The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of a critical vulnerability in n8n, the open source workflow automation platform, prompting urgent patch demands for federal agencies.
The flaw, tracked as CVE-2025-68613 with a near-perfect severity score of 9.9, allows attackers with low-privilege account access to assume full control of an n8n instance. Security researchers at Resecurity initially identified that more than 103,000 of n8n's roughly 230,000 active users faced exposure when the bug was first disclosed in December.
According to n8n's advisory, the vulnerability exists in the platform's expression evaluation engine, a core component used to automate operational tasks across connected systems. Under certain conditions, authenticated attackers can inject payloads into expressions that are executed without validation, potentially leading to unauthorised access to sensitive data, modification of workflows, and execution of system-level operations.
The n8n project released a patch in version 1.122.0, yet the bug's presence on CISA's Known Exploited Vulnerabilities catalogue suggests organisations have been slow to upgrade. Federal civilian executive branch agencies face a March 25 deadline to deploy the fix.
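Because the fix for CVE-2025-68613 shipped in a specific release, the first defensive step is an inventory check: which self-hosted n8n instances still report a version below 1.122.0? The script below is an added example, not code from n8n, CISA or the article; the only page-backed value it uses is the fix version, and the hostnames and versions in the sample inventory are constructed. Pre-release builds of the fix version are treated as unpatched, and a version string that cannot be parsed is failed closed and reported for manual review.

```python
"""Flag self-hosted n8n instances still below the release that fixes CVE-2025-68613.

Added example; not n8n's or CISA's code. The fix version 1.122.0 comes from the
n8n advisory as reported in the article. Hostnames and versions in the sample
inventory are constructed data. Later n8n advisories (CVE-2026-21858,
CVE-2026-25049) set higher floors that are not given here; pass the current
advisory's fix version via the `fixed` parameter when checking against those.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

FIXED_VERSION = "1.122.0"  # release carrying the CVE-2025-68613 fix (from the page)

# Accepts "1.122.0", "v1.122.0" and pre-release tags such as "1.122.0-rc.1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text: str) -> Tuple[int, int, int, Optional[str]]:
    """Split a semver-style n8n version string into its numeric parts and pre-release tag."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = match.groups()
    return int(major), int(minor), int(patch), pre


def version_key(text: str) -> Tuple[int, int, int, int]:
    """Sort key: a pre-release of X.Y.Z orders before the final X.Y.Z release."""
    major, minor, patch, pre = parse_version(text)
    return (major, minor, patch, 0 if pre else 1)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is the fix release or later; pre-releases of the fix do not count."""
    return version_key(version) >= version_key(fixed)


@dataclass(frozen=True)
class Instance:
    host: str
    version: str


def unpatched_instances(inventory: Iterable[Instance], fixed: str = FIXED_VERSION) -> List[str]:
    """Return sorted hostnames that must be upgraded.

    An unparseable version is treated as unpatched (fail closed) so it is not
    silently dropped from the remediation list.
    """
    needs_upgrade = []
    for inst in inventory:
        try:
            patched = is_patched(inst.version, fixed)
        except ValueError:
            patched = False  # unknown version: report it rather than assume safe
        if not patched:
            needs_upgrade.append(inst.host)
    return sorted(needs_upgrade)


# Constructed sample inventory (hypothetical hosts; not from the article).
SAMPLE_INVENTORY = [
    Instance("automation-01.example.internal", "1.121.3"),      # below fix
    Instance("automation-02.example.internal", "v1.122.0"),     # exactly the fix
    Instance("automation-03.example.internal", "1.119.0"),      # below fix
    Instance("automation-04.example.internal", "1.125.1"),      # above fix
    Instance("automation-05.example.internal", "unknown"),      # unparseable: fail closed
    Instance("lab-n8n.example.internal", "1.122.0-rc.1"),       # pre-release of the fix
]


if __name__ == "__main__":
    for host in unpatched_instances(SAMPLE_INVENTORY):
        print(f"UPGRADE REQUIRED: {host}")
```

Feed the real inventory from whatever records your deployments (container image tags, the version reported by each instance's UI or API), and re-run with `fixed=` set to the floor from the most recent n8n advisory, since the article notes that further patches followed the December fix.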
The vulnerability represents one component of a broader security crisis affecting the platform. Project maintainers have contended with a relentless series of flaws since December. In January, researchers discovered CVE-2026-21858, rated at maximum severity 10.0, which allowed attackers to compromise instances entirely without requiring authentication, exploiting improper webhook handling.
In early February, a cluster of additional vulnerabilities tracked under CVE-2026-25049 with a 9.4 severity score provided further attack vectors into the expression evaluation engine. Each successive disclosure has forced the n8n team to revise defences and push additional patches.
The implications extend beyond operational disruption. Attackers could access stored credentials, inject malicious workflows into automated processes, or establish persistence for longer-term compromise. For organisations relying on n8n to orchestrate critical business functions, the window of exposure could permit significant data loss or supply chain compromise.
The cascade of vulnerabilities reflects the inherent challenges facing open source project maintainers with limited resources. Once a single critical flaw surfaces in widely deployed software, sophisticated attackers reverse-engineer the fix and hunt for similar weaknesses in adjacent code. The n8n team's experience illustrates how a single disclosure can trigger months of remediation work, leaving defenders perpetually behind.