securityaffairs.com 3/12/2026, 10:08:12 AM · via preferred

U.S. CISA adds a flaw in n8n to its Known Exploited Vulnerabilities catalog

Primary source: cisa.gov
CISA KEV: listed
Patch: available

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a flaw in n8n, tracked as CVE-2025-68613 with a CVSS score of 10.0, to its Known Exploited Vulnerabilities (KEV) catalog. n8n is a workflow automation platform that supports more than 400 integrations and includes native AI features, with a fair-code license that lets organisations build automations while retaining data control.

The vulnerability, first warned about in December 2025, could allow an authenticated attacker to execute arbitrary code with the privileges of the n8n process, potentially leading to full compromise of the affected instance and exposure or modification of data. Patches are available in versions 1.120.4, 1.121.1, and 1.122.0; users are urged to upgrade, or, if patching isn’t possible, to restrict workflow creation and editing to trusted users and run n8n in a hardened environment. CISA orders federal agencies to fix the vulnerability by 25 March 2026 under Binding Operational Directive 22-01.


Article by CyberSIXT