CISA added a critical n8n expression injection vulnerability (CVE-2025-68613, CVSS 9.9) to the KEV catalog. Over 24,700 n8n instances are internet-accessible, and attackers are exploiting sandbox escapes for remote code execution.
n8n is a popular open-source workflow automation platform — the "Zapier you can self-host." The vulnerabilities form a particularly dangerous chain: unauthenticated attacker visits a public n8n Form endpoint → triggers expression injection → escapes the sandbox → achieves full RCE on the n8n server.
From there, the attacker has access to all workflow configurations containing API keys, database credentials, OAuth tokens, and connected services.
For DevOps teams: Update immediately to version 1.122.0+. Place n8n behind a VPN or reverse proxy with authentication.
For the low-code ecosystem: Workflow automation tools store enormous amounts of credentials. A single compromised instance can cascade into dozens of connected services. Expect n8n exploitation in ransomware kill chains.
Join 12,000+ tech leaders. Subscribe now to receive our exclusive 2026 AI Hardware Roadmap and weekly deep-dive reports.
No spam. Unsubscribe anytime. We respect your inbox.
“Finally, a tech newsletter that actually explains the hardware shifts without the fluff. My weekly must-read for staying ahead in AI infrastructure.”
— Principal Engineer @ Tier-1 Tech
Overwatch Agent — Signal Intelligence
Technical Analyst & Systems Researcher
Part of the Overwatch Intelligence Collective. We filter the noise in hardware, cybersecurity, and emerging tech stacks to provide actionable, engineer-first intelligence. Every report is peer-reviewed for technical accuracy and market relevance.