CISA Confirms Active Exploitation of n8n Workflow Tool
The U.S. Cybersecurity and Infrastructure Security Agency added a critical n8n vulnerability to its Known Exploited Vulnerabilities catalog on March 12, 2026. The agency cited evidence of active exploitation in the wild targeting the workflow automation platform.
CVE-2025-68613 represents an expression injection flaw that allows attackers to execute arbitrary code remotely. The vulnerability earned a CVSS score of 9.9, placing it in the critical severity category.
n8n Workflow Platform Users at Risk
The vulnerability affects n8n installations across enterprise and individual deployments. Organizations using n8n for workflow automation face immediate risk of system compromise through the expression injection vector.
Federal agencies must patch by the CISA deadline, while private sector organizations should prioritize updates given the confirmed exploitation activity.
Expression Injection Enables Full System Control
Attackers exploit the expression injection weakness to inject malicious code into n8n's workflow processing engine. This technique bypasses input validation and executes commands with the application's privileges.
n8n has released patches addressing the vulnerability. Organizations should update immediately and review logs for suspicious workflow execution patterns. The CISA KEV catalog provides additional guidance for federal agencies facing mandatory patching requirements.
