Let's be direct about what happened here.
On March 12, CISA added two critical n8n vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-68613 carries a CVSS score of 9.9. Its companion, CVE-2026-21858, nicknamed "ni8mare", scores a perfect 10.0. Both allow unauthenticated remote code execution: no login required, no prior foothold needed.
There are currently 24,700+ n8n instances reachable from the public internet.
The typical RCE narrative goes: patch fast, rotate secrets, move on. But n8n isn't a typical target. Your n8n instance is your agent. It's not just a server; it's the orchestration layer that holds your OpenAI API keys, your Slack tokens, your database credentials, your webhook logic, your automation triggers. It's the thing that reaches into other systems on your behalf, every minute of every day.
Compromising n8n doesn't mean getting a shell. It means getting a shell inside your agent's brain, with access to everything your agent can touch, every integration it manages, every workflow it runs. The stored credentials are encrypted at rest, but the key that decrypts them (N8N_ENCRYPTION_KEY, or the auto-generated key in the instance's config file) lives on the same host, so code execution there yields every one of them in plaintext.
This is the threat model that matters for agentic systems: the attack surface isn't just the AI model or the data. It's the infrastructure layer: the orchestrators, the routers, the automation runtimes. n8n is one of the most widely deployed of these. And it just landed in the KEV catalog under active exploitation, with a CVSS 10.0 entry.
If you're running n8n and it's internet-facing, that's a problem today. Patch to the latest version immediately. If you can't patch, pull it off the public internet: the editor UI and REST API have no business being reachable by the world anyway, and if third parties need to hit your webhooks, expose only the webhook paths through a reverse proxy. Patching closes the door but doesn't tell you whether someone already walked through it, so treat every credential the instance holds as exposed and rotate it, and check the execution log for workflow runs you didn't trigger. This isn't wait-and-see territory: CISA doesn't add entries to KEV until there's evidence of active exploitation.
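A small triage script for the steps above, added here as an example and not code from the original post or from the n8n project. It compares a running version against a patch floor, groups an exported credential list by type so each owning team gets one rotation list, and emits an ordered action list. Assumptions not taken from the page: the version floor you pass in must come from the vendor advisory for these CVEs (the `1.119.0` used below is a placeholder, not the real fixed version); the export shape mirrors what `n8n export:credentials --all` writes (a JSON array of objects with `id`, `name` and `type`), and the sample export is constructed.

```python
"""Post-KEV triage helper for a self-hosted n8n instance.

Added example, not from the original post or the n8n project.
Assumptions: the version floor comes from the vendor advisory (the value
used in the usage below is a placeholder); the credential export is a
JSON array of objects carrying "id", "name" and "type", as
`n8n export:credentials --all` is assumed to produce. Sample data is
constructed.
"""
import json
import re
from collections import defaultdict

# Constructed sample standing in for `n8n export:credentials --all` output.
# Only the fields this script reads are included; secret material is omitted.
SAMPLE_EXPORT = json.dumps([
    {"id": "1", "name": "OpenAI prod", "type": "openAiApi"},
    {"id": "2", "name": "Slack bot", "type": "slackApi"},
    {"id": "3", "name": "Slack alerts", "type": "slackApi"},
    {"id": "4", "name": "Postgres analytics", "type": "postgres"},
])


def parse_version(s):
    """Turn '1.118.2' (optionally with a suffix such as '-rc1') into a comparable tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(running, floor):
    """True when the running version is at or above the advisory's fixed version."""
    return parse_version(running) >= parse_version(floor)


def credential_inventory(export_json):
    """Group credential names by type; one list per type for the team that owns it."""
    inv = defaultdict(list)
    for cred in json.loads(export_json):
        inv[cred["type"]].append(cred["name"])
    return {t: sorted(names) for t, names in sorted(inv.items())}


def triage(running, floor, internet_facing, export_json):
    """Return the ordered action list for this instance.

    Rotation is listed whenever the instance is either still vulnerable or
    was reachable from the internet: RCE on the n8n host exposes the whole
    credential store, so patching alone does not undo what may already
    have been read. Tighten the condition if you can prove it was never
    exposed while vulnerable.
    """
    actions = []
    patched = is_patched(running, floor)
    if not patched:
        actions.append(f"upgrade n8n {running} -> >= {floor}")
        if internet_facing:
            actions.append("remove from public internet until upgraded")
    if internet_facing or not patched:
        for ctype, names in credential_inventory(export_json).items():
            actions.append(f"rotate {ctype}: {', '.join(names)}")
        actions.append("review execution history for runs you did not trigger")
    return actions


if __name__ == "__main__":
    # Placeholder floor; replace with the fixed version from the advisory.
    for step in triage("1.100.0", "1.119.0", True, SAMPLE_EXPORT):
        print(step)
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file written by `n8n export:credentials --all --output=creds.json` (do not pass `--decrypted`; the script only needs names and types) and the version string from the instance's `/healthz` or `n8n --version` output.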
The broader lesson: when you build agentic infrastructure, every component in the orchestration chain is a trust anchor. Treat it accordingly.
