CISA Issues Mandate on n8n RCE Flaw
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal civilian agencies to patch a critical remote code execution vulnerability in n8n, the popular open-source workflow automation platform, after confirming the flaw is being actively exploited in attacks.
The directive was issued on March 11, 2026, adding CVE-2025-68613 to CISA's Known Exploited Vulnerabilities (KEV) catalog. Federal agencies bound by CISA's Binding Operational Directive 22-01 must remediate the vulnerability by April 1, 2026.
Vulnerability Overview
CVE-2025-68613 is rated CVSS 9.9 (Critical) and stems from an improper control of dynamically-managed code resources vulnerability in n8n's workflow expression evaluation system.
n8n allows users to embed dynamic expressions within workflow nodes using {{ }} syntax. The vulnerability enables an attacker to craft malicious expressions that escape n8n's expression sandbox and execute arbitrary operating system commands on the server — a classic sandbox escape leading to full remote code execution.
| Detail | Value |
|---|---|
| CVE | CVE-2025-68613 |
| CVSS | 9.9 (Critical) |
| Product | n8n workflow automation platform |
| Fix Available | Yes — n8n 1.88.0 |
| Exploitation | Active in the wild |
What Makes n8n High-Value for Attackers
n8n is widely deployed for security orchestration (SOAR), DevOps automation, IT workflows, and data integration. A compromised n8n server provides attackers with:
- All stored credentials — API keys, database passwords, cloud tokens, OAuth secrets
- Integration access — Slack, GitHub, AWS, Salesforce, databases, and hundreds of other connected services
- Workflow execution capability — the ability to trigger or modify automated workflows across an organization's infrastructure
- Lateral movement footholds — n8n's elevated system privileges and network access make it an ideal pivot point
Security teams using n8n for SOAR workflows face particularly acute risk: a compromised n8n instance could disable alerting, modify response playbooks, or exfiltrate sensitive security telemetry.
Active Exploitation Context
CISA's addition of a vulnerability to the KEV catalog requires evidence of real-world exploitation — not theoretical proof-of-concepts. This means threat actors are already scanning for and attacking vulnerable n8n instances.
With over 24,700 n8n instances publicly discoverable on the internet via Shodan and FOFA as of mid-March 2026, the attack surface is large. Many self-hosted n8n deployments operate without authentication or behind only basic HTTP credentials, making them trivially accessible.
Who Is Affected
Any organization running n8n versions prior to 1.88.0 is vulnerable. This includes:
- Federal agencies using n8n for IT automation or workflow orchestration
- Enterprises with n8n in DevOps pipelines or security automation
- Healthcare and finance organizations using n8n for data integration workflows
- Managed service providers running n8n on behalf of clients
- Self-hosted deployments by individuals and small teams
Recommended Actions
CISA's required action for KEV entries: "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable."
Steps to take immediately:
- Identify all n8n deployments in your environment — cloud, on-premises, and developer workstations
- Update to n8n 1.88.0 or later — the patched version addressing CVE-2025-68613
- Rotate all credentials stored in n8n — treat any credentials in a pre-patch n8n instance as compromised
- Remove n8n from internet exposure — place behind VPN or zero-trust proxy immediately
- Review workflow execution logs for signs of exploitation (unexpected process spawning, outbound connections)
- Audit connected integrations for suspicious activity originating from n8n's service accounts
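A triage script for the last two steps above, added here as an example and not code from the article, CISA or the n8n project. It assumes a constructed JSON-lines event schema (exec events with pid/ppid/comm/cmdline, connect events with pid/dst/dport) and an assumed egress allowlist; map both onto your own EDR, auditd or eBPF export.

```python
"""Flag the two indicators the article names for a post-patch review:
the n8n Node.js service spawning a shell or network tool, and outbound
connections from n8n (or its children) to destinations it should not reach.
Schema, field names, and sample events are constructed for this example."""
import json

SHELL_OR_NET_TOOLS = {"sh", "bash", "dash", "curl", "wget", "nc", "python3", "perl"}
N8N_CMD_MARKER = "/bin/n8n"      # assumed: n8n's entry point shows up in its cmdline
EGRESS_ALLOWLIST = {"10.0.0.5"}  # assumed: hosts n8n legitimately talks to (e.g. its DB)

# Constructed sample telemetry, not real logs. pid 100 is the n8n service.
SAMPLE_EVENTS = """
{"ts":"2026-03-12T08:01:02Z","event":"exec","pid":100,"ppid":1,"comm":"node","cmdline":"node /usr/local/bin/n8n start"}
{"ts":"2026-03-12T08:03:10Z","event":"connect","pid":100,"dst":"10.0.0.5","dport":5432}
{"ts":"2026-03-12T08:05:40Z","event":"exec","pid":231,"ppid":100,"comm":"sh","cmdline":"sh -c id"}
{"ts":"2026-03-12T08:05:41Z","event":"exec","pid":232,"ppid":231,"comm":"curl","cmdline":"curl -s http://203.0.113.10/"}
{"ts":"2026-03-12T08:05:42Z","event":"connect","pid":232,"dst":"203.0.113.10","dport":80}
{"ts":"2026-03-12T08:06:30Z","event":"exec","pid":300,"ppid":55,"comm":"bash","cmdline":"-bash"}
"""


def triage(lines):
    """Return (timestamp, reason) findings from JSON-lines process/network events."""
    n8n_pids, tainted, findings = set(), set(), []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev["event"] == "exec":
            pid, ppid, comm = ev["pid"], ev["ppid"], ev["comm"]
            if N8N_CMD_MARKER in ev["cmdline"]:
                n8n_pids.add(pid)           # the n8n service itself (main or worker)
            elif ppid in n8n_pids and comm in SHELL_OR_NET_TOOLS:
                tainted.add(pid)            # a shell/tool spawned directly by n8n
                findings.append((ev["ts"], f"n8n pid {ppid} spawned {comm}: {ev['cmdline']}"))
            elif ppid in tainted:
                tainted.add(pid)            # descendants of a flagged process inherit suspicion
                findings.append((ev["ts"], f"descendant of flagged pid {ppid}: {ev['cmdline']}"))
        elif ev["event"] == "connect":
            if (ev["pid"] in n8n_pids or ev["pid"] in tainted) and ev["dst"] not in EGRESS_ALLOWLIST:
                findings.append((ev["ts"], f"pid {ev['pid']} connected to non-allowlisted "
                                           f"{ev['dst']}:{ev['dport']}"))
    return findings


if __name__ == "__main__":
    for ts, reason in triage(SAMPLE_EVENTS.splitlines()):
        print(ts, reason)
```

n8n's Execute Command node legitimately spawns a shell, so baseline the flagged parent/child pairs against your known workflows before turning this into an alert.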
Timeline
| Date | Event |
|---|---|
| Pre-2026 | CVE-2025-68613 introduced in n8n expression evaluation engine |
| Early 2026 | Active exploitation begins in the wild |
| 2026-03-11 | CISA adds CVE-2025-68613 to KEV catalog |
| 2026-03-11 | n8n 1.88.0 patch available |
| 2026-04-01 | Federal agency remediation deadline |
Sources
- BleepingComputer — CISA Orders Feds to Patch n8n RCE Flaw Exploited in Attacks
- CISA KEV Catalog — CVE-2025-68613