CISA on March 11 added CVE-2025-68613, a critical remote code execution flaw in n8n, to its Known Exploited Vulnerabilities catalog after citing evidence of active exploitation. The bug affects the workflow automation platform’s expression evaluation system and allows an authenticated attacker to execute arbitrary code with the privileges of the n8n process.
According to n8n’s original security advisory and the NVD entry for CVE-2025-68613, the vulnerability impacts versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0. The CNA record from GitHub assigns the flaw a CVSS 3.1 base score of 9.9, while NVD says its own assessment has not yet been provided.
CISA’s KEV catalog entry lists the issue as an improper control of dynamically managed code resources vulnerability in n8n that can lead to remote code execution. The agency added the bug on March 11 and set a remediation due date of March 25 for Federal Civilian Executive Branch agencies.
“An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process.” — n8n security advisory
GitHub’s advisory database entry says successful exploitation can lead to full compromise of the affected instance, including unauthorized access to sensitive data, workflow modification, and execution of system-level operations. The flaw sits in software widely used to automate workflows between apps and services, a design pattern that overlaps with the broader automation and integration risks discussed in Cyberwarzone’s coverage of MCP vulnerabilities and AI security risks.
Patched releases are already available
NVD states that n8n fixed the vulnerability in versions 1.120.4, 1.121.1, and 1.122.0. In its original advisory, n8n urged users to upgrade to a patched release and said the fixes add safeguards that restrict expression evaluation.
If upgrading cannot happen immediately, n8n’s advisory recommends limiting workflow creation and editing permissions to fully trusted users only and deploying n8n in a hardened environment with restricted operating system privileges and network access. The company said those steps do not eliminate the risk and should be treated as short-term measures.
The KEV addition places the n8n bug among software flaws CISA says are being exploited in the wild, alongside other high-risk issues recently tracked by Cyberwarzone, including Apple’s iOS CVE-2025-43300 zero-click patch analysis.
