-68613.
That figure represents progress: the exposed count dropped from six figures to roughly 25,000 over the patching window. But it also illustrates the persistent tail-end problem in vulnerability management. The instances that remain unpatched two months post-disclosure tend to be those with the least mature update processes: organizations with no automated patching, self-hosted instances maintained by small teams without dedicated security functions, and deployments that were stood up quickly for a project and never formally transferred to IT operations.
The exposure was geographically distributed, with significant concentrations in the United States, Germany, France, Brazil, and Singapore. For organizations in regulated sectors — healthcare, finance, critical infrastructure — an unpatched n8n instance that stores API credentials and processes sensitive data represents a compliance exposure as well as a technical one.
CISA's KEV addition on March 11, 2026 set a remediation deadline of March 25, 2026 for all Federal Civilian Executive Branch agencies, as required under Binding Operational Directive 22-01 (BOD 22-01). The agency stated that this class of vulnerability represents a frequent attack vector for malicious cyber actors and poses significant risk to the federal enterprise. The tight 14-day remediation window signals the agency's assessment that exploitation is not merely theoretical — it is ongoing.
Detection and Immediate Remediation
The primary remediation for CVE-2025-68613 is upgrading to a patched version of n8n. For organizations addressing the full vulnerability cluster, the current stable release line (1.123.x, 2.1.x, 2.2.x, 2.3.x) addresses all five CVEs. Cloud-hosted n8n instances were patched automatically by the platform team. Self-hosted deployments require manual action.
Where immediate patching is not feasible, the following mitigations reduce risk without fully eliminating it. Restricting workflow creation and editing access to the smallest necessary set of trusted administrators directly addresses the authenticated exploitation requirement. Disabling public registration removes the lowest-friction path to obtaining a valid session. Deploying n8n in a non-root OS context limits the damage radius if code execution is achieved. Network segmentation that prevents the n8n host from making arbitrary outbound connections reduces the attacker's ability to exfiltrate data or receive reverse shell connections after exploitation.
On the detection side, security teams should treat the following signals as high-confidence indicators of compromise on n8n infrastructure:
- Unexpected new nodes or modified workflow steps that send data to unfamiliar external endpoints
- The n8n process spawning shell interpreters (
sh,bash,cmd.exe) or unusual binaries - Outbound connections from the n8n host to IP addresses or domains outside the expected integration inventory
- New user accounts, unexpected privilege escalations, or API token creation not tied to a known provisioning event
- Access to sensitive files such as
.n8n/config, environment files, or/proc/self/environfrom the n8n process context
Organizations should also conduct a workflow audit as part of remediation: reviewing all existing workflows for nodes or expressions that were not provisioned by known administrators, particularly any added during the window when the instance was running a vulnerable version. The attacker workflow pattern documented by SecureLayer7 — creating a workflow that appears to serve a legitimate task but contains a hidden malicious expression — means that persistence may be embedded in the workflow catalog even after patching.
Public community workflow templates on GitHub have been identified that use the vulnerable workflow pattern (Form Trigger + file upload + Respond to Webhook node) required for CVE-2026-21858 exploitation. Organizations that import community workflows without reviewing their structure may unknowingly deploy vulnerable configurations. Review all imported workflows before enabling them in production.
Key Takeaways
- Patch immediately, verify comprehensively: CVE-2025-68613 was patched in December 2025. If your n8n instance is not running version 1.120.4, 1.121.1, 1.122.0, or any subsequent release, it is vulnerable and actively targeted. Confirm you are also covered against the full 2026 vulnerability cluster by running the current stable release.
- Authentication is not a reliable barrier: The requirement for valid credentials before exploitation reduces — but does not eliminate — risk. Open registration, shared accounts, and credential reuse all create exploitable paths. Restrict editor access to named, trusted individuals and rotate credentials associated with the n8n instance.
- Workflow automation platforms require the same security rigor as application servers: n8n's value proposition is connectivity — and that connectivity is precisely what makes a compromise so damaging. Every credential stored in n8n, every connected integration, and every downstream system the platform can reach is part of the blast radius. Treat n8n deployments as high-privilege infrastructure, not convenience tools.
- The vulnerability cluster is not finished: Three months of intensive security research on n8n produced five critical CVEs and a coordinated chained exploit. Additional researchers are actively examining the platform. Stay current with n8n security advisories and maintain a patching cadence that can respond within the 14-day window CISA has established as the federal standard.
- Audit existing workflows for persistence: Patching the platform closes the exploitation path but does not remove malicious workflows already planted by an attacker. A workflow audit is a mandatory component of remediation for any instance that was exposed during the vulnerable window.
The n8n CVE-2025-68613 disclosure is a case study in how quickly risk escalates when a critical flaw is disclosed in infrastructure that sits at the intersection of automation and credential storage. The platform's maintainers moved quickly to patch, and the majority of exposed instances have been remediated. The 24,700 that have not represent organizations that are now operating under confirmed active exploitation conditions, with a federal deadline of March 25, 2026 underscoring the urgency. For any organization running self-hosted n8n, the question is not whether to patch — it is whether patching has already been completed.
Sources: CISA KEV Catalog — The Hacker News — The Register — SC World — Rapid7 — Cyera Research — SecureLayer7 — NVD