Overview
- CISA added CVE-2025-68613 to its Known Exploited Vulnerabilities catalog and directed FCEB agencies to remediate by March 25 under BOD 22-01.
- CVE-2025-68613 is an expression-evaluation remote code execution bug that n8n patched in December 2025 and that enables authenticated attackers to fully compromise affected instances.
- Pillar Security separately detailed critical flaws CVE-2026-27577 and CVE-2026-27493 that enable sandbox escape and unauthenticated expression injection via Form nodes.
- n8n released fixes for the new issues in versions 2.10.1, 2.9.3, and 1.123.22, and warned that attackers could read the N8N_ENCRYPTION_KEY to decrypt stored credentials such as AWS keys and OAuth tokens.
- Internet scans report tens of thousands of exposed or unpatched n8n instances, and administrators are urged to upgrade or apply temporary mitigations such as limiting workflow editing, disabling Form and Merge nodes, using external runners, and hardening deployments.
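
A version triage for an n8n inventory against the fixed releases listed above (2.10.1, 2.9.3, 1.123.22). This is an added example, not n8n's or CISA's tooling. It assumes each fix applies to the release line it belongs to, that lines older than those listed need an upgrade, and that the hostnames and versions in the sample are constructed. It covers only the fixes named in this overview, since no fixed version number is given here for CVE-2025-68613.

```python
import re

# Fixed releases named in the overview, keyed by release line.
# Assumption: a fix covers the line sharing its major.minor (2.x) or major (1.x).
FIXED = {(2, 10): (2, 10, 1), (2, 9): (2, 9, 3), (1,): (1, 123, 22)}


def parse_version(text):
    """Return (major, minor, patch), or None if the string is not plain x.y.z."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def triage(version_text):
    """Classify a reported version as 'patched', 'upgrade' or 'unknown'."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # tags such as 'latest' or pre-releases need manual review
    major, minor, _ = v
    if major < 1:
        return "upgrade"  # assumption: no fixed release exists on 0.x
    if major == 1:
        return "patched" if v >= FIXED[(1,)] else "upgrade"
    if major == 2:
        if (2, minor) in FIXED:
            return "patched" if v >= FIXED[(2, minor)] else "upgrade"
        # Assumption: 2.x lines below 2.9 have no listed fix; lines above 2.10 include it.
        return "patched" if minor > 10 else "upgrade"
    return "unknown"  # a major version the overview does not mention


def triage_inventory(rows):
    """Map each host to its triage result."""
    return {host: triage(version) for host, version in rows}


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = [
    ("n8n-a.example.internal", "2.10.0"),
    ("n8n-b.example.internal", "2.9.3"),
    ("n8n-c.example.internal", "1.122.5"),
    ("n8n-d.example.internal", "latest"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` should be resolved to a concrete version before being counted as remediated.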