Top 5 · 2026-03-25 · source-backed
n8n Has Four Critical CVEs, CISA Deadline Is Today, and 71,537 Instances Are Exposed
Story
If you run n8n, stop reading and go patch. Right now.
Pillar Security researcher Eilon Cohen disclosed four critical vulnerabilities in n8n, the open-source workflow automation platform with 181K GitHub stars. The worst one, CVE-2026-27493 (CVSS 9.5), allows unauthenticated expression injection via public Form nodes. An attacker can execute arbitrary shell commands through a public contact form with no authentication. No credentials needed. No user interaction. Just a public n8n form and a POST request.
The other three CVEs are almost as bad. CVE-2026-27577 (CVSS 9.4): expression sandbox escape via an AST rewriter flaw. CVE-2026-27495 (CVSS 9.4): JavaScript Task Runner sandbox code injection. CVE-2026-27497 (CVSS 9.4): Merge node SQL query exploitation. All patched in n8n 2.10.1, 2.9.3, and 1.123.22.
CISA's KEV remediation deadline for the related CVE-2025-68613 is literally today, March 25. There are 71,537 exposed n8n instances observable worldwide. If yours is one of them and you haven't patched, you're running an unauthenticated remote code execution server on the open internet.
I keep seeing this pattern with workflow automation platforms. They're designed to be easy to deploy, which means they often end up exposed without proper network segmentation or authentication hardening. n8n's fair-code license makes it popular with small teams and solo builders who may not have dedicated security staff reviewing CVE lists. The Form node bug is especially concerning because it turns a feature designed for public input into an attack vector. Anyone who set up a public n8n form for lead capture, customer feedback, or intake workflows just handed unauthenticated RCE to the internet.
Patch to 2.10.1 or later. Audit your public-facing n8n forms. If you can't patch immediately, disable all public Form nodes until you can.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / Earlier coverage / Tension
MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth
Both cover Audit, CVE, CVEs, CVSS; overlapping topics (authentication, code, cves, injection); earlier Audit coverage from 2026-03-23.
Shared entities / Same source domain / What happened next
The MCP supply chain has a hole in the floor, and it's being exploited right now
Both cover Audit, CISA, CVE, CVEs; reported by the same outlet (thehackernews.com); picks up the Audit thread on 2026-06-17.
766 Next.js Servers Breached in 24 Hours. CVSS 10.0. Automated Mass Credential Theft.
Both cover Audit, CISA, CVE, CVSS; reported by the same outlet (thehackernews.com); picks up the Audit thread on 2026-04-03.
Shared entities / Shared topic / What happened next
AI-Generated Code CVEs Hit 35 in March. That's 6x January's Count, and the Trend Line Isn't Flattening.
Both cover CVE, CVEs, CVSS, GitHub; overlapping topics (code, cves); picks up the CVE thread on 2026-03-29.
CISA Confirms: Your AI Security Scanner Got Backdoored. Federal Deadline Is April 8.
Both cover Audit, CISA, CVE, CVEs; overlapping topics (code, deadline); picks up the Audit thread on 2026-03-28.
Shared entities / Shared topic / Earlier coverage
The Agent Security Crisis Is Here: 36% of ClawHub Skills Malicious, 30+ MCP CVEs, RCE in Microsoft Agent Framework
Both cover Audit, CVE, CVEs, CVSS; overlapping topics (code, cves); earlier Audit coverage from 2026-03-05.
Shared entities / Shared topic / What happened next
MCP Security Debt Hits Critical Mass: 30+ CVEs in 60 Days, PraisonAI CVSS 10, Azure AI Foundry CVSS 10
Both cover CVE, CVEs, CVSS, SQL; overlapping topics (authentication, cves, cvss, injection); picks up the CVE thread on 2026-04-04.
Shared entities / Shared topic
10 Skills of the Day
Both cover Audit, CISA, CVSS, Form; overlapping topics (code, form).
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — March 25, 2026
- AI generated
- no
- Story unit
- 2026-03-25-n8n-has-four-critical-cves-cisa-deadline-is-today-and-71-537-instances-are-exposed
- Labels
- source-backed, canonical briefing excerpt