Photo by The Hacker News on The Hacker News
What happened
CISA added CVE-2025-68613 (n8n improper control of dynamically managed code resources) to the Known Exploited Vulnerabilities (KEV) catalog on March 11, 2026.
Per CISA’s KEV entry, the flaw can lead to remote code execution (RCE) through n8n’s workflow expression evaluation path.
Why this matters
- KEV inclusion means exploitation has been observed in the wild.
- n8n is frequently connected to internal APIs, SaaS tokens, and automation secrets.
- If compromised, attackers can pivot from automation tooling into broader systems.
What defenders should do now
- Patch/mitigate immediately using vendor guidance for affected n8n versions.
- Restrict access to n8n admin and workflow endpoints (VPN, allowlists, zero trust controls).
- Rotate exposed secrets used by n8n flows (API keys, webhooks, tokens, credentials).
- Review workflow changes for suspicious expression payloads or unauthorized edits.
- Monitor for post-exploitation activity such as unusual outbound requests and privilege escalation.
Quick triage checklist
- Inventory all internet-exposed n8n instances.
- Confirm version and mitigation state on each instance.
- Check logs for unfamiliar workflow executions and new credentials.
- Escalate high-risk internet-facing systems for emergency remediation.
Bottom line
Treat CVE-2025-68613 as an active exploitation risk. If your organization runs n8n, this belongs in the immediate remediation queue.