n8n

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies on Wednesday to patch their systems against an actively exploited n8n vulnerability.

n8n is an open-source workflow automation platform widely used in AI development for automating data ingestion, with over 50,000 weekly downloads on the npm registry and over 100 million pulls on Docker Hub.

As an automation hub, n8n often stores a wide range of highly sensitive data, including API keys, database credentials, OAuth tokens, cloud storage access credentials, and CI/CD secrets, making it an extremely attractive target for threat actors.

Tracked as CVE-2025-68613, this remote code execution vulnerability allows authenticated attackers to execute arbitrary code on vulnerable servers with the privileges of the n8n process.

"n8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution," CISA said.

"Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations," the n8n team added.

The n8n team addressed CVE-2025-68613 in December with the release of n8n v1.122.0 and advised IT administrators to apply the patch immediately. Admins who can't upgrade right away can, as temporary mitigations, limit workflow creation and editing permissions to fully trusted users only and restrict the n8n process's operating system privileges and network access to reduce the impact of potential exploitation.
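A small triage helper for the patch step above, added here as an example and not code from n8n or the article: it parses n8n version strings from an asset inventory and flags instances older than the fixed v1.122.0. The "host,version" inventory format and the hostnames are constructed for the example.

```python
import re

# n8n v1.122.0 ships the fix for CVE-2025-68613 (from the article); older is affected.
FIXED_VERSION = (1, 122, 0)
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text):
    """Return ((major, minor, patch), prerelease) or None if not semver-like."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def is_vulnerable(version_text):
    """True when the version predates the fix.

    A pre-release of 1.122.0 (e.g. 1.122.0-rc.1) sorts before the release in
    semver and is flagged as affected rather than assumed fixed; unparseable
    versions are flagged too so they get reviewed instead of silently skipped.
    """
    parsed = parse_version(version_text)
    if parsed is None:
        return True
    core, prerelease = parsed
    return core < FIXED_VERSION or (core == FIXED_VERSION and prerelease is not None)


def triage(inventory_lines):
    """Return (host, version) pairs needing the patch; "host,version" lines are an assumed format."""
    needs_patch = []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        if is_vulnerable(version):
            needs_patch.append((host.strip(), version.strip()))
    return needs_patch


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    "# host,n8n_version",
    "n8n-prod.example.internal,1.121.3",
    "n8n-dev.example.internal,v1.122.0",
    "n8n-lab.example.internal,1.122.0-rc.1",
    "n8n-unknown.example.internal,unknown",
]
```

Running `triage(SAMPLE_INVENTORY)` lists the prod, lab and unknown hosts as still needing the upgrade.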

Internet security watchdog group Shadowserver tracks over 40,000 unpatched instances exposed online, with more than 18,000 IPs found in North America and over 14,000 in Europe.

Figure: Vulnerable n8n instances exposed online (Shadowserver)

CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their n8n instances by March 25, as mandated by a binding operational directive (BOD 22-01) issued in November 2021.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA warned.

"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

Although BOD 22-01 applies only to federal agencies, CISA has encouraged all network defenders to secure their systems against ongoing CVE-2025-68613 attacks as soon as possible.

Since the start of the year, the n8n security team has addressed several other severe vulnerabilities, including one dubbed Ni8mare that allows remote attackers without privileges to hijack unpatched n8n servers.
