
Multiple n8n RCE vulnerabilities and a CISA KEV listing leave 24,700 instances unpatched

Ikesan

Multiple severe RCE vulnerabilities were found in n8n, the workflow automation tool. One of them, CVE-2025-68613 (CVSS 9.9), was added to CISA’s KEV catalog (Known Exploited Vulnerabilities) and has confirmed real-world exploitation. Shadowserver Foundation reported that more than 24,700 instances were exposed to the internet in early February 2026, with more than 12,300 in North America and 7,800 in Europe.

CVE-2025-68613 - the main issue added to CISA KEV

CVSS score: 9.9

The flaw is improper control of dynamically managed code resources in n8n’s expression-evaluation system. An authenticated user can abuse how those code resources are handled to execute arbitrary code with the privileges of the n8n process.

Fixed versions are 1.120.4, 1.121.1, and 1.122.0, released in December 2025. CISA added the vulnerability to KEV on March 11, 2026, and required Federal Civilian Executive Branch agencies to patch by March 25 under BOD 22-01. KEV inclusion is based on active exploitation, not just theoretical risk.

Additional flaws found by Pillar Security

Security researcher Eilon Cohen of Pillar Security found a set of additional vulnerabilities related to n8n’s expression engine.

| CVE | CVSS | Component | Auth required | Attack method |
|---|---|---|---|---|
| CVE-2026-27493 | 9.5 | Form node (public endpoint) | No | Shell command execution via a double-evaluation bug |
| CVE-2026-27577 | 9.4 | Expression compiler (AST rewriter) | Yes | RCE through a missing case in the AST rewriter |
| CVE-2026-27495 | 9.4 | JavaScript Task Runner sandbox | Yes | Sandbox boundary bypass |
| CVE-2026-27497 | 9.4 | Merge node SQL query mode | Yes | RCE and file write via SQL injection |

The most dangerous one is CVE-2026-27493. n8n’s form node often acts as a public endpoint, such as a contact form. If an expression is embedded in an input field, the double-evaluation bug causes it to run directly. No authentication of any kind is needed.

CVE-2026-27577 is caused by an incomplete AST rewriter. A transformation intended to keep the expression sandbox safe is skipped in certain cases. If an attacker already has workflow-editing privileges, that is enough for full RCE.

Credential theft risk

The biggest practical risk is that these flaws can become credential-extraction paths. If an attacker can read the N8N_ENCRYPTION_KEY environment variable, they can decrypt every external connection n8n stores. AWS API keys, database passwords, OAuth tokens, and other API keys can all be exposed at once. Because n8n often sits at the center of many business workflows, a single compromised instance can create cascading damage.

Attack flow

An unauthenticated attack through CVE-2026-27493 typically looks like this:

```mermaid
flowchart TD
    A[Attacker: external HTTP request] --> B[n8n public form node<br/>no authentication]
    B --> C{Double-evaluation bug<br/>CVE-2026-27493}
    C --> D[Expression injection runs<br/>arbitrary shell command]
    D --> E[RCE on the n8n server]
    E --> F1[Read N8N_ENCRYPTION_KEY]
    E --> F2[File-system access]
    E --> F3[Lateral movement inside the network]
    F1 --> G[Decrypt stored credentials<br/>AWS / DB / OAuth / API keys]
    G --> H[Cascade into other services]
```

Authenticated attacks such as CVE-2026-27577 reach the same end state once a user has workflow-editing permissions. In SaaS n8n, that can also create cross-tenant risk.

Affected versions and fixes

CVE-2025-68613

  • Fixed versions: 1.120.4, 1.121.1, 1.122.0 (December 2025)

CVE-2026-27577 / CVE-2026-27493 / CVE-2026-27495 / CVE-2026-27497

  • Vulnerable versions: below v1.123.22, from v2.0.0 through v2.9.2, and v2.10.0 only
  • Fixed versions: 1.123.22, 2.9.3, 2.10.1

Self-hosted environments need an update via docker pull n8nio/n8n:latest or the relevant package manager. For the hosted version, n8n.cloud, the operator states that the fix has already been applied.
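To check whether a self-hosted instance falls inside the version ranges listed above, here is an added Python helper (not part of this article or of n8n). It encodes the four Pillar CVE ranges exactly as stated; for CVE-2025-68613 it assumes that releases below each listed fix in the same minor line are affected, which is inferred from the fix versions rather than stated on the page.

```python
from __future__ import annotations
import re

# Vulnerable ranges for the four Pillar CVEs as listed above: below 1.123.22,
# 2.0.0 through 2.9.2, and 2.10.0 only (inclusive lower, exclusive upper).
PILLAR_CVE_RANGES = [
    ((0, 0, 0), (1, 123, 22)),
    ((2, 0, 0), (2, 9, 3)),
    ((2, 10, 0), (2, 10, 1)),
]

def parse_version(text: str) -> tuple[int, int, int]:
    """Extract x.y.z from strings such as '1.123.21', 'v2.9.2' or 'n8n@2.10.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))

def pillar_cves_affected(version: str) -> bool:
    """True if the version sits in one of the ranges the Pillar advisories cover."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in PILLAR_CVE_RANGES)

def cve_2025_68613_affected(version: str) -> bool:
    """Fixed in 1.120.4, 1.121.1 and 1.122.0. Assumption: releases below the
    fix of their own minor line, or below 1.120.4, are affected."""
    v = parse_version(version)
    if v >= (1, 122, 0) or (1, 121, 1) <= v < (1, 122, 0):
        return False
    if (1, 121, 0) <= v < (1, 121, 1):
        return True
    return v < (1, 120, 4)

def recommended_fix(version: str) -> str | None:
    """Smallest fixed release named in the article that covers the given version."""
    v = parse_version(version)
    if v < (1, 123, 22):
        return "1.123.22"  # also above 1.122.0, so it covers CVE-2025-68613 too
    if (2, 0, 0) <= v < (2, 9, 3):
        return "2.9.3"
    if v == (2, 10, 0):
        return "2.10.1"
    return None  # not inside any range the article lists

if __name__ == "__main__":
    # Constructed sample versions; replace with the output of `n8n --version`.
    for ver in ["1.120.3", "1.123.21", "2.9.2", "2.10.0", "2.10.1"]:
        print(ver, "CVE-2025-68613:", cve_2025_68613_affected(ver),
              "Pillar CVEs:", pillar_cves_affected(ver), "upgrade to:", recommended_fix(ver))
```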

If you cannot patch immediately, disable public form-node endpoints, minimize workflow-editing privileges, and isolate the n8n container network.