CVE-2025-68613
published 2025-12-19CVE-2025-68613: n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code…
PriorityP195high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
KEVITWEXPLOITInitial access
CISA Known Exploited Vulnerabilitydue 2026-03-25
Exploited in the wild
EPSS
97.88%
99.9th percentile
n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| n8n-io | n8n | < 1.123.22 | 1.123.22 |
| n8n-io | n8n | — | — |
| n8n-io | n8n | — | — |
| n8n | n8n | < 1.123.22 | 1.123.22 |
| n8n | n8n | — | — |
| n8n | n8n | >= 0 < 1.123.17 | 1.123.17 |
| n8n | n8n | >= 0 < 1.123.22 | 1.123.22 |
| n8n | n8n | >= 0.211.0 < 1.120.4 | 1.120.4 |
| n8n | n8n | >= 0.211.0 < 1.120.4 | 1.120.4 |
| n8n | n8n | >= 1.121.0 < 1.121.1 | 1.121.1 |
| n8n | n8n | >= 2.0.0 < 2.9.3 | 2.9.3 |
| n8n | n8n | >= 2.0.0 < 2.5.2 | 2.5.2 |
| n8n | n8n | >= 2.0.0 < 2.9.3 | 2.9.3 |
| n8n | n8n | >= 2.10.0 < 2.10.1 | 2.10.1 |
| n8n | n8n | >= 2.10.0 < 2.10.1 | 2.10.1 |
Detection & IOCsextracted from sources · hover to see the quote
command={{ (function() { var require = this.process.mainModule.require; var execSync = require('child_process').execSync; return execSync('whoami && id && uname -a').toString(); })() }}↗
- →Detect POST requests to /rest/workflows containing n8n-nodes-base.set node with expression values matching the pattern `this.process.mainModule.require` or `child_process` inside {{ }} delimiters — indicative of CVE-2025-68613 RCE exploitation. ↗
- →Monitor n8n REST API endpoints /rest/workflows (POST), /rest/workflows/<id>/run (POST), and /rest/executions/<id> (GET) in sequence from the same authenticated session — this pattern matches the exploit chain for CVE-2025-68613. ↗
- →Alert on workflow expression payloads containing the regex pattern `uid=[0-9]+\([a-zA-Z0-9_-]+\)` in n8n execution results — this indicates successful RCE and command output exfiltration. ↗
- →Review all n8n workflows for suspicious expressions, particularly those referencing `process.mainModule`, `child_process`, `execSync`, or `constructor` within {{ }} expression blocks. ↗
- →Insikt Group published a Nuclei template for CVE-2025-68613 in December — use it to identify vulnerable n8n instances in your environment. ↗
- →The vulnerability affects n8n versions >= 0.211.0 and < 1.120.4, < 1.121.1, < 1.122.0 — use version fingerprinting via the /signin page (base64-encoded content) to identify unpatched instances. ↗
- ·The Metasploit module uses a Schedule Trigger node to automatically fire and evaluate the malicious payload — defenders should note that exploitation does not require manual workflow execution. ↗
- ·Post-exploitation impact includes theft of all stored credentials (API keys, OAuth tokens), sensitive configuration files, and potential pivot to connected cloud accounts and AI workflow hijacking. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ghsa8.8HIGH
osv8.8HIGH
vulncheck10.0CRITICAL
cisa8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
n8n: Expression Sandbox Escape Leads to RCE
ghsa·2026-02-25·CVSS 8.8
CVE-2026-27577 [HIGH] CWE-94 n8n: Expression Sandbox Escape Leads to RCE
n8n: Expression Sandbox Escape Leads to RCE
## Impact
Additional exploits in the expression evaluation of n8n have been identified and patched following [CVE-2025-68613](https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp).
An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n.
## Patches
The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities.
## Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to full
OSV
n8n: Expression Sandbox Escape Leads to RCE
osv·2026-02-25·CVSS 8.8
CVE-2026-27577 [HIGH] n8n: Expression Sandbox Escape Leads to RCE
n8n: Expression Sandbox Escape Leads to RCE
## Impact
Additional exploits in the expression evaluation of n8n have been identified and patched following [CVE-2025-68613](https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp).
An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n.
## Patches
The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities.
## Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to full
OSV
n8n Has Expression Escape Vulnerability Leading to RCE
osv·2026-02-04·CVSS 8.8
CVE-2026-25049 [HIGH] n8n Has Expression Escape Vulnerability Leading to RCE
n8n Has Expression Escape Vulnerability Leading to RCE
### Impact
Additional exploits in the expression evaluation of n8n have been identified and patched following [CVE-2025-68613](https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp).
An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n.
### Patches
The issue has been fixed in n8n versions 1.123.17 and 2.5.2. Users should upgrade to these versions or later to remediate the vulnerability.
### Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trust
GHSA
n8n Has Expression Escape Vulnerability Leading to RCE
ghsa·2026-02-04·CVSS 8.8
CVE-2026-25049 [HIGH] CWE-913 n8n Has Expression Escape Vulnerability Leading to RCE
n8n Has Expression Escape Vulnerability Leading to RCE
### Impact
Additional exploits in the expression evaluation of n8n have been identified and patched following [CVE-2025-68613](https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp).
An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n.
### Patches
The issue has been fixed in n8n versions 1.123.17 and 2.5.2. Users should upgrade to these versions or later to remediate the vulnerability.
### Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trust
VulnCheck
n8n n8n Improper Input Validation
vulncheck·2026·CVSS 10.0
CVE-2026-21858 [CRITICAL] n8n n8n Improper Input Validation
n8n n8n Improper Input Validation
n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.
Affected: n8n n8n
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://beelzebub.ai/blog/catching-ni8mare-in-the-wild-cve-2026-21858/;
GHSA
n8n Vulnerable to Remote Code Execution via Expression Injection
ghsa·2025-12-22
CVE-2025-68613 [CRITICAL] CWE-913 n8n Vulnerable to Remote Code Execution via Expression Injection
n8n Vulnerable to Remote Code Execution via Expression Injection
### Impact
n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime.
An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations.
### Patches
This issue has been fixed in n8n v1.122.0.
Users are strongly advised to upgra
OSV
n8n Vulnerable to Remote Code Execution via Expression Injection
osv·2025-12-22
CVE-2025-68613 [CRITICAL] n8n Vulnerable to Remote Code Execution via Expression Injection
n8n Vulnerable to Remote Code Execution via Expression Injection
### Impact
n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime.
An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations.
### Patches
This issue has been fixed in n8n v1.122.0.
Users are strongly advised to upgra
VulnCheck
n8n Improper Control of Dynamically-Managed Code Resources Vulnerability
vulncheck·2025·CVSS 9.9
CVE-2025-68613 [CRITICAL] CWE-913 n8n Improper Control of Dynamically-Managed Code Resources Vulnerability
n8n Improper Control of Dynamically-Managed Code Resources Vulnerability
n8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution.
Affected: n8n n8n
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.akamai.com/blog/security-research/2026/feb/zerobot-malware-targets-n8n-automation-platform; https://ctrlaltintel.com/threat%20research/MuddyWater/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.vulncheck.com/blog/n8n-needs-more-kev; https://www.labs.greynoise.io/gr
CISA
n8n Improper Control of Dynamically-Managed Code Resources Vulnerability
cisa·2026-03-11·CVSS 8.8
CVE-2025-68613 [HIGH] CWE-913 n8n Improper Control of Dynamically-Managed Code Resources Vulnerability
Vulnerability: n8n Improper Control of Dynamically-Managed Code Resources Vulnerability
Affected: n8n n8n
n8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp ; https://nvd.nist.gov/vuln/detail/CVE-2025-68613
Remediation Due Date: 2026-03-25
Suricata
ET WEB_SPECIFIC_APPS Node.js n8n Authenticated Workflow Expression Injection (CVE-2025-68613)
suricata·2025-12-23·CVSS 9.9
CVE-2025-68613 [CRITICAL] ET WEB_SPECIFIC_APPS Node.js n8n Authenticated Workflow Expression Injection (CVE-2025-68613)
ET WEB_SPECIFIC_APPS Node.js n8n Authenticated Workflow Expression Injection (CVE-2025-68613)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Node.js n8n Authenticated Workflow Expression Injection (CVE-2025-68613)"; flow:established,to_server; http.uri; content:"/rest/workflows"; fast_pattern; startswith; http.cookie; content:"n8n-auth|3d|"; nocase; http.request_body; content:"|22|value|22 3a|"; pcre:"/^\s*\x22[^\x22]*?\x3d\x7b{2}/R"; reference:url,github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp; reference:cve,2025-68613; classtype:web-application-attack; sid:2066448; rev:2; metadata:affected_product Node_js, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_23, cve CVE_2025_68613, deployment Perimeter, deployment Internal, deployment SSLDe
Metasploit
n8n Workflow Expression Remote Code Execution
metasploit·CVSS 8.8
CVE-2025-68613 [HIGH] n8n Workflow Expression Remote Code Execution
n8n Workflow Expression Remote Code Execution
This module exploits a critical remote code execution vulnerability (CVE-2025-68613) in the n8n workflow automation platform. The vulnerability exists in the workflow expression evaluation system where user-supplied expressions enclosed in {{ }} are evaluated in an execution context that is not sufficiently isolated from the underlying Node.js runtime. An authenticated attacker can create a workflow containing malicious expressions that access the Node.js process object via this.process.mainModule.require (or via the constructor) to load child_process and execute arbitrary system commands. This module uses a Schedule Trigger node to automatically fire and evaluate the malicious payload. This requires valid credentials to create workflows. Succ
Nuclei
n8n - Remote Code Execution via Expression Injection
nuclei·CVSS 8.8
CVE-2025-68613 [HIGH] n8n - Remote Code Execution via Expression Injection
n8n - Remote Code Execution via Expression Injection
n8n 0 && password.length > 0) {
http("login") && http("create-workflow") && http("run-workflow") && http("get-results") && http("delete-workflow");
}
http:
- id: version-check
raw:
- |
GET /signin HTTP/1.1
Host: {{Hostname}}
Accept: */*
extractors:
- type: regex
name: base64_content
group: 1
regex:
- '= 0.211.0") && compare_versions(version, "= 1.121.0") && compare_versions(version, "n8n.io")'
condition: and
- id: login
raw:
- |
POST /rest/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"emailOrLdapLoginId":"{{n8n_email}}","password":"{{n8n_password}}"}
matchers:
- type: status
status:
- 200
internal: true
- id: create-workflow
raw:
- |
POST /rest/workflows HTTP/1.1
Host: {{Hostname}}
Content-Type: application/js
Recorded Future
March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day
blogs_recorded_future·2026-04-13·CVSS 9.8
[CRITICAL] March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day
## March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day
In March 2026, Insikt Group® identified 31 high-impact vulnerabilities that should be prioritized for remediation , 29 of which had a Very Critical Recorded Future Risk Score.
These vulnerabilities affected products from the following vendors: Cisco, Microsoft, Google, ConnectWise, Langflow, Citrix, Aquasecurity, Nginx UI, Qualcomm, F5, Craft CMS, Laravel, Apple, Synacor, Wing FTP Server, n8n, Omnissa, SolarWinds, Ivanti, Hikvision, Rockwell, and Broadcom. This month’s most affected vendors were Microsoft and Apple, together accounting for approximately 32% of the 31 vulnerabilities.
One vulnerability ( CVE-2017-7921 affecting Hikvision) is approximately nine ye
Hackernews
Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign
blogs_hackernews·2026-04-07
Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign
An active campaign has been observed targeting internet-exposed instances running ComfyUI, a popular stable diffusion platform, to enlist them into a cryptocurrency mining and proxy botnet.
"A purpose-built Python scanner continuously sweeps major cloud IP ranges for vulnerable targets, automatically installing malicious nodes via ComfyUI-Manager if no exploitable node is already present," Censys security researcher Mark Ellzey said in a report published Monday.
The attack activity, at its core, systemically scans for exposed ComfyUI instances and
Checkpoint
16th March – Threat Intelligence Report
blogs_checkpoint·2026-03-16
CVE-2025-26399 16th March – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 16th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 16th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
United States-based medical technology company Stryker has suffered a cyberattack that caused a global disruption to its environment. The company said its surgical robotics, clinical communications platform, and life support monitors are safe to use. Media reports said employee devices were factory reset across multiple locati
Bleepingcomputer
CISA orders feds to patch n8n RCE flaw exploited in attacks
blogs_bleepingcomputer·2026-03-11·CVSS 9.9
[CRITICAL] CISA orders feds to patch n8n RCE flaw exploited in attacks
## CISA orders feds to patch n8n RCE flaw exploited in attacks
## Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies on Wednesday to patch their systems against an actively exploited n8n vulnerability.
n8n is an open-source workflow automation platform widely used in AI development for automating data ingestion, with over 50,000 weekly downloads on the npm registry and over 100 million pulls on Docker Hub.
As an automation hub, n8n often stores a wide range of highly sensitive data, including API keys, database credentials, OAuth tokens, cloud storage access credentials, and CI/CD secrets, making it an extremely attractive target for threat actors.
Tracked as CVE-2025-68613 , this remote code execution vulnerability allows authen
Bleepingcomputer
Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws
blogs_bleepingcomputer·2026-02-10·CVSS 8.8
[HIGH] Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws
## Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws
## Lawrence Abrams
25 Elevation of Privilege vulnerabilities
5 Security Feature Bypass vulnerabilities
12 Remote Code Execution vulnerabilities
6 Information Disclosure vulnerabilities
3 Denial of Service vulnerabilities
7 Spoofing vulnerabilities
When BleepingComputer reports on Patch Tuesday security updates, we only count those released by Microsoft today. Therefore, the number of flaws does not include 3 Microsoft Edge flaws fixed earlier this month.
As part of these updates, Microsoft has also begun to roll out updated Secure Boot certificates to replace the original 2011 certificates that are expiring in late June 2026.
"With this update, Windows quality updates include a broad set of targeting data that i
Bleepingcomputer
Critical n8n flaws disclosed along with public exploits
blogs_bleepingcomputer·2026-02-04·CVSS 9.9
CVE-2026-25049 [CRITICAL] Critical n8n flaws disclosed along with public exploits
## Critical n8n flaws disclosed along with public exploits
## Bill Toulas
Multiple critical vulnerabilities in the popular n8n open-source workflow automation platform allow escaping the confines of the environment and taking complete control of the host server.
Collectively tracked as CVE-2026-25049, the issues can be exploited by any authenticated user who can create or edit workflows on the platform to perform unrestricted remote code execution on the n8n server.
Researchers at several cybersecurity companies reported the problems, which stem from n8n's sanitization mechanism and bypass the patch for CVE-2025-68613 , another critical flaw addressed on December 20.
According to Pillar Security, exploiting CVE-2026-25049 enables complete compromise of the n8n instance and could be le
Wiz
Crying Out Cloud Monthly Newsletter - January 2026 | Wiz
blogs_wiz·2026-01-22·CVSS 8.7
CVE-2025-55182 [HIGH] Crying Out Cloud Monthly Newsletter - January 2026 | Wiz
Welcome back! In this edition, we bring you the latest in cloud security: noteworthy incidents, exclusive data, and crucial vulnerabilities. Let’s jump in.
## 🔍 Highlights
React2Shell: Critical RCE Vulnerability in React and Next.js
React2Shell (CVE-2025-55182) is a critical, unauthenticated remote code execution vulnerability rooted in insecure deserialization within the React Server Components (RSC) “Flight” protocol, impacting React 19 and RSC-enabled frameworks, most notably Next.js. The flaw affects default configurations, meaning standard production deployments can be exploited with a single crafted HTTP request and no developer misconfiguration, with exploitation demonstrating near-100% reliability.
Since early December 2025, exploitation has been observed in the wild by multipl
Wiz
CVE-2025-68613 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2025-68613 [CRITICAL] CVE-2025-68613 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68613 :
NixOS vulnerability analysis and mitigation
n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system
Wiz
CVE-2026-27577 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2026-27577 [CRITICAL] CVE-2026-27577 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27577 :
NixOS vulnerability analysis and mitigation
n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613. An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions
https://github.com/n8n-io/n8n/commit/08f332015153decdda3c37ad4fcb9f7ba13a7c79https://github.com/n8n-io/n8n/commit/1c933358acef527ff61466e53268b41a04be1000https://github.com/n8n-io/n8n/commit/39a2d1d60edde89674ca96dcbb3eb076ffff6316https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cphttps://www.akamai.com/blog/security-research/2026/feb/zerobot-malware-targets-n8n-automation-platformhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68613
2025-12-19
Published
2026-03-11
Added to CISA KEV
Exploited in the wild