INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
N8n RCE Vulnerability Exploited in the Wild
2026-03-12 13:34 CRITICAL HIGH
Executive Summary AI-generated
The US Cybersecurity and Infrastructure Security Agency has confirmed that hackers are exploiting a max-severity remote code execution vulnerability in workflow automation platform n8n. The bug, which was first disclosed in December, affects roughly 230,000 active users of the platform, with more than 103,000 appearing vulnerable to exploitation. This could lead to simple data theft or full-blown supply chain compromise if not patched promptly.
Technical Mitigations AI-generated
* Ensure all federal civilian executive branch (FCEB) agencies run the latest version of n8n, specifically v1.122.0 or later, to patch CVE-2025-68613.
* Implement robust access controls and authentication mechanisms for workflow automation tasks to prevent unauthorized access to sensitive data and system-level operations.
* Regularly monitor and update workflows and configurations to ensure they are not vulnerable to exploitation of the max-severity n8n bug.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2025-68613
CVE-2026-25049
CVE-2026-21858
CVE-2026-27577
Target & Sectors
Global Scope
Incident Timeline
November 2021
Threat actors used a max-severity n8n vulnerability to exploit the N8N instance of FCEB agencies by November 2021.
infrastructure
N8N
Federal Civilian Executive Branch (FCEB) agencies have been ordered to patch their n8n instances by March 25, 2026, as mandated by a Binding Operational Directive (BOD 22-01) issued in November 2021.
December 22, 2025
Threat actors exploited a max-severity n8n vulnerability in the wild.
organisation
Censys
Cybersecurity firm Censys observed 103,476 potentially vulnerable instances as of December 22, 2025, trackable with the following queries.
December 2025
Researchers warned that a critical vulnerability in the n8n workflow automation platform, CVE-2025-68613, allowed attackers to achieve arbitrary code execution under certain circumstances.
infrastructure
N8N
In December 2025, researchers warned that a critical vulnerability, tracked as CVE-2025-68613, in the n8n workflow automation platform could allow attackers to achieve arbitrary code execution under certain circumstances.
The security shortcoming was patched by n8n in December 2025 in versions 1.120.4, 1.121.1, and 1.122.0.
early February 2026
Threat actors used a max-severity n8n bug to exploit unpatched instances in North America and Europe.
general_metric
24,700 Instances
Data from the Shadowserver Foundation shows that there are more than 24,700 unpatched instances exposed online, with more than 12,300 of them located in North America and 7,800 in Europe as of early February 2026.
Mar 12, 2026
Threat actors exploited a max-severity n8n vulnerability.
2026-03-12
N8n's advisory warns that an authenticated attacker could use the flaw to execute arbitrary code with the privileges of the n8n process.
infrastructure
N8N
The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that hackers are exploiting a max-severity remote code execution (RCE) vulnerability in workflow automation platform n8n.
U.S. CISA adds a flaw in n8n to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in n8n to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an n8n flaw, tracked as CVE-2025-68613 (CVSS score of 10.0), to its Known Exploited Vulnerabilities (KEV) catalog.
Ravie Lakshmanan
Mar 12, 2026
Vulnerability / Enterprise Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting n8n to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
n8n is a workflow automation platform designed for technical teams that combines the flexibility of custom code with the speed and simplicity of no-code tools.
“n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow expression evaluation system.”
“An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process.”
An authenticated attacker could exploit this weakness during workflow configuration to run arbitrary code with the same privileges as the n8n process, potentially leading to full system compromise, data exposure, workflow tampering, and execution of system-level commands.
If upgrading is not immediately possible, administrators should restrict workflow creation and editing to fully trusted users and run n8n in a hardened environment, keeping in mind these measures only reduce risk temporarily and do not fully resolve the issue.
Users should install the updates immediately and, if patching isn’t possible, restrict workflow editing to trusted users and run n8n in a hardened environment with restricted operating system privileges and network access.
CISA Flags Actively Exploited n8n RCE Bug as 24,700 Instances Remain Exposed.
CVE-2025-68613 is the first n8n vulnerability to be placed in the KEV catalog.
"N8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution," CISA said.
According to the maintainers of the workflow automation platform, the vulnerability could be weaponized by an authenticated attacker to execute arbitrary code with the privileges of the n8n process.
The addition of CVE-2025-68613 comes as Pillar Security disclosed two critical flaws in n8n, one of which – CVE-2026-27577 (CVSS score: 9.4) – has been classified as "additional exploits" discovered in the workflow expression evaluation system following CVE-2025-68613.
CISA warns max-severity n8n bug is being exploited in the wild.
The bug was first disclosed in December, and vendors such as Resecurity said that of n8n's roughly 230,000 active users, more than 103,000 appeared to be vulnerable.
The vulnerability affects n8n and its expression evaluation engine, which are commonly used to automate operational tasks across systems.
n8n's advisory states that, under certain conditions, authenticated attackers can inject payloads into expressions that are then executed without validation.
In plain terms, it means that an attacker with access to a low-privilege account could assume control of the entire n8n instance and abuse it to potentially access secrets such as passwords or push malicious code by modifying workflows, among other nastiness.
n8n patched the bug in v1.122.0, but given CISA's notice adding it to the KEV list, it seems as though some orgs have not been upgrading.
CVE-2026-21858 (10.0) is another RCE bug disclosed at the start of the year, although this one allowed attackers free rein of an n8n instance without the need for authentication, thanks to improper handling of webhooks.
n8n said these flaws more closely resembled CVE-2025-68613, providing additional ways to exploit the platform's expression evaluation engine.
"Additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613," n8n said in an advisory.
"An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n."
organisation
CVE-2025-68613
The vulnerability, tracked as CVE-2025-68613 (CVSS score: 9.9), concerns a case of expression injection that leads to remote code execution.
CVE-2025-68613 can lead to RCE on the open source workflow automation platform, with potential consequences ranging from simple data theft to full-blown supply chain compromise.
infrastructure
1.120.4
The vulnerability has been fixed in versions 1.120.4, 1.121.1, and 1.122.0, and users are strongly urged to upgrade.
organisation
npm
The package gets about 57,000 downloads per week, according to npm statistics.
organisation
CVE-2026-25049
Then came a collection of vulnerabilities in early February tracked under the single CVE identifier CVE-2026-25049 (CVSS 9.4).
March 25, 2026
Threat actors used a max-severity n8n vulnerability to exploit the N8N instance in Federal Civilian Executive Branch (FCEB) agencies.
March 25
FCEB agencies are advised to ensure they are running the safe version of n8n.
attribution
FCEB
FCEB agencies have until March 25 to ensure they're running the safe version.
Tactical Metrics
Metrics
infrastructure
N8N
Affected Product
Metrics
infrastructure
1.120.4
Software Version
Metrics
infrastructure
1.121.1
Software Version
Metrics
infrastructure
1.122.0
Software Version
Metrics
infrastructure
57,000
Downloads
Metrics
victims
230,000
Active Users
Metrics
victims
103,000
Users
Intelligence Sources
Security Affairs
2026-03-12
The Hacker News
2026-03-12
The Register - Cybercrime
2026-03-12
CISA warns max-severity n8n bug is being exploited in the wild
The Register - Cybercrime
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T10:43
Comprehensive Tactical Telemetry
Highly Correlated Entities
12x | organisation | Identified Entity | CVE-2025 | entity
10x | attribution | Attributing Entity | SecurityAffairs | authority
10x | timeline | Temporal Reference | December 22, 2025 | date
4x | vulnerability | Exploited CVE | CVE-2025-68613 | cve
3x | source region | Origin Country | Germany | country
3x | infrastructure | Software Version | 1.120.4 | version
2x | vulnerability | CVSS Score | 10 | score
2x | general metric | Instances | 24,700 | instances
2x | source region | Origin Region | EUROPE | region
Contextual Telemetry
Context Block
12 METRICS
tactic | MITRE ATT&CK Technique | T1588.006 - Vulnerabilities | technique
infrastructure | Affected Product | N8N | software
tactic | Cyber Operation Type | Remote Code Execution | tactic
infrastructure | Downloads | 57,000 | downloads
general metric | Vulnerable Instances | 103,476 | vulnerable instances
general metric | Integrations | 400 | integrations
general metric | Mar | 12 | mar
general metric | Vulnerability | 10 | vulnerability
general metric | America | 7,800 | america
general metric | Score | 9 | score
victims | Active Users | 230,000 | active users
victims | Users | 103,000 | users