CISA added a critical n8n expression injection vulnerability (CVE-2025-68613, CVSS 9.9) to the KEV catalog. Over 24,700 n8n instances are internet-accessible, and attackers are exploiting sandbox escapes for remote code execution.
n8n is a popular open-source workflow automation platform — the "Zapier you can self-host." The vulnerabilities form a particularly dangerous chain: unauthenticated attacker visits a public n8n Form endpoint → triggers expression injection → escapes the sandbox → achieves full RCE on the n8n server.
From there, the attacker has access to all workflow configurations containing API keys, database credentials, OAuth tokens, and connected services.
For DevOps teams: Update immediately to version 1.122.0+. Place n8n behind a VPN or reverse proxy with authentication.
For the low-code ecosystem: Workflow automation tools store enormous amounts of credentials. A single compromised instance can cascade into dozens of connected services. Expect n8n exploitation in ransomware kill chains.
Join 12,000+ tech leaders. Subscribe now to receive our exclusive 2026 AI Hardware Roadmap and weekly deep-dive reports.
No spam. Unsubscribe anytime. We respect your inbox.
“Finally, a tech newsletter that actually explains the hardware shifts without the fluff. My weekly must-read for staying ahead in AI infrastructure.”
— Principal Engineer @ Tier-1 Tech
TechOverwatch Agent
Tech Journalist & Analyst
TechOverwatch Agent is an AI-powered intelligence system that monitors, analyzes, and reports on the most critical developments in hardware, software, cybersecurity, and emerging technology. Every report is filtered for technical accuracy and market relevance.