{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/n8n/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["critical"],"_cs_tags":["rce","prototype pollution","n8n"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-42232, exists within the n8n workflow automation tool. This flaw allows an authenticated user, who possesses permissions to create or modify workflows, to achieve remote code execution (RCE). The attack vector involves exploiting global prototype pollution through the XML Node. Versions affected include those prior to 1.123.32, versions 2.17.0 up to but not including 2.17.4, and versions 2.18.0 up to but not including 2.18.1. Defenders should prioritize patching n8n instances due to the high potential for complete system compromise if exploited.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to an n8n instance with workflow creation/modification privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious workflow that leverages the XML Node to inject a payload designed to trigger prototype pollution.\u003c/li\u003e\n\u003cli\u003eThe crafted XML node manipulates global object prototypes within the n8n application.\u003c/li\u003e\n\u003cli\u003eThe attacker introduces a property into a global object prototype that can be exploited by another node.\u003c/li\u003e\n\u003cli\u003eThe attacker adds a secondary node (e.g., Function node) that leverages the polluted prototype property.\u003c/li\u003e\n\u003cli\u003eThe secondary node\u0026rsquo;s execution triggers the polluted prototype, leading to arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on 
the n8n server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control of the n8n server, potentially leading to data exfiltration, lateral movement, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the n8n server. This can lead to full system compromise, including data exfiltration, credential theft, and lateral movement within the network. Given the nature of n8n as an automation platform, successful attacks can severely impact connected systems and services. This vulnerability affects n8n users who have not upgraded to patched versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to version 1.123.32, 2.17.4, 2.18.1, or later to remediate CVE-2026-42232.\u003c/li\u003e\n\u003cli\u003eAs a temporary mitigation, limit workflow creation and editing permissions to only fully trusted users as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eAs a temporary mitigation, disable the XML node by adding \u003ccode\u003en8n-nodes-base.xml\u003c/code\u003e to the \u003ccode\u003eNODES_EXCLUDE\u003c/code\u003e environment variable as suggested in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T21:25:53Z","date_published":"2026-04-29T21:25:53Z","id":"/briefs/2024-01-n8n-rce/","summary":"A vulnerability in n8n allows authenticated users with workflow creation permissions to achieve remote code execution (RCE) through global prototype pollution via the XML Node in versions prior to 1.123.32, versions 2.17.0 to 2.17.4, and versions 2.18.0 to 2.18.1.","title":"n8n XML Node Prototype Pollution Leading to 
RCE","url":"https://feed.craftedsignal.io/briefs/2024-01-n8n-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["high"],"_cs_tags":["xss","oauth","n8n","CVE-2026-42235"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003en8n, a workflow automation platform, is susceptible to a cross-site scripting (XSS) vulnerability (CVE-2026-42235) related to the registration of malicious MCP OAuth clients. An unauthenticated attacker can register an OAuth client with a crafted \u003ccode\u003eclient_name\u003c/code\u003e containing malicious JavaScript. This vulnerability exists in versions prior to 2.14.2 and also affects versions 2.17.0 to 2.17.3 and 2.18.0. A successful exploit allows the attacker to execute arbitrary JavaScript within a victim\u0026rsquo;s authenticated n8n session, potentially leading to credential theft, session token theft, workflow manipulation, or privilege escalation. Defenders should prioritize patching to version 2.14.2 or later to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker registers a malicious MCP OAuth client with a crafted \u003ccode\u003eclient_name\u003c/code\u003e containing XSS payload.\u003c/li\u003e\n\u003cli\u003eA victim user navigates to the n8n instance and is presented with the malicious OAuth consent dialog.\u003c/li\u003e\n\u003cli\u003eThe victim user authorizes the malicious OAuth client, unknowingly injecting the attacker\u0026rsquo;s script into their session.\u003c/li\u003e\n\u003cli\u003eA second user, possibly an administrator, revokes the OAuth access granted to the malicious client.\u003c/li\u003e\n\u003cli\u003eThis revocation triggers a toast notification to the original victim user.\u003c/li\u003e\n\u003cli\u003eThe toast notification renders the attacker\u0026rsquo;s injected script from the crafted 
\u003ccode\u003eclient_name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim user clicks on the link within the toast notification.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript executes within the victim\u0026rsquo;s authenticated n8n browser session, enabling the attacker to perform malicious actions such as stealing credentials, manipulating workflows, or escalating privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability can lead to significant compromise of an n8n instance. Attackers can steal user credentials and session tokens, allowing them to impersonate legitimate users. Malicious actors could also modify or create workflows, leading to data breaches, system disruption, or unauthorized access. Privilege escalation is also possible, potentially granting attackers administrative control over the n8n platform. The number of potential victims depends on the exposure and user base of the vulnerable n8n instances.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to version 2.14.2 or later to patch CVE-2026-42235, as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious n8n MCP OAuth Client Registration\u003c/code\u003e to identify attempts to register OAuth clients with suspicious names.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not feasible, restrict access to the n8n instance and the MCP OAuth registration endpoint to trusted users only, as suggested in the advisory\u0026rsquo;s workaround.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T21:25:44Z","date_published":"2026-04-29T21:25:44Z","id":"/briefs/2026-05-n8n-xss-oauth/","summary":"n8n is vulnerable to cross-site scripting (XSS) via a malicious MCP OAuth client, allowing an unauthenticated attacker to inject arbitrary 
JavaScript into an authenticated user's session.","title":"n8n MCP OAuth Client XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-n8n-xss-oauth/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["critical"],"_cs_tags":["prototype-pollution","rce","n8n"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eA critical vulnerability exists within the n8n workflow automation platform, specifically affecting the parsing of XML request bodies in webhook handlers. This flaw stems from the use of the \u003ccode\u003exml2js\u003c/code\u003e library, which is susceptible to prototype pollution attacks. An authenticated user possessing the capability to create or modify workflows can leverage this vulnerability by sending a specially crafted XML payload. Successful exploitation results in the pollution of the JavaScript object prototype. Attackers can chain this pollution with the Git node\u0026rsquo;s SSH operations to achieve arbitrary remote code execution (RCE) on the underlying n8n host. 
The vulnerability affects n8n versions prior to 1.123.32, versions 2.17.0 to 2.17.3, and versions 2.18.0 to 2.18.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the n8n instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious XML payload designed to exploit the prototype pollution vulnerability in the \u003ccode\u003exml2js\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a workflow containing a webhook node configured to receive XML data.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted XML payload to the webhook endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003exml2js\u003c/code\u003e library parses the malicious XML, inadvertently polluting the JavaScript object prototype with attacker-controlled properties.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a Git node in the workflow.\u003c/li\u003e\n\u003cli\u003eThe polluted prototype modifies the behavior of the Git node\u0026rsquo;s SSH operations.\u003c/li\u003e\n\u003cli\u003eWhen the workflow executes, the Git node\u0026rsquo;s SSH operation is hijacked due to the prototype pollution, leading to arbitrary code execution on the n8n host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows a malicious actor to execute arbitrary code on the n8n server. This grants them complete control over the n8n instance and potentially the underlying infrastructure. The vulnerability impacts any n8n instance accessible to authenticated users who can create or modify workflows. 
The number of affected installations is unknown, but the potential impact is high due to the sensitive nature of workflows often managed by n8n, which can include access to other systems and data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to version 1.123.32, 2.17.4, 2.18.1, or later to patch the vulnerability as described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect n8n Prototype Pollution via Crafted XML Payload\u0026rdquo; to detect malicious XML payloads targeting the vulnerability. Enable webserver logs to activate this rule.\u003c/li\u003e\n\u003cli\u003eLimit workflow creation and editing permissions to trusted users to mitigate the risk of exploitation, as described in the workaround.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T21:25:02Z","date_published":"2026-04-29T21:25:02Z","id":"/briefs/2026-04-n8n-rce/","summary":"A prototype pollution vulnerability in n8n's XML webhook parser, exploitable by authenticated users, can lead to remote code execution on the n8n host.","title":"n8n Prototype Pollution in XML Webhook Body Parser Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-04-n8n-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.5,"id":"CVE-2026-39974"}],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["critical"],"_cs_tags":["n8n","vulnerability","sqli","xss","rce","session-hijacking"],"_cs_type":"advisory","_cs_vendors":["n8n"],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in n8n, a workflow automation tool. An attacker exploiting these vulnerabilities could achieve a range of malicious outcomes, including remote code execution, security bypass, information disclosure, SQL injection, denial-of-service, cross-site scripting (XSS), malicious redirection, and session hijacking. 
The vulnerabilities stem from insufficient input validation, insecure configurations, or design flaws within the n8n application. Successful exploitation can lead to complete compromise of the n8n instance and potentially the underlying system, depending on the permissions of the n8n process. This poses a significant risk to organizations relying on n8n for critical business processes. Defenders need to implement robust security measures to mitigate these risks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eGiven the broad range of potential vulnerabilities, a generalized attack chain is outlined below:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies a vulnerable n8n instance, potentially through Shodan or similar tools.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification:\u003c/strong\u003e The attacker probes the n8n instance to identify specific exploitable vulnerabilities, such as those related to SQL injection or XSS.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation (SQL Injection):\u003c/strong\u003e The attacker crafts malicious SQL queries through user input fields or API calls to extract sensitive data from the n8n database, such as user credentials or API keys.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation (XSS):\u003c/strong\u003e The attacker injects malicious JavaScript code into n8n workflows or data fields. 
When other users interact with the affected workflows or data, the JavaScript code executes in their browsers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation/Lateral Movement:\u003c/strong\u003e The attacker leverages the compromised credentials or XSS vulnerabilities to gain elevated privileges within the n8n instance or move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution:\u003c/strong\u003e The attacker exploits a vulnerability that allows for the execution of arbitrary code on the server. This could be achieved through insecure file uploads, deserialization flaws, or command injection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence by creating new n8n workflows or modifying existing ones to execute malicious code on a recurring basis.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker exfiltrates sensitive data, disrupts critical business processes by manipulating or deleting workflows, or uses the compromised system as a foothold for further attacks within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could result in significant damage, depending on the attacker\u0026rsquo;s objectives. The potential impact includes data breaches, financial losses, service disruptions, and reputational damage. If sensitive data is exfiltrated, it could be used for identity theft, fraud, or other malicious purposes. Disruption of critical workflows can lead to business downtime and lost productivity. 
The lack of specific victim counts or sector targeting in the source data makes it difficult to quantify the impact precisely, but the broad range of potential vulnerabilities and their potential consequences warrant immediate attention.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rules to detect potential exploitation attempts targeting n8n instances (see \u0026ldquo;Descriptive Detection Rule Name\u0026rdquo; in the \u003ccode\u003erules\u003c/code\u003e section).\u003c/li\u003e\n\u003cli\u003eConduct regular security audits and penetration testing of n8n instances to identify and remediate vulnerabilities before they can be exploited.\u003c/li\u003e\n\u003cli\u003eEnforce strict input validation and sanitization measures to prevent SQL injection and XSS attacks.\u003c/li\u003e\n\u003cli\u003eApply the principle of least privilege to limit the permissions of the n8n process and users.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity related to n8n instances, such as unusual API calls or connections to malicious domains.\u003c/li\u003e\n\u003cli\u003eRegularly review and update n8n workflows to ensure they are secure and do not contain any malicious code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T10:23:56Z","date_published":"2026-04-23T10:23:56Z","id":"/briefs/2026-04-n8n-multiple-vulnerabilities/","summary":"Multiple vulnerabilities in n8n can be exploited by an attacker to execute arbitrary code, bypass security measures, disclose sensitive information, conduct SQL injection attacks, cause denial-of-service, perform cross-site scripting, redirect users, or hijack sessions.","title":"Multiple Vulnerabilities in n8n Workflow Automation 
Tool","url":"https://feed.craftedsignal.io/briefs/2026-04-n8n-multiple-vulnerabilities/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["n8n","phishing","malware","workflow-automation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCisco Talos has observed a surge in the abuse of agentic AI workflow automation platforms, specifically n8n, in phishing campaigns between October 2025 and March 2026. Attackers are leveraging the trusted infrastructure of n8n to bypass traditional security filters and deliver malware or fingerprint devices. This involves embedding n8n webhook URLs in phishing emails, which redirect victims to malicious content served through the n8n platform. This technique effectively turns a productivity tool into a delivery mechanism for persistent remote access, highlighting the evolving tactics of threat actors exploiting legitimate services. Talos observed a 686% increase in emails containing n8n webhook URLs between January 2025 and March 2026, indicating the growing prevalence of this attack vector.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a phishing email containing a malicious link.\u003c/li\u003e\n\u003cli\u003eThe link is an n8n webhook URL pointing to a workflow controlled by the attacker on a subdomain of \u003ccode\u003etti.app.n8n[.]cloud\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim receives the email and clicks the embedded n8n webhook URL, believing it to be a legitimate service.\u003c/li\u003e\n\u003cli\u003eClicking the link redirects the victim\u0026rsquo;s browser to the n8n platform, which triggers the pre-configured workflow.\u003c/li\u003e\n\u003cli\u003eThe n8n workflow serves an HTML page containing a CAPTCHA to the victim\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eAfter the victim completes the CAPTCHA, the webpage presents a download 
button, concealing the true source of the payload.\u003c/li\u003e\n\u003cli\u003eClicking the download button initiates the download of a malicious executable (e.g., \u0026ldquo;DownloadedOneDriveDocument.exe\u0026rdquo;) from an external host.\u003c/li\u003e\n\u003cli\u003eThe executable installs a modified version of Datto RMM, establishes a connection to a relay on \u003ccode\u003ecentrastage[.]net\u003c/code\u003e, granting the attacker remote access and control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe abuse of n8n for malware delivery and device fingerprinting can lead to significant compromise of targeted systems. Successful exploitation allows attackers to gain remote access via tools like the modified Datto RMM, enabling them to steal sensitive data, deploy ransomware, or conduct further malicious activities within the compromised network. The rise in n8n webhook URL usage in phishing emails, with a 686% increase in volume from January 2025 to March 2026, indicates a potentially widespread impact across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor email traffic for URLs containing \u003ccode\u003etti.app.n8n[.]cloud\u003c/code\u003e and flag them as suspicious (IOC table).\u003c/li\u003e\n\u003cli\u003eImplement a detection rule to identify network connections to \u003ccode\u003ecentrastage[.]net\u003c/code\u003e initiated by unusual processes (Sigma rule below).\u003c/li\u003e\n\u003cli\u003eInspect process creation events for the execution of \u0026ldquo;DownloadedOneDriveDocument.exe\u0026rdquo; or similar filenames downloaded from n8n domains (Sigma rule below).\u003c/li\u003e\n\u003cli\u003eBlock the domains \u003ccode\u003etti.app.n8n[.]cloud\u003c/code\u003e and \u003ccode\u003ecentrastage[.]net\u003c/code\u003e at the DNS resolver (IOC 
table).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T10:03:05Z","date_published":"2026-04-15T10:03:05Z","id":"/briefs/2026-04-n8n-abuse/","summary":"Threat actors are abusing the n8n AI workflow automation platform to deliver malware and fingerprint devices via phishing campaigns, bypassing traditional security filters by leveraging trusted infrastructure.","title":"n8n AI Workflow Automation Platform Abused for Malware Delivery and Device Fingerprinting","url":"https://feed.craftedsignal.io/briefs/2026-04-n8n-abuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["n8n","vulnerability","rce","sqli","code-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple critical vulnerabilities have been discovered in n8n, an extendable, node-based workflow automation tool used for connecting SaaS applications and automating complex business logic. These vulnerabilities, identified as CVE-2026-33696, CVE-2026-33660, and CVE-2026-33713, can be exploited by authenticated users. Successful exploitation allows for remote code execution on the host system, reading sensitive local files, and performing unauthorized database operations. The vulnerabilities affect the XML, GSuiteAdmin, and Merge nodes, as well as the Data Table Get node. These flaws represent a critical threat to the confidentiality and integrity of n8n deployments. 
The Centre for Cybersecurity Belgium (CCB) strongly recommends immediate patching.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to an n8n instance.\u003c/li\u003e\n\u003cli\u003eFor CVE-2026-33696, the attacker crafts a malicious request targeting the XML or GSuiteAdmin node to write values to Object.prototype.\u003c/li\u003e\n\u003cli\u003eFor CVE-2026-33660, the attacker uses the Merge node with the \u0026ldquo;Combine by SQL\u0026rdquo; mode and exploits the AlaSQL sandbox escape to inject arbitrary code.\u003c/li\u003e\n\u003cli\u003eFor CVE-2026-33713, the attacker crafts a malicious SQL query via the Data Table Get node.\u003c/li\u003e\n\u003cli\u003eThe injected code or SQL commands are executed by the n8n server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to read sensitive files from the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the host, leading to full remote code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized operations in the database, potentially modifying or deleting data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows an attacker to gain full remote code execution on the n8n host system, potentially compromising the entire server infrastructure. The attacker can also read sensitive local files, potentially exposing credentials and configuration data. In PostgreSQL deployments, the attacker can modify and delete data due to multi-statement execution capabilities via SQL injection (CVE-2026-33713). 
This can lead to significant data loss and disruption of services relying on the n8n platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch n8n instances to the latest version to address CVE-2026-33696, CVE-2026-33660, and CVE-2026-33713 (reference: CCB advisory).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rules to detect potential exploitation attempts in your n8n environment.\u003c/li\u003e\n\u003cli\u003eMonitor n8n logs for suspicious SQL queries and code execution patterns, focusing on the Data Table Get and Merge nodes (reference: CVE-2026-33713 and CVE-2026-33660 descriptions).\u003c/li\u003e\n\u003cli\u003eReview n8n access controls and ensure the principle of least privilege to minimize the impact of potential exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-27T09:40:27Z","date_published":"2026-03-27T09:40:27Z","id":"/briefs/2026-03-n8n-vulns/","summary":"Multiple critical vulnerabilities in n8n, including prototype pollution, code injection, and SQL injection, allow authenticated users to achieve remote code execution, read sensitive files, and perform unauthorized database operations.","title":"Critical Vulnerabilities in n8n Workflow Automation Tool","url":"https://feed.craftedsignal.io/briefs/2026-03-n8n-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["n8n","prototype-pollution","rce"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical prototype pollution vulnerability (CVE-2026-33696) exists within the GSuiteAdmin node of n8n, a workflow automation platform. This flaw enables an authenticated user, possessing the ability to create or modify workflows, to inject arbitrary values into the \u003ccode\u003eObject.prototype\u003c/code\u003e. 
By crafting malicious parameters during node configuration, an attacker can effectively overwrite properties of the base JavaScript object. Successful exploitation leads to remote code execution (RCE) on the n8n instance, potentially compromising sensitive data and systems. The vulnerability affects n8n versions prior to 2.14.1, 2.13.3, and 1.123.27. Defenders should prioritize upgrading n8n instances to patched versions to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to an n8n instance with permissions to create or modify workflows.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious workflow that includes a GSuiteAdmin node.\u003c/li\u003e\n\u003cli\u003eWithin the GSuiteAdmin node\u0026rsquo;s configuration, the attacker injects a specially crafted parameter designed to trigger prototype pollution.\u003c/li\u003e\n\u003cli\u003eThe crafted parameter manipulates the \u003ccode\u003eObject.prototype\u003c/code\u003e by assigning attacker-controlled values.\u003c/li\u003e\n\u003cli\u003eThe n8n application processes the workflow, executing the GSuiteAdmin node with the polluted prototype.\u003c/li\u003e\n\u003cli\u003eThe prototype pollution leads to the execution of arbitrary code within the n8n instance\u0026rsquo;s context.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the n8n instance, enabling further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker can now use the compromised instance to access sensitive data, pivot to other systems, or deploy further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to achieve remote code execution on the n8n instance. This grants the attacker complete control over the application and the underlying server. 
Potential consequences include data theft, deployment of ransomware, lateral movement to other systems within the network, and disruption of critical business processes automated by n8n workflows. The number of affected organizations depends on the prevalence of vulnerable n8n instances.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to versions 2.14.1, 2.13.3, or 1.123.27 or later to patch CVE-2026-33696.\u003c/li\u003e\n\u003cli\u003eLimit workflow creation and editing permissions to fully trusted users only, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eDisable the XML node by adding \u003ccode\u003en8n-nodes-base.xml\u003c/code\u003e to the \u003ccode\u003eNODES_EXCLUDE\u003c/code\u003e environment variable, as described in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T16:41:01Z","date_published":"2026-03-26T16:41:01Z","id":"/briefs/2024-01-30-n8n-rce/","summary":"A prototype pollution vulnerability in the n8n GSuiteAdmin node allows authenticated users with workflow creation/modification permissions to achieve remote code execution (RCE) by injecting attacker-controlled values into `Object.prototype`.","title":"n8n Prototype Pollution Vulnerability Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-30-n8n-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["n8n","rce","alaqsl","injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical remote code execution vulnerability has been identified in n8n, a popular workflow automation tool. Specifically, the vulnerability resides within the Merge node\u0026rsquo;s \u0026ldquo;Combine by SQL\u0026rdquo; mode. Versions of n8n prior to 2.14.1, 2.13.3, and 1.123.27 are affected. 
An authenticated user with the ability to create or modify workflows can leverage the AlaSQL sandbox\u0026rsquo;s insufficient input sanitization to inject malicious SQL code. This allows the attacker to potentially read arbitrary local files from the n8n host or execute arbitrary commands, leading to full system compromise. This vulnerability poses a significant risk to organizations using n8n, as it allows attackers to gain unauthorized access and control over their systems and data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the n8n instance with a user account having workflow creation/modification permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies an existing workflow.\u003c/li\u003e\n\u003cli\u003eThe attacker adds a Merge node to the workflow and sets its mode to \u0026ldquo;Combine by SQL\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL query within the Merge node\u0026rsquo;s SQL configuration, taking advantage of insufficient input validation in the AlaSQL sandbox. 
The SQL query may attempt to read sensitive files from the file system, for example, \u003ccode\u003e/etc/passwd\u003c/code\u003e or application configuration files.\u003c/li\u003e\n\u003cli\u003eThe malicious SQL query executes when the workflow is triggered, potentially reading files from the n8n server.\u003c/li\u003e\n\u003cli\u003eAlternatively, the malicious SQL query could execute commands via the \u003ccode\u003eSYSTEM\u003c/code\u003e function or other methods available through AlaSQL, leading to remote code execution on the n8n host.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains control of the n8n process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised n8n instance to pivot to other systems on the network, steal sensitive data, or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the n8n server. This can lead to complete system compromise, including the ability to steal sensitive data, install malware, or disrupt services. The number of affected n8n instances is currently unknown, but given the popularity of the platform in various sectors, the potential impact is widespread. 
Organizations using vulnerable versions of n8n are at high risk of data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to version 2.14.1, 2.13.3, 1.123.27 or later to patch CVE-2026-33660.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, limit workflow creation and editing permissions to only fully trusted users as a short-term mitigation (reference Overview).\u003c/li\u003e\n\u003cli\u003eAs an alternative temporary workaround, disable the Merge node by adding \u003ccode\u003en8n-nodes-base.merge\u003c/code\u003e to the \u003ccode\u003eNODES_EXCLUDE\u003c/code\u003e environment variable (reference Overview).\u003c/li\u003e\n\u003cli\u003eMonitor n8n application logs for suspicious SQL queries or other anomalous activity originating from the Merge node (create custom detection logic based on observed AlaSQL activity).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T12:00:00Z","date_published":"2026-03-26T12:00:00Z","id":"/briefs/2026-03-n8n-rce/","summary":"An authenticated user with workflow creation/modification permissions can exploit insufficient restrictions in the n8n Merge node's AlaSQL sandbox to achieve remote code execution by reading local files or executing commands on the n8n host.","title":"n8n Merge Node AlaSQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-n8n-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["n8n","code-injection","sql-injection","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Centre for Cybersecurity Belgium (CCB) has issued a warning regarding critical vulnerabilities affecting n8n, a workflow automation platform. 
These vulnerabilities, identified as CVE-2026-27495, CVE-2026-27577, and CVE-2026-27497, impact n8n versions prior to 2.10.1, 2.9.3, and 1.123.22. Exploitation of these vulnerabilities allows authenticated users with permissions to create or modify workflows to execute arbitrary code or system commands on the host. N8n\u0026rsquo;s role in automating system workflows and its integration with AI capabilities make vulnerable instances prime targets for attackers aiming to gain control over interconnected systems. Successful exploitation can lead to complete system compromise, unauthorized actions, and significant impact on confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to an n8n instance. This requires valid user credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their permissions to create or modify workflows.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCVE-2026-27495:\u003c/strong\u003e The attacker crafts a malicious workflow that exploits a vulnerability in the JavaScript Task Runner sandbox to execute arbitrary code outside of the sandbox boundary, if the instance uses the internal Task Runner.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCVE-2026-27577:\u003c/strong\u003e The attacker crafts malicious expressions within workflow parameters to trigger unintended system command execution on the host.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCVE-2026-27497:\u003c/strong\u003e The attacker uses the Merge node\u0026rsquo;s SQL query mode with a malicious SQL query to execute arbitrary code and write arbitrary files on the host.\u003c/li\u003e\n\u003cli\u003eThe injected code or commands execute with the privileges of the n8n process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the n8n instance, potentially compromising sensitive data and system 
configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised n8n instance to target interconnected systems and automate malicious workflows, potentially leading to further compromise and data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to full compromise of the n8n instance. This allows attackers to execute arbitrary code, potentially leading to data breaches, system downtime, and unauthorized access to interconnected systems. Given n8n\u0026rsquo;s role in automating workflows across various platforms and services, a successful attack can have far-reaching consequences for organizations relying on the platform. The vulnerabilities affect the confidentiality, integrity, and availability of the system and associated data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all n8n instances to versions 2.10.1, 2.9.3, or 1.123.22 or later to remediate CVE-2026-27495, CVE-2026-27577, and CVE-2026-27497 (Affected software).\u003c/li\u003e\n\u003cli\u003eScale up monitoring and detection capabilities to identify any suspicious activity related to n8n workflows and system command execution, as recommended by the CCB (Recommended Actions).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and regularly review user permissions to limit the ability of potentially compromised accounts to create or modify workflows (Description).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-02-27T14:41:53Z","date_published":"2026-02-27T14:41:53Z","id":"/briefs/2026-02-n8n-vulns/","summary":"Multiple critical vulnerabilities in n8n versions prior to 2.10.1, 2.9.3, and 1.123.22 enable authenticated users to execute arbitrary code and system commands, potentially leading to full system compromise.","title":"Critical Vulnerabilities in n8n Workflow 
Automation Platform","url":"https://feed.craftedsignal.io/briefs/2026-02-n8n-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["high"],"_cs_tags":["credential-access","authorization-bypass","n8n"],"_cs_type":"advisory","_cs_vendors":["n8n"],"content_html":"\u003cp\u003eA credential authorization bypass vulnerability, identified as CVE-2026-42226, affects n8n versions prior to 2.18.0, specifically in the \u003ccode\u003edynamic-node-parameters\u003c/code\u003e endpoints. This flaw allows an authenticated user who has access to a shared workflow to exploit the system by supplying a credential ID belonging to another user in the request body. Due to insufficient validation, the n8n backend decrypts and utilizes the specified credential during a helper execution path where the caller controls the destination URL. This enables the malicious user to force the n8n instance to authenticate against attacker-controlled infrastructure using another user\u0026rsquo;s credentials, effectively exfiltrating a reusable API key. The vulnerability impacts any node that dynamically resolves credentials through the affected endpoints. 
The issue was patched in n8n version 2.18.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to an n8n instance.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains access to a shared workflow.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a credential ID belonging to another user within the n8n instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to a vulnerable \u003ccode\u003edynamic-node-parameters\u003c/code\u003e endpoint, injecting the foreign credential ID into the request body.\u003c/li\u003e\n\u003cli\u003eThe n8n backend, failing to validate the attacker\u0026rsquo;s authorization to use the specified credential, decrypts the targeted credential.\u003c/li\u003e\n\u003cli\u003eThe attacker controls the destination URL in the request, pointing it to attacker-controlled infrastructure.\u003c/li\u003e\n\u003cli\u003eThe n8n backend authenticates against the attacker-controlled infrastructure using the decrypted credential, sending the API key to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the API key and uses it to access resources or data accessible to the compromised credential.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-42226) allows an attacker to exfiltrate API keys belonging to other n8n users. This can lead to unauthorized access to external services and data, depending on the permissions granted to the compromised credentials. The impact is significant, potentially affecting all n8n instances running vulnerable versions (prior to 2.18.0). 
The severity is rated as high due to the ease of exploitation and the potential for significant data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to version 2.18.0 or later to patch the vulnerability (CVE-2026-42226).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect n8n Foreign Credential ID in dynamic-node-parameters\u003c/code\u003e to identify attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and limit workflow sharing to trusted users as a short-term mitigation, as suggested in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-n8n-credential-bypass/","summary":"A credential authorization bypass vulnerability in n8n versions before 2.18.0 allows an authenticated user with access to a shared workflow to supply a foreign credential ID, causing the backend to decrypt and use that credential against attacker-controlled infrastructure, leading to API key exfiltration.","title":"n8n Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay","url":"https://feed.craftedsignal.io/briefs/2024-01-03-n8n-credential-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","n8n"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003en8n, a workflow automation platform, is susceptible to a denial-of-service (DoS) vulnerability due to insufficient resource controls on the MCP OAuth client registration endpoint. This vulnerability, identified as CVE-2026-42236, allows an unauthenticated remote attacker to send large registration payloads to the server, potentially exhausting server memory resources. 
Even if the MCP is disabled via the enable/disable toggle, client registrations are still possible. The attack results in the n8n instance becoming unavailable, disrupting normal operations. The vulnerability affects n8n versions before 1.123.32, versions 2.0.0 to 2.17.4, and versions 2.18.0 to 2.18.1. Patches are available in n8n versions 1.123.32, 2.17.4, and 2.18.1 to address this issue by implementing an upper bound on registered clients and disabling client creation when MCP is disabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an n8n instance running a vulnerable version (e.g., \u0026lt; 1.123.32, 2.0.0 \u0026lt; x \u0026lt; 2.17.4, or 2.18.0 \u0026lt; x \u0026lt; 2.18.1).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated HTTP POST request to the MCP OAuth client registration endpoint. The exact URI path for this endpoint is not specified in the advisory, but it is related to MCP OAuth client registration.\u003c/li\u003e\n\u003cli\u003eThe POST request contains a large payload designed to consume significant server memory during processing.\u003c/li\u003e\n\u003cli\u003eThe n8n instance processes the registration request without proper resource limitations or input validation on the payload size.\u003c/li\u003e\n\u003cli\u003eThe server allocates memory to handle the large payload, potentially leading to memory exhaustion.\u003c/li\u003e\n\u003cli\u003eThe attacker sends multiple such requests in rapid succession, exacerbating the memory exhaustion issue.\u003c/li\u003e\n\u003cli\u003eThe n8n instance becomes unresponsive due to memory starvation, resulting in a denial of service.\u003c/li\u003e\n\u003cli\u003eLegitimate users are unable to access or use the n8n platform.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition, 
rendering the n8n instance unavailable to legitimate users. The advisory does not specify the number of victims or sectors targeted. However, any organization using a vulnerable version of n8n is at risk. If the attack succeeds, critical workflow automation processes managed by n8n will be interrupted, potentially leading to business disruptions and data loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to version 1.123.32, 2.17.4, or 2.18.1, or later to remediate the vulnerability as mentioned in the \u003cstrong\u003ePatches\u003c/strong\u003e section.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, restrict network access to the n8n instance to prevent requests from untrusted sources, as outlined in the \u003cstrong\u003eWorkarounds\u003c/strong\u003e section.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, reduce the maximum accepted payload size by lowering the \u003ccode\u003eN8N_PAYLOAD_SIZE_MAX\u003c/code\u003e environment variable as described in the \u003cstrong\u003eWorkarounds\u003c/strong\u003e section.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual POST requests to the MCP OAuth client registration endpoint (path not specified in advisory) that may indicate exploitation attempts. 
Create detection rules for this activity on \u003cstrong\u003ewebserver\u003c/strong\u003e logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-n8n-dos/","summary":"n8n is vulnerable to an unauthenticated denial of service (DoS) attack due to missing resource controls in the MCP OAuth client registration endpoint, allowing an attacker to exhaust server memory by sending large registration payloads, leading to service unavailability; this is resolved in versions 1.123.32, 2.17.4, and 2.18.1 and tracked as CVE-2026-42236.","title":"n8n Unauthenticated Denial of Service via MCP Client Registration","url":"https://feed.craftedsignal.io/briefs/2024-01-n8n-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — N8n","version":"https://jsonfeed.org/version/1.1"}