Security News

Cybersecurity news aggregator

CRITICAL | Attacks | Source: The Register Security

CISA warns max-severity n8n bug is being exploited in the wild

CISA has confirmed active exploitation of CVE-2025-68613, a critical (CVSS 9.9) authenticated remote code execution vulnerability in the n8n workflow automation platform. An authenticated user who can create or edit workflows injects a malicious payload into a workflow expression, which n8n's expression evaluation engine then executes on the host. The vulnerability affects n8n versions from 0.211.0 up to, but not including, 1.120.4, as well as version 1.121.0. The fixed versions are n8n 1.120.4 and 1.121.1.

No rest for project maintainers battered by slew of vulnerability disclosures

Connor Jones, Thu 12 Mar 2026 // 13:34 UTC

The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that hackers are exploiting a max-severity remote code execution (RCE) vulnerability in workflow automation platform n8n. CISA urged all federal civilian executive branch (FCEB) agencies to patch CVE-2025-68613 at once because it carries a near-perfect 9.9 vulnerability score.

The bug was first disclosed in December, and vendors such as Resecurity said that of n8n's roughly 230,000 active users, more than 103,000 appeared to be vulnerable.

CVE-2025-68613 can lead to RCE on the open source workflow automation platform, with potential consequences ranging from simple data theft to full-blown supply chain compromise. The vulnerability lies in n8n's expression evaluation engine, which is commonly used to automate operational tasks across systems. n8n's advisory states that, under certain conditions, authenticated attackers can inject payloads into expressions that are then executed without validation.

"Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations," it said.

In plain terms, an attacker with access to a low-privilege account that can create or modify workflows could take control of the entire n8n instance and abuse it to access secrets such as passwords or credentials stored for integrations, or push malicious code downstream by modifying workflows, among other nastiness.

n8n patched the bug in December (1.120.4, with 1.121.1 for the 1.121 release line), but given CISA's notice adding it to the Known Exploited Vulnerabilities (KEV) list, it seems as though some orgs have not been upgrading. FCEB agencies have until March 25 to ensure they're running a safe version.

The project maintainers have endured some difficult weeks since CVE-2025-68613 was first disclosed. Although the patch for the 9.9 vulnerability worked, the project was forced to spend time devising other fixes after Cyera researchers notified it of a 10.0-severity bug they coined "ni8mare". CVE-2026-21858 (CVSS 10.0) is another RCE bug disclosed at the start of the year, although this one allowed attackers free rein of an n8n instance without the need for authentication, thanks to improper handling of webhooks.

Then came a collection of vulnerabilities in early February tracked under the single CVE identifier CVE-2026-25049 (CVSS 9.4). n8n said these flaws more closely resembled CVE-2025-68613, providing additional ways to exploit the platform's expression evaluation engine.

"Additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613," n8n said in an advisory. "An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n."
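Two checks a defender would want after reading the above, written here as an added example (editor's code, not n8n's, CISA's or The Register's): a version test against the CVE-2025-68613 affected range quoted in the summary (>= 0.211.0 and < 1.120.4, plus exactly 1.121.0), and a scan of exported n8n workflow JSON for expressions that reach into the JavaScript runtime rather than workflow data, which is the abuse pattern both CVE-2025-68613 and CVE-2026-25049 describe. The suspicious-token list and the sample workflow are the editor's assumptions and constructed test input; the flagged expression is a generic JS sandbox-escape idiom used as an indicator, not a reproduction of any n8n exploit.

```python
"""Affected-version check and expression-injection hunt for n8n workflow exports.

Added example, not project code. Version bounds come from the advisory as
summarised in the article; the indicator list below is an editor assumption.
"""
import re

# Affected: >= 0.211.0 and < 1.120.4, plus 1.121.0 exactly (fixed in 1.121.1).
AFFECTED_LOW = (0, 211, 0)
FIXED_120 = (1, 120, 4)
AFFECTED_EXACT = {(1, 121, 0)}


def parse_version(version: str) -> tuple:
    """Parse 'v1.120.4' / '1.120.4' into (1, 120, 4).

    Pre-release or build suffixes ('1.120.4-rc.1') are ignored, so a
    pre-release of a fixed version is reported as fixed; treat that as a caveat.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"not a semver-style version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_by_cve_2025_68613(version: str) -> bool:
    """True when the running n8n version falls inside the advisory's affected range."""
    v = parse_version(version)
    return (AFFECTED_LOW <= v < FIXED_120) or v in AFFECTED_EXACT


# Editor's heuristic: workflow expressions normally reference $json, $node,
# $now and similar; anything that names the JS runtime is worth a human look.
SUSPICIOUS_TOKENS = re.compile(
    r"\b(constructor|process|require|child_process|globalThis|Function|eval)\b"
)
EXPRESSION_BODY = re.compile(r"\{\{(.*?)\}\}", re.S)


def iter_expressions(node):
    """Yield every expression-valued parameter ('={{ ... }}') in a workflow JSON tree."""
    if isinstance(node, dict):
        for value in node.values():
            yield from iter_expressions(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_expressions(value)
    elif isinstance(node, str) and node.startswith("=") and "{{" in node:
        yield node


def find_suspicious_expressions(workflow: dict) -> list:
    """Return the expression strings whose {{ }} bodies mention a runtime token."""
    hits = []
    for expr in iter_expressions(workflow):
        if any(SUSPICIOUS_TOKENS.search(body) for body in EXPRESSION_BODY.findall(expr)):
            hits.append(expr)
    return hits


# Constructed sample export (editor's test input, not a real workflow).
SAMPLE_WORKFLOW = {
    "name": "onboarding",
    "nodes": [
        {
            "name": "Set fields",
            "type": "n8n-nodes-base.set",
            "parameters": {
                "values": {
                    "string": [
                        {"name": "email", "value": "={{ $json.email }}"},
                        {"name": "when", "value": "={{ $now.toISO() }}"},
                    ]
                }
            },
        },
        {
            "name": "Notify",
            "type": "n8n-nodes-base.httpRequest",
            "parameters": {
                # Generic JS sandbox-escape idiom used here only as an indicator.
                "url": "={{ $json.constructor.constructor('return process.env')() }}"
            },
        },
    ],
    "connections": {},
}


if __name__ == "__main__":
    for v in ("1.119.0", "1.120.4", "1.121.0", "1.121.1"):
        print(v, "AFFECTED" if is_affected_by_cve_2025_68613(v) else "ok")
    for hit in find_suspicious_expressions(SAMPLE_WORKFLOW):
        print("suspicious expression:", hit)
```

Run the version check against the value reported by your instance (for example the version shown in the n8n UI or the image tag you deploy), and the expression scan over workflow exports or a database dump of the workflow table; a hit is a lead for review, not proof of compromise, since legitimate Code nodes can mention some of these tokens.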
