← The Wire

Top 5 · 2026-03-25 · source-backed

n8n Has Four Critical CVEs, CISA Deadline Is Today, and 71,537 Instances Are Exposed

Confidence
source-backed
Sources
1
Redaction
redacted

Story

If you run n8n, stop reading and go patch. Right now.

Pillar Security researcher Eilon Cohen disclosed four critical vulnerabilities in n8n, the open-source workflow automation platform with 181K GitHub stars. The worst one, CVE-2026-27493 (CVSS 9.5), allows unauthenticated expression injection via public Form nodes. An attacker can execute arbitrary shell commands through a public contact form with no authentication. No credentials needed. No user interaction. Just a public n8n form and a POST request.

The other three CVEs are almost as bad. CVE-2026-27577 (CVSS 9.4): expression sandbox escape via an AST rewriter flaw. CVE-2026-27495 (CVSS 9.4): JavaScript Task Runner sandbox code injection. CVE-2026-27497 (CVSS 9.4): Merge node SQL query exploitation. All patched in n8n 2.10.1, 2.9.3, and 1.123.22.

CISA's KEV remediation deadline for the related CVE-2025-68613 is literally today, March 25. There are 71,537 exposed n8n instances observable worldwide. If yours is one of them and you haven't patched, you're running an unauthenticated remote code execution server on the open internet.

I keep seeing this pattern with workflow automation platforms. They're designed to be easy to deploy, which means they often end up exposed without proper network segmentation or authentication hardening. n8n's fair-code license makes it popular with small teams and solo builders who may not have dedicated security staff reviewing CVE lists. The Form node bug is especially concerning because it turns a feature designed for public input into an attack vector. Anyone who set up a public n8n form for lead capture, customer feedback, or intake workflows just handed unauthenticated RCE to the internet.

Patch to 2.10.1 or later. Audit your public-facing n8n forms. If you can't patch immediately, disable all public Form nodes until you can.


Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Shared topic / Earlier coverage / Tension

    MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth

    Both cover Audit, CVE, CVEs, CVSS; overlapping topics (authentication, code, cves, injection); earlier Audit coverage from 2026-03-23.

  2. Shared entities / Same source domain / What happened next

    The MCP supply chain has a hole in the floor, and it's being exploited right now

    Both cover Audit, CISA, CVE, CVEs; reported by the same outlet (thehackernews.com); picks up the Audit thread on 2026-06-17.

  3. 766 Next.js Servers Breached in 24 Hours. CVSS 10.0. Automated Mass Credential Theft.

    Both cover Audit, CISA, CVE, CVSS; reported by the same outlet (thehackernews.com); picks up the Audit thread on 2026-04-03.

  4. Shared entities / Shared topic / What happened next

    AI-Generated Code CVEs Hit 35 in March. That's 6x January's Count, and the Trend Line Isn't Flattening.

    Both cover CVE, CVEs, CVSS, GitHub; overlapping topics (code, cves); picks up the CVE thread on 2026-03-29.

  5. CISA Confirms: Your AI Security Scanner Got Backdoored. Federal Deadline Is April 8.

    Both cover Audit, CISA, CVE, CVEs; overlapping topics (code, deadline); picks up the Audit thread on 2026-03-28.

  6. Shared entities / Shared topic / Earlier coverage

    The Agent Security Crisis Is Here: 36% of ClawHub Skills Malicious, 30+ MCP CVEs, RCE in Microsoft Agent Framework

    Both cover Audit, CVE, CVEs, CVSS; overlapping topics (code, cves); earlier Audit coverage from 2026-03-05.

  7. Shared entities / Shared topic / What happened next

    MCP Security Debt Hits Critical Mass: 30+ CVEs in 60 Days, PraisonAI CVSS 10, Azure AI Foundry CVSS 10

    Both cover CVE, CVEs, CVSS, SQL; overlapping topics (authentication, cves, cvss, injection); picks up the CVE thread on 2026-04-04.

  8. Shared entities / Shared topic

    10 Skills of the Day

    Both cover Audit, CISA, CVSS, Form; overlapping topics (code, form).

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-03-25-n8n-has-four-critical-cves-cisa-deadline-is-today-and-71-537-instances-are-exposed
Labels
source-backed, canonical briefing excerpt