Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting n8n to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2025-68613 (CVSS score: 9.9), concerns a case of expression injection that leads to remote code execution. The security shortcoming was patched
Analysis Summary
# Vulnerability: n8n Expression Injection Remote Code Execution (RCE)
## CVE Details
- **CVE ID:** CVE-2025-68613
- **CVSS Score:** 9.9 (Critical)
- **CWE:** CWE-94 (Improper Control of Dynamically Managed Code Resources / Expression Injection)
## Affected Systems
- **Products:** n8n (Workflow Automation Platform)
- **Versions:** All versions prior to 1.120.4, 1.121.1, and 1.122.0.
- **Configurations:** Internet-exposed instances are at greatest risk; the flaw lies in the workflow expression evaluation system.
## Vulnerability Description
The flaw is an expression injection vulnerability in n8n's workflow expression evaluation engine, a case of improper control of dynamically managed code resources. An authenticated attacker can inject malicious expressions that, when evaluated by the engine, execute arbitrary code with the same privileges as the n8n process.
## Exploitation
- **Status:** Exploited in the wild (Added to CISA KEV on March 11, 2026).
- **Complexity:** Low (to Medium, depending on authentication access).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Access to sensitive workflow data, credentials, and environment variables).
- **Integrity:** High (Ability to modify workflows or system-level files).
- **Availability:** High (Potential for complete system takeover or service disruption).
## Remediation
### Patches
n8n released security updates in December 2025. Users should upgrade to at least the following versions:
- **1.120.4**
- **1.121.1**
- **1.122.0** (or any later release)
### Workarounds
No specific functional workarounds were provided in the report. The primary recommendation is immediate patching. FCEB agencies are mandated by CISA to patch by **March 25, 2026**.
## Detection
- **Indicators of Compromise:** Monitor for unusual outbound network traffic from n8n nodes, unexpected modifications to existing workflows, or unauthorized creation of new administrative users.
- **Detection methods and tools:**
  - Use vulnerability scanners to identify unpatched n8n versions.
  - Check system logs for suspicious activity within the n8n process execution environment.
  - Shadowserver Foundation tracks unpatched instances; organizations can check their IP space against these datasets.
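The version check above has a subtlety that simple "greater than" comparisons get wrong: the fix shipped on three separate minor lines (1.120.4, 1.121.1, 1.122.0), so 1.121.0 is unpatched even though it is newer than 1.120.4, while 1.120.5 is patched. The following is an added example, not code from the advisory or from the n8n project, that encodes the fixed versions listed in the Remediation section and triages a constructed host inventory; the host names and the `triage` helper are assumptions for illustration.

```python
"""Branch-aware version gate for CVE-2025-68613 (n8n expression injection RCE).

Added example: the fixed versions come from the advisory's Remediation section;
everything else (helpers, sample inventory) is constructed for illustration.
"""
import re

# Fix releases per the advisory, one per affected minor line.
FIXED_VERSIONS = ((1, 120, 4), (1, 121, 1), (1, 122, 0))

_VERSION_RE = re.compile(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.-]*)?\s*")


def parse_version(text):
    """Parse 'v1.121.1', '1.122.0' or '1.122.0-rc.1' into a (major, minor, patch) tuple.

    Pre-release/build suffixes are accepted but ignored for comparison; treat a
    pre-release build of a fix version as patched only after confirming it
    actually contains the fix.
    """
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version):
    """True if the given n8n version contains the fix for CVE-2025-68613.

    Rule: on a minor line that received a fix, the build must be at or above
    that fix; on any other line, only builds newer than the newest fixed line
    (1.122) are considered patched. Older lines with no fix are vulnerable.
    """
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    for fixed in FIXED_VERSIONS:
        if v[:2] == fixed[:2]:          # same major.minor line as a fix release
            return v >= fixed
    newest_fixed_line = max(FIXED_VERSIONS)[:2]
    return v[:2] > newest_fixed_line


def triage(inventory):
    """Map {host: version_string} to {host: 'patched' | 'VULNERABLE' | 'unknown'}."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "patched" if is_patched(version) else "VULNERABLE"
        except ValueError:
            result[host] = "unknown"     # unparsable banner: verify manually
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "automation-01.example": "1.119.3",     # older line, no fix: vulnerable
    "automation-02.example": "1.121.0",     # below 1.121.1 on its line: vulnerable
    "automation-03.example": "1.122.2",     # at/above 1.122.0: patched
    "automation-04.example": "unknown",     # banner not parsable
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:24} {status}")
```

The per-line rule matters when feeding scanner output into a ticketing system: a naive `version >= "1.120.4"` string comparison would mark 1.121.0 as safe and miss a live, exploited instance.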
## References
- **CISA KEV Catalog:** hxxps[://]www.cisa.gov/known-exploited-vulnerabilities-catalog
- **Vendor Advisory (n8n):** hxxps[://]thehackernews.com/2025/12/critical-n8n-flaw-cvss-99-enables.html
- **CVE Record:** hxxps[://]www.cve.org/CVERecord?id=CVE-2025-68613
- **Shadowserver Statistics:** hxxps[://]dashboard.shadowserver.org/statistics/combined/time-series/?tag=cve-2025-68613%2B