The US cybersecurity agency CISA has added a critical vulnerability affecting the n8n workflow automation platform to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw, tracked as CVE-2025-68613 with a CVSS score of 9.9, allows remote code execution through injection into the expression engine that evaluates workflows.
n8n is an increasingly common tool for connecting and automating processes between applications: it orchestrates triggers, transforms data and fires actions without anyone having to write all the logic by hand. That flexibility rests on a system that evaluates dynamic expressions inside the flows, and that is exactly where the weak point was found: an unsafe evaluation of dynamic code that an authenticated attacker can manipulate to execute commands with the same privileges as the n8n process.

The n8n maintainers published patches in December 2025 to fix the flaw (the fixed versions include, among others, 1.120.4, 1.121.1 and 1.122.0). The official release notes and versions are in the n8n releases on GitHub, and the CVE record is at CVE.org. Despite the availability of patches, CISA added the flaw to its KEV catalogue because there are signs of active exploitation, which makes it a security priority for organisations of all kinds.
That an authenticated attacker can achieve remote code execution is no minor detail: in the worst case it allows full takeover of an instance, theft or alteration of data, modification of automations to introduce malicious behaviour, or execution of system-level operations. Although no technical details of how it is being exploited have been published so far, inclusion in KEV normally implies evidence of real use in attacks.
The scale of the problem is significant: public data from the Shadowserver Foundation show tens of thousands of unpatched n8n instances reachable from the Internet, more than 24,700 in early February 2026, concentrated largely in North America and Europe. That public exposure makes it easier for malicious actors to scan for, identify and attempt to exploit vulnerable systems.

The situation has also produced further findings: Pillar Security reported two critical flaws in the n8n expression evaluation system; one of them, registered as CVE-2026-27577, was classified as an additional vulnerability belonging to the same family of problems. For US federal agencies this has an operational consequence: n8n instances in the Federal Civilian Executive Branch (FCEB) must be patched before 25 March 2026 under Binding Operational Directive BOD 22-01 on vulnerability management.
If you administer n8n or depend on managed instances, the recommendation is clear: set aside any complacency and apply the published updates as soon as possible. Alongside the patch, it is worth taking additional measures while you update: restrict access to the web interface to trusted IP ranges or a VPN, review and tighten authentication controls, rotate the credentials and tokens the platform may use, and monitor logs and the network for unusual activity. Early detection of unexpected processes, atypical outbound connections or changes to workflows may be the clue that reveals an intrusion.
Not all organisations face the same risk, but the combination of a near-maximum-severity flaw, evidence of exploitation and tens of thousands of exposed instances creates a scenario where acting quickly makes the difference between a patch and an incident response. To follow the official alerts closely, check CISA's publication and the KEV catalogue; to apply the fixes, check the n8n version history in its repository. Keeping systems up to date and reducing the exposed surface remain the best defences against this type of vulnerability.
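A first step in the triage described above is simply knowing which of your instances are still on a vulnerable release. The following is an added example written for this article, not code from n8n or from the article's author: it classifies an inventory of n8n version strings against the fixed versions the article names (1.120.4, 1.121.1 and 1.122.0). It assumes that 1.122.0 and every later release carry the fix, and it treats release lines older than 1.120 as unpatched because the article's list is not exhaustive; the inventory itself (hostnames and versions) is constructed.

```python
# Added example (not from the article or the n8n project): classify n8n
# version strings against the fixed releases named in the article.
# Assumptions: 1.122.0 and anything newer is patched; 1.120.x and 1.121.x
# are patched only from the listed backport versions; older release lines
# are treated as unpatched (conservative, since the list is "among others").
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed versions as stated in the article.
FIXED_VERSIONS: List[Version] = [(1, 120, 4), (1, 121, 1), (1, 122, 0)]

# Only plain release versions are accepted; pre-release or build suffixes
# (e.g. "-rc1") are rejected so a candidate build is never counted as patched.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Turn '1.120.4' or 'v1.120.4' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True if the version is at or beyond a release that contains the fix."""
    v = parse_version(version)
    newest_fix = max(FIXED_VERSIONS)
    if v >= newest_fix:
        return True  # at or after the first fully fixed line (assumption)
    # Otherwise it must sit on a release line that received a backport.
    for fixed in FIXED_VERSIONS:
        if v[:2] == fixed[:2]:
            return v >= fixed
    return False  # older release line with no listed fix: treat as unpatched


def triage(instances: Dict[str, str]) -> Dict[str, List[str]]:
    """Split an inventory {hostname: version} into patched and needs_update."""
    report: Dict[str, List[str]] = {"patched": [], "needs_update": []}
    for name, ver in instances.items():
        bucket = "patched" if is_patched(ver) else "needs_update"
        report[bucket].append(name)
    return report


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are made up for the example.
    sample = {
        "n8n-prod": "1.120.4",
        "n8n-dev": "1.119.2",
        "n8n-staging": "1.121.0",
        "n8n-lab": "v1.123.1",
    }
    print(triage(sample))
```

Feed `triage` the versions you collect from each instance (for example from the version shown in the n8n UI or the tag of the deployed container image); anything that lands in `needs_update` should be patched first, and the access restrictions and credential rotation described above applied in the meantime.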