CISA orders federal agencies to patch actively exploited n8n RCE flaw


CISA has ordered U.S. federal civilian agencies to secure their n8n systems against CVE-2025-68613, an actively exploited remote code execution flaw in the workflow automation platform. The agency added the bug to its Known Exploited Vulnerabilities catalog on March 11, 2026, and set a remediation deadline of March 25, 2026.

The flaw is serious because n8n often sits at the center of automation stacks and can hold API keys, OAuth tokens, database credentials, and other high-value secrets. CISA’s catalog entry describes it as an “Improper Control of Dynamically-Managed Code Resources” vulnerability (CWE-913) and says agencies must apply vendor mitigations, follow cloud guidance under BOD 22-01, or stop using the product if they cannot mitigate it.

According to the n8n advisory mirrored in GitHub’s reviewed security notice and NVD, the bug affects versions from 0.211.0 up to, but not including, 1.120.4; the fixed releases are 1.120.4, 1.121.1, and 1.122.0. The issue lets an authenticated attacker who can create or edit workflows abuse workflow expression evaluation to execute arbitrary code with the privileges of the n8n process, which can lead to full compromise of the instance.

What is confirmed

Item                    Confirmed detail
CVE                     CVE-2025-68613
Vulnerability type      Remote code execution in workflow expression evaluation
Exploitation status     Actively exploited, per CISA KEV inclusion
Affected versions       0.211.0 and later, before the fixed releases listed below
Federal deadline        March 25, 2026
Fix versions            1.120.4, 1.121.1, and 1.122.0

Source: CISA KEV, GitHub advisory, and NVD.

Why this flaw matters

n8n is not just another web app. It often connects business systems, cloud services, developer tools, and AI workflows in one place. That makes a successful compromise especially dangerous because attackers may gain access to sensitive automation logic, credentials, and downstream systems through one exposed server. This risk appears directly in the advisory language, which warns of unauthorized data access, workflow modification, and system-level operations after exploitation.

[Chart: Vulnerable n8n instances exposed online (Shadowserver)]

The active exploitation angle also raises the stakes. CISA only adds vulnerabilities to KEV when there is evidence of exploitation in the wild, and NVD’s March 11 modification log shows the KEV update and federal due date were added that same day.

What admins should do now

  • Upgrade to a patched n8n release immediately.
  • If you cannot patch right away, limit workflow creation and editing to fully trusted users only.
  • Run n8n in a hardened environment with restricted OS privileges and tight network access.
  • Treat any internet-exposed n8n instance as high priority until it is updated. This last point is an inference from CISA’s KEV action and the advisory’s impact statement, not a statement made in either source.
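The first step above is only actionable once you know which n8n version each host is running. The script below is an added example for this article, not code from n8n, CISA, or the advisory. It classifies a version string against the ranges quoted on this page. It assumes the three fixed releases are the first safe release of their own minor line (1.120.x from 1.120.4, 1.121.x from 1.121.1, and every line from 1.122.0 onward), that no n8n release below 0.211.0 is affected, and that `n8n --version` prints a three-part version somewhere in its output; all three are interpretations of the advisory, so confirm them against the advisory text before relying on the result.

```shell
#!/bin/sh
# Added example: classify an n8n version as unaffected, vulnerable, or fixed
# for CVE-2025-68613 using the ranges quoted in this article.
# Assumptions (not from the advisory verbatim):
#   - 1.120.4, 1.121.1 and 1.122.0 are the first safe release of their minor line
#   - every release from 1.122.0 onward is fixed
#   - nothing below 0.211.0 is affected

FIRST_AFFECTED=0.211.0
FIXED_RELEASES="1.120.4 1.121.1 1.122.0"
FIXED_FROM=1.122.0

# Print the first "major.minor.patch" found in a string, or nothing.
# Handles inputs such as "1.120.4", "1.120.4-rc.1" or an oclif-style
# "n8n/1.120.4 linux-x64 node-v20.11.1" (format assumed, not verified).
ver_extract() {
    printf '%s\n' "$1" |
        awk 'match($0, /[0-9]+\.[0-9]+\.[0-9]+/) { print substr($0, RSTART, RLENGTH); exit }'
}

# Print "major minor patch" as three space-separated integers (0 0 0 if unparsable).
ver_parts() {
    old_ifs=$IFS; IFS=.
    set -- $(ver_extract "$1")
    IFS=$old_ifs
    printf '%s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}"
}

# Succeed when version $1 is greater than or equal to version $2.
ver_ge() {
    set -- $(ver_parts "$1") $(ver_parts "$2")
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]; return; fi
    if [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]; return; fi
    [ "$3" -ge "$6" ]
}

# Print one of: unknown, unaffected, vulnerable, fixed.
n8n_status() {
    [ -n "$(ver_extract "$1")" ] || { echo unknown; return 0; }
    if ! ver_ge "$1" "$FIRST_AFFECTED"; then echo unaffected; return 0; fi
    if ver_ge "$1" "$FIXED_FROM"; then echo fixed; return 0; fi
    set -- $(ver_parts "$1")            # $1 $2 $3 = major minor patch
    for f in $FIXED_RELEASES; do
        set -- "$1" "$2" "$3" $(ver_parts "$f")   # $4 $5 $6 = fixed release
        # Same minor line and at or past the backported fix: safe.
        if [ "$1" -eq "$4" ] && [ "$2" -eq "$5" ] && [ "$3" -ge "$6" ]; then
            echo fixed; return 0
        fi
    done
    echo vulnerable
}

# Usage: sh n8n_check.sh [VERSION]
# With no argument, ask a locally installed n8n binary for its version.
if [ -n "${1:-}" ]; then
    n8n_status "$1"
elif command -v n8n >/dev/null 2>&1; then
    n8n_status "$(n8n --version 2>/dev/null)"
fi
```

Run it against the version reported by each host (for example the `n8n --version` output on a bare-metal install, or the tag of the container image actually deployed) and treat anything that prints `vulnerable` or `unknown` as a host to patch first; `unknown` means the string did not contain a parsable version and should be resolved by hand, not assumed safe.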

Temporary mitigations

If patching must wait, the vendor guidance is narrow and clear:

  • Limit workflow creation and editing permissions to trusted users only.
  • Restrict operating system privileges and network access around the n8n host.
  • Do not treat these steps as a full fix. Both GitHub’s advisory and NVD say they are only short-term measures.

FAQ

What is CVE-2025-68613?

It is a remote code execution vulnerability in n8n’s workflow expression evaluation system.

Is the flaw actively exploited?

Yes. CISA added it to the Known Exploited Vulnerabilities catalog on March 11, 2026.

Who can exploit it?

The advisory says an authenticated attacker can exploit the bug if they can supply crafted expressions during workflow configuration.

What versions fix it?

The advisory lists 1.120.4, 1.121.1, and 1.122.0 as patched versions.
