
On March 11, 2026, CISA added CVE-2025-68613 to its Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability affects n8n (pronounced en-eight-en), a workflow automation platform, and requires authentication. That requirement alone is enough for many to dismiss the issue. Doing so would be a mistake because the KEV entry lacks important context.
There is an authentication bypass. CVE-2025-68613 can be paired with CVE-2026-21858 to achieve unauthenticated remote code execution, as demonstrated in a public proof of concept developed by our prolific friend Chocapikk. These vulnerabilities can be combined across versions from 1.65.0 (October 2024) through 1.121.0 (November 2025), significantly expanding the pool of exploitable targets.
If CVE-2025-68613, a vulnerability that nominally requires authentication, is being exploited in the wild, it is reasonable to assume it is being paired with CVE-2026-21858, which removes that barrier entirely. This is not just missing context in CISA KEV; it points to a second vulnerability that likely deserves its own KEV entry.
We don’t have to assume this chaining is happening. There is clear evidence that CVE-2026-21858 is being exploited in the wild. VulnCheck Canary Intelligence has observed exploitation against n8n canaries, with particularly high volume from 185.177.72.30. Shadowserver and GreyNoise report consistent daily exploitation attempts, and honeypot observations, including from Beelzebub, further confirm in-the-wild activity. Public proof-of-concepts and blog posts demonstrate how the vulnerability can be used in practice.
This activity led to CVE-2026-21858 being added to the VulnCheck KEV on January 9, 2026. In other words, the capability needed to turn CVE-2025-68613 into unauthenticated RCE was already being actively exploited when the CISA KEV entry was created.
The CISA KEV entry also fails to provide context on who is conducting the exploitation. Reporting has linked exploitation of CVE-2025-68613 to MuddyWater (also known as Static Kitten, G0069, and Mango Sandstorm), an Iranian state-sponsored group known for exploiting a wide range of vulnerabilities across internet-facing systems.
Notably, the activity described involves scanning for and exploiting multiple CVEs at scale. In that context, it is unclear how a requirement for valid authentication would be reliably satisfied. This further supports the case that CVE-2025-68613 is unlikely to be exploited as a strictly authenticated vulnerability and that related issues enabling unauthenticated access warrant separate consideration in KEV.
It’s also worth noting that if attackers are using valid credentials to exploit CVE-2025-68613, they would benefit from the fact that the initial patch was bypassed and later addressed as CVE-2026-25049. As shown by Fatih Celik, the original issue can be bypassed in multiple ways, which attackers would likely continue to leverage where possible.
Additionally, CVE-2026-21858 is not limited to pairing with CVE-2025-68613. Other post-authentication vulnerabilities, including CVE-2026-1470, CVE-2026-0863, and CVE-2026-21877, provide additional paths to exploitation once access is obtained.
The common denominator across these scenarios is the ability to bypass authentication entirely. That capability, not any single post-authentication issue, is what should be represented in CISA KEV.
Defenders often deprioritize authenticated issues, yet our Target Intelligence has scanned the internet and identified over 14,000 exposed endpoints still vulnerable to CVE-2025-68613. With the availability of authentication bypasses and evidence that APT groups like MuddyWater are actively exploiting these systems, patching should be treated as urgent, not optional.
Exposure spans 96 countries, with the majority concentrated in the United States.
[Figure: Top n8n Installs By Country (March 17, 2026)]
Exposed versions are similarly widespread, though many deployments remain on versions released around 1.110.
[Figure: Top n8n Versions in the Wild (March 17, 2026)]
In other words, this is not a niche issue. It is a widely exposed and actively exploited attack surface. That reality is not reflected in CISA KEV, but it is captured in VulnCheck KEV. At a minimum, the authentication bypass enabling these attack paths warrants its own KEV entry.
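A triage sketch for the argument above, added here as an example and not VulnCheck's or n8n's code: it ranks inventoried n8n instances by whether their version falls in the 1.65.0 through 1.121.0 chain range stated earlier and whether they are internet-facing. Treating that range as inclusive is an assumption, and the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import NamedTuple

# Chain range as stated in the article (1.65.0 through 1.121.0).
# Treating both ends as inclusive is an assumption of this example.
CHAIN_MIN = (1, 65, 0)
CHAIN_MAX = (1, 121, 0)
ORDER = {"urgent": 0, "high": 1, "unknown-version": 2, "outside-chain-range": 3}


class Instance(NamedTuple):
    host: str
    version: str
    internet_facing: bool


def parse_version(text):
    """Return (major, minor, patch), or None if the string is not a semver."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def triage(inst):
    """Rank one instance; the auth requirement is not a mitigating factor."""
    ver = parse_version(inst.version)
    if ver is None:
        return "unknown-version"       # cannot rule the chain out; verify by hand
    if not (CHAIN_MIN <= ver <= CHAIN_MAX):
        return "outside-chain-range"   # still check each CVE's own advisory
    return "urgent" if inst.internet_facing else "high"


def triage_inventory(instances):
    """Return (rank, host, version) rows, most urgent first."""
    rows = [(triage(i), i.host, i.version) for i in instances]
    return sorted(rows, key=lambda r: (ORDER[r[0]], r[1]))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    Instance("n8n-edge.example.internal", "1.110.1", True),
    Instance("n8n-lab.example.internal", "v1.65.0", False),
    Instance("n8n-new.example.internal", "1.122.0", True),
    Instance("n8n-old.example.internal", "latest", True),
]

if __name__ == "__main__":
    for rank, host, version in triage_inventory(SAMPLE):
        print(f"{rank:20} {host:28} {version}")
```

An instance reported as outside the range is not thereby patched against the individual CVEs; the script only answers whether the unauthenticated chain described here applies.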
VulnCheck’s research team tracks real-world exploitation, attacker infrastructure, and exploit workflows using our Canary Intelligence, Exploit & Vulnerability Intelligence (EVI), and IP Intelligence datasets. For more research like this, check out our blogs: Frost Checks First, The Mystery OAST Host Behind a Regionally Focused Exploit Operation, and XWiki Under Increased Attack.
