CISA has added CVE-2025-68613 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects the n8n workflow automation product and is named the n8n Improper Control of Dynamically-Managed Code Resources Vulnerability; it allows remote code execution through the workflow expression evaluation system.
The vulnerability stems from insufficient validation of user-supplied data that is dynamically evaluated as code, enabling an attacker to craft a malicious workflow expression that executes arbitrary commands on the host. It carries a CVSS base score of 10.0, rating it as critical, and a security patch is available from the vendor.
Because inclusion in the KEV catalogue indicates confirmed active exploitation, organisations must assume the flaw is being used in the wild; no ransomware campaign has been linked to this CVE to date. CISA has set a remediation deadline of 26 March 2026 for federal civilian executive branch agencies to address the issue.
CISA’s required action is to “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” While the directive binds FCEB agencies, all organisations should review their n8n deployments and apply the available patch or follow the vendor’s mitigation guidance.
For full technical details, consult the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-68613 and the CISA KEV catalogue.