AI Threat Alert

CVE-2025-68613: n8n: security flaw enables exploitation

HIGH ACTIVELY EXPLOITED PoC AVAILABLE NUCLEI TEMPLATE CISA: ACT
Published December 19, 2025
CISO Take

CVE-2025-68613 is a CVSS 8.8 RCE in n8n, actively exploited in the wild (CISA KEV, Zerobot malware campaign) and requires only low-privilege authentication — patch to 1.120.4/1.121.1/1.122.0 immediately. If n8n is part of your AI agent infrastructure, assume credential compromise: rotate all API keys, LLM tokens, and integration secrets stored in the platform. Any n8n instance accessible from the internet with multi-user access must be treated as breached until patched.

What is the risk?

Critical operational risk for organizations using n8n in AI agent pipelines or automation workflows. CVSS 8.8 with network-accessible attack vector and low privilege requirement means any authenticated user — including trial accounts or compromised internal accounts — can achieve full instance compromise. CISA KEV inclusion and a documented Zerobot malware campaign confirm active exploitation at scale. Risk is amplified in AI contexts because n8n instances typically hold credentials for LLM APIs (OpenAI, Anthropic), vector databases, cloud storage, and SaaS integrations — a single compromise cascades across the entire AI stack. Exploitation complexity is low; no specialized AI/ML knowledge required.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
n8n npm No patch
193.4K OpenSSF 6.6 Pushed 3d ago 55% patched ~7d to patch Full package profile →

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
98.0%
chance of exploitation in 30 days
Higher than 100% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Actively Exploited
CISA KEV
Sophistication
Trivial
Exploitation Confidence
high
CISA KEV (active exploitation confirmed) — Mar 2026
CISA SSVC: Active exploitation
Weaponized Metasploit module (exploit/multi/http/n8n_workflow_expression_rce)
Nuclei detection template available
EPSS exploit prediction: 98%
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

7 steps

  1. PATCH IMMEDIATELY

    Upgrade to n8n 1.120.4, 1.121.1, or 1.122.0. This is the only complete fix.

  2. If patching is blocked: restrict workflow creation/editing to fully trusted users only and isolate n8n behind VPN or internal network — remove all public internet exposure.

  3. Rotate all credentials stored in n8n (LLM API keys, database passwords, OAuth tokens, webhook secrets) regardless of whether compromise is confirmed.

  4. Audit workflow modification history for unauthorized changes, particularly any new HTTP Request nodes, Execute Command nodes, or newly created credentials.

  5. Deploy n8n in a hardened container with restricted OS privileges (non-root, read-only filesystem where possible, egress firewall rules).

  6. Detection: Monitor for unusual n8n process spawning child processes (bash, sh, cmd), unexpected outbound connections from the n8n host, and new workflow creation by non-admin users. Alert on access to /etc/passwd, SSH key directories, or credential files from the n8n process.

  7. Check n8n logs for expression payloads containing process execution patterns (child_process, exec, spawn, eval).

What does CISA's SSVC say?

Decision Act
Exploitation active
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Auth Bypass Data Extraction Agent Framework Plugin AML.T0012 AML.T0049 AML.T0050 AML.T0053 AML.T0072 AML.T0081 AML.T0083 AML.T0105 AML.T0108

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.6.1.4 - AI risk assessment A.6.2 - AI system roles and responsibilities A.9.2 - Information security in AI system development and operation A.9.7 - Information security in AI system operations
NIST AI RMF
GOVERN 1.2 - Policies and processes related to AI risk are established GOVERN 6.1 - Policies and procedures for AI risk management MANAGE 2.2 - Mechanisms to sustain AI risk management are planned
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling LLM06 - Sensitive Information Disclosure LLM06:2025 - Excessive Agency LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-68613?

CVE-2025-68613 is a CVSS 8.8 RCE in n8n, actively exploited in the wild (CISA KEV, Zerobot malware campaign) and requires only low-privilege authentication — patch to 1.120.4/1.121.1/1.122.0 immediately. If n8n is part of your AI agent infrastructure, assume credential compromise: rotate all API keys, LLM tokens, and integration secrets stored in the platform. Any n8n instance accessible from the internet with multi-user access must be treated as breached until patched.

Is CVE-2025-68613 actively exploited?

Yes, CVE-2025-68613 is confirmed actively exploited and listed in CISA Known Exploited Vulnerabilities catalog since Wed Mar 11 2026 00:00:00 GMT+0000 (Coordinated Universal Time).

How to fix CVE-2025-68613?

1. PATCH IMMEDIATELY: Upgrade to n8n 1.120.4, 1.121.1, or 1.122.0. This is the only complete fix. 2. If patching is blocked: restrict workflow creation/editing to fully trusted users only and isolate n8n behind VPN or internal network — remove all public internet exposure. 3. Rotate all credentials stored in n8n (LLM API keys, database passwords, OAuth tokens, webhook secrets) regardless of whether compromise is confirmed. 4. Audit workflow modification history for unauthorized changes, particularly any new HTTP Request nodes, Execute Command nodes, or newly created credentials. 5. Deploy n8n in a hardened container with restricted OS privileges (non-root, read-only filesystem where possible, egress firewall rules). 6. Detection: Monitor for unusual n8n process spawning child processes (bash, sh, cmd), unexpected outbound connections from the n8n host, and new workflow creation by non-admin users. Alert on access to /etc/passwd, SSH key directories, or credential files from the n8n process. 7. Check n8n logs for expression payloads containing process execution patterns (child_process, exec, spawn, eval).

What systems are affected by CVE-2025-68613?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM integration platforms, RAG pipelines, AI workflow automation, model serving.

What is the CVSS score for CVE-2025-68613?

CVE-2025-68613 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 98.01%.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM integration platformsRAG pipelinesAI workflow automationmodel serving

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration
AML.T0105 Escape to Host
AML.T0108 AI Agent

Compliance Controls Affected

EU AI Act: Art. 15, Art. 9, Article 15, Article 9
ISO 42001: A.6.1.4, A.6.2, A.9.2, A.9.7
NIST AI RMF: GOVERN 1.2, GOVERN 6.1, MANAGE 2.2
OWASP LLM Top 10: LLM05:2025, LLM06, LLM06:2025, LLM08

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

Exploitation Scenario

Attacker obtains low-privilege n8n credentials via phishing, credential stuffing, or purchasing them on darknet markets (n8n is widely deployed as a SaaS-style internal tool). They create a new workflow containing a malicious expression — e.g., in a Function node or expression field — that abuses CWE-913 (improper control of dynamically-managed code resources) to break out of the expression sandbox and execute OS commands. With the privileges of the n8n process, they execute a reverse shell, establish persistence, and immediately target n8n's encrypted credential store. They exfiltrate all stored API keys (OpenAI, Anthropic, AWS, Slack, GitHub, etc.), then modify existing AI agent workflows to silently forward all processed data to an attacker-controlled endpoint. In the Zerobot campaign context, they also enroll the host in a botnet for cryptomining or DDoS operations. The entire attack chain from initial access to full AI pipeline compromise takes under 10 minutes.

Weaknesses (CWE)

CWE-913 Improper Control of Dynamically-Managed Code Resources Primary CWE-913 Improper Control of Dynamically-Managed Code Resources

CWE-913 — Improper Control of Dynamically-Managed Code Resources: The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

  • [Implementation] For any externally-influenced input, check the input against an allowlist of acceptable values.
  • [Implementation, Architecture and Design] Refactor the code so that it does not need to be dynamically managed.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
December 19, 2025
Last Modified
March 11, 2026
First Seen
December 19, 2025

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

View template on GitHub
nuclei -t http/cves/2025/CVE-2025-68613.yaml -u https://target.example.com

Related Vulnerabilities

CRITICAL CVE-2026-33663 10.0

n8n: member role steals plaintext HTTP credentials

Same package: n8n
CRITICAL CVE-2026-33660 10.0

TensorFlow: type confusion NPD in tensor conversion

Same package: n8n
CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same package: n8n
CRITICAL CVE-2026-27577 9.9

n8n: Code Injection enables RCE

Same package: n8n
CRITICAL CVE-2026-27494 9.9

n8n: security flaw enables exploitation

Same package: n8n
Back to Threat Feed