A serious security flaw in a widely used automation platform has caught the attention of U.S. cyber defenders.
The Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability affecting n8n, a workflow automation tool used to connect apps and automate tasks, to its Known Exploited Vulnerabilities Catalog. The move signals that attackers are already taking advantage of the bug in real-world attacks.
The vulnerability, tracked as CVE-2025-68613, carries a severity score of 9.9 out of 10. At its core, the issue stems from a flaw in how the platform evaluates workflow expressions. That weakness can allow an attacker with access to the system to inject malicious code and run it remotely.
CISA described the problem bluntly: “n8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution.”
In practical terms, that means someone who gains authenticated access to a vulnerable instance could take control of the system running it. The developers behind n8n say the flaw could allow attackers to run commands with the same privileges as the application itself. That level of access could expose sensitive data, allow workflows to be altered, or enable deeper control over the host system.
The bug was originally fixed late last year in versions 1.120.4, 1.121.1, and 1.122.0 of the software. Yet many deployments remain unpatched.
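Because the fix was backported to three separate release branches, a simple "is the version new enough" check gets the answer wrong for the 1.120.x and 1.121.x lines. The following triage helper is an added example, not n8n project code: the fixed versions are those named above; the assumptions that every release older than the fix in its own branch, every release in an older branch, and nothing at or above 1.122.0 is unpatched are ours, as are the constructed sample hostnames.

```python
"""Inventory triage for the n8n expression-evaluation bug (CVE-2025-68613).

Added example, not n8n project code. FIXED_VERSIONS comes from the advisory
text. Assumption: a release is patched only if it is at or above the fix in
its own 1.120 / 1.121 branch, or at or above 1.122.0 (any later branch).
"""
from __future__ import annotations

FIXED_VERSIONS = ((1, 120, 4), (1, 121, 1), (1, 122, 0))  # from the page


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse an n8n version string of the form [v]major.minor.patch."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(version: str) -> bool:
    """True when the version carries the CVE-2025-68613 fix."""
    v = parse_version(version)
    if v >= FIXED_VERSIONS[2]:
        return True  # 1.122.0 and everything after it (assumption)
    # Backported fixes only cover their own minor branch, so 1.121.0 is
    # still vulnerable even though it is "newer" than the fixed 1.120.4.
    for fixed in FIXED_VERSIONS[:2]:
        if v[:2] == fixed[:2]:
            return v >= fixed
    return False  # older branch with no backport (assumption)


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hosts from a {host: version} map that still need the patch."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {
        "auto-1.example.test": "1.119.2",
        "auto-2.example.test": "1.121.0",
        "auto-3.example.test": "1.121.1",
        "auto-4.example.test": "1.125.3",
    }
    for host in triage(sample):
        print(f"{host}: n8n {sample[host]} still needs the CVE-2025-68613 fix")
```

Feed it the versions reported by your own deployment inventory; anything it lists is a host that should be patched before it is reachable from untrusted networks.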
Internet scanning data from the Shadowserver Foundation suggests that more than 24,700 vulnerable n8n instances are still accessible online. Roughly half of them are located in North America, with thousands more in Europe.
The concern grows when automation platforms become deeply embedded in company infrastructure. A compromised workflow system could provide a pathway into multiple connected services at once, especially in environments where automation handles sensitive data transfers.
Security researchers are also watching closely because this may not be the only weakness in the platform. Researchers at Pillar Security recently disclosed additional vulnerabilities affecting the same expression evaluation system, including CVE-2026-27577, another high-severity flaw.
That pattern suggests attackers may continue probing the system for similar issues.
CISA’s decision to place the vulnerability in its Known Exploited Vulnerabilities Catalog triggers a familiar government response. Agencies within the Federal Civilian Executive Branch have been instructed to patch affected systems by March 25 under the rules of Binding Operational Directive 22-01, which requires federal networks to quickly address actively exploited bugs.
