n8n automation platform under active exploitation (multiple RCEs)
Key Questions
What vulnerabilities are affecting the n8n automation platform?
Multiple high-severity remote code execution (RCE) vulnerabilities, including CVE-2025-68613 listed in CISA KEV and CVE-2026-25049 patch bypass, are impacting n8n. These flaws allow attackers to execute arbitrary code on vulnerable instances.
Is the n8n platform under active exploitation?
Yes, these vulnerabilities are actively exploited in the wild, with God Mode scanning detecting over 103,000 vulnerable instances. Proof-of-concept exploits are available, increasing the risk of phishing and other attacks.
What versions should n8n users patch to?
Users should immediately patch to n8n versions 1.123.17 or 2.5.2 and higher. Additionally, rotate credentials and disable unnecessary webhooks to mitigate risks.
How quickly are exploits developed for n8n vulnerabilities?
The zero-day clock has been reduced to hours through AI-assisted exploit development. Trends in 2026 show rapid exploit circulation, such as React2Shell PoC within 30 hours of disclosure.
What trends reinforce the urgency of patching n8n?
2026 exploit trends highlight vulnerability exploits dominating intrusions, with patching delays enabling widespread attacks. Active scanning and exploitation underscore the need for immediate action.
Multiple high-severity n8n RCEs (CVE-2025-68613 CISA KEV; CVE-2026-25049 patch bypass) actively exploited, God Mode scanning 103k vuln instances. ClickFix macOS phishing via fake n8n AI docs to AMOS stealer. Patch to 1.123.17/2.5.2+, credential rotation, webhook disables critical. Zero Day Clock to hours via AI.