CVE-2025-68613 — HIGH (CVSS 8.8) AI Security Vulnerability

CISO Take

CVE-2025-68613 is a CVSS 8.8 RCE in n8n, actively exploited in the wild (CISA KEV, Zerobot malware campaign) and requires only low-privilege authentication — patch to 1.120.4/1.121.1/1.122.0 immediately. If n8n is part of your AI agent infrastructure, assume credential compromise: rotate all API keys, LLM tokens, and integration secrets stored in the platform. Any n8n instance accessible from the internet with multi-user access must be treated as breached until patched.

Risk Assessment

Critical operational risk for organizations using n8n in AI agent pipelines or automation workflows. CVSS 8.8 with network-accessible attack vector and low privilege requirement means any authenticated user — including trial accounts or compromised internal accounts — can achieve full instance compromise. CISA KEV inclusion and a documented Zerobot malware campaign confirm active exploitation at scale. Risk is amplified in AI contexts because n8n instances typically hold credentials for LLM APIs (OpenAI, Anthropic), vector databases, cloud storage, and SaaS integrations — a single compromise cascades across the entire AI stack. Exploitation complexity is low; no specialized AI/ML knowledge required.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	—	No patch
186.5K OpenSSF 6.0 16 dependents Pushed 7d ago 40% patched ~3d to patch Full package profile →

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1

8.8 / 10

EPSS

81.7%

chance of exploitation in 30 days

Higher than 99% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Actively Exploited

CISA KEV

Sophistication

Trivial

Exploitation Confidence

high

✓ CISA KEV (active exploitation confirmed) — Mar 2026

✓ CISA SSVC: Active exploitation

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

○ EPSS exploit prediction: 82%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

Recommended Action

7 steps

PATCH IMMEDIATELY

Upgrade to n8n 1.120.4, 1.121.1, or 1.122.0. This is the only complete fix.
If patching is blocked: restrict workflow creation/editing to fully trusted users only and isolate n8n behind VPN or internal network — remove all public internet exposure.
Rotate all credentials stored in n8n (LLM API keys, database passwords, OAuth tokens, webhook secrets) regardless of whether compromise is confirmed.
Audit workflow modification history for unauthorized changes, particularly any new HTTP Request nodes, Execute Command nodes, or newly created credentials.
Deploy n8n in a hardened container with restricted OS privileges (non-root, read-only filesystem where possible, egress firewall rules).
Detection: Monitor for unusual n8n process spawning child processes (bash, sh, cmd), unexpected outbound connections from the n8n host, and new workflow creation by non-admin users. Alert on access to /etc/passwd, SSH key directories, or credential files from the n8n process.
Check n8n logs for expression payloads containing process execution patterns (child_process, exec, spawn, eval).

CISA SSVC Assessment

Decision Act

Exploitation active

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Auth Bypass Data Extraction Agent Framework Plugin AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation AML.T0072 - Reverse Shell AML.T0081 - Modify AI Agent Configuration AML.T0083 - Credentials from AI Agent Configuration AML.T0105 - Escape to Host AML.T0108 - AI Agent

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.1.4 - AI risk assessment A.6.2 - AI system roles and responsibilities A.9.2 - Information security in AI system development and operation A.9.7 - Information security in AI system operations

NIST AI RMF

GOVERN 1.2 - Policies and processes related to AI risk are established GOVERN 6.1 - Policies and procedures for AI risk management MANAGE 2.2 - Mechanisms to sustain AI risk management are planned

OWASP LLM Top 10

LLM05:2025 - Improper Output Handling LLM06 - Sensitive Information Disclosure LLM06:2025 - Excessive Agency LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-68613?

CVE-2025-68613 is a CVSS 8.8 RCE in n8n, actively exploited in the wild (CISA KEV, Zerobot malware campaign) and requires only low-privilege authentication — patch to 1.120.4/1.121.1/1.122.0 immediately. If n8n is part of your AI agent infrastructure, assume credential compromise: rotate all API keys, LLM tokens, and integration secrets stored in the platform. Any n8n instance accessible from the internet with multi-user access must be treated as breached until patched.

Is CVE-2025-68613 actively exploited?

Yes, CVE-2025-68613 is confirmed actively exploited and listed in CISA Known Exploited Vulnerabilities catalog since Wed Mar 11 2026 00:00:00 GMT+0000 (Coordinated Universal Time).

How to fix CVE-2025-68613?

1. PATCH IMMEDIATELY: Upgrade to n8n 1.120.4, 1.121.1, or 1.122.0. This is the only complete fix. 2. If patching is blocked: restrict workflow creation/editing to fully trusted users only and isolate n8n behind VPN or internal network — remove all public internet exposure. 3. Rotate all credentials stored in n8n (LLM API keys, database passwords, OAuth tokens, webhook secrets) regardless of whether compromise is confirmed. 4. Audit workflow modification history for unauthorized changes, particularly any new HTTP Request nodes, Execute Command nodes, or newly created credentials. 5. Deploy n8n in a hardened container with restricted OS privileges (non-root, read-only filesystem where possible, egress firewall rules). 6. Detection: Monitor for unusual n8n process spawning child processes (bash, sh, cmd), unexpected outbound connections from the n8n host, and new workflow creation by non-admin users. Alert on access to /etc/passwd, SSH key directories, or credential files from the n8n process. 7. Check n8n logs for expression payloads containing process execution patterns (child_process, exec, spawn, eval).

What systems are affected by CVE-2025-68613?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM integration platforms, RAG pipelines, AI workflow automation, model serving.

What is the CVSS score for CVE-2025-68613?

CVE-2025-68613 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 81.68%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

Exploitation Scenario

Attacker obtains low-privilege n8n credentials via phishing, credential stuffing, or purchasing them on darknet markets (n8n is widely deployed as a SaaS-style internal tool). They create a new workflow containing a malicious expression — e.g., in a Function node or expression field — that abuses CWE-913 (improper control of dynamically-managed code resources) to break out of the expression sandbox and execute OS commands. With the privileges of the n8n process, they execute a reverse shell, establish persistence, and immediately target n8n's encrypted credential store. They exfiltrate all stored API keys (OpenAI, Anthropic, AWS, Slack, GitHub, etc.), then modify existing AI agent workflows to silently forward all processed data to an attacker-controlled endpoint. In the Zerobot campaign context, they also enroll the host in a botnet for cryptomining or DDoS operations. The entire attack chain from initial access to full AI pipeline compromise takes under 10 minutes.