{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/n8n/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["n8n-mcp (\u003e= 2.47.4, \u003c 2.47.14)"],"_cs_severities":["high"],"_cs_tags":["ssrf","cwe-918","n8n-mcp"],"_cs_type":"advisory","_cs_vendors":["n8n"],"content_html":"\u003cp\u003eThe n8n-mcp library, when embedded as an SDK, contains a server-side request forgery (SSRF) vulnerability. The flaw is in \u003ccode\u003eSSRFProtection.validateUrlSync()\u003c/code\u003e, the synchronous URL validator that the \u003ccode\u003eN8NDocumentationMCPServer\u003c/code\u003e constructor, \u003ccode\u003egetN8nApiClient()\u003c/code\u003e, and \u003ccode\u003evalidateInstanceContext()\u003c/code\u003e rely on. This validator has no IPv6 checks, so an IPv4-mapped IPv6 literal (e.g., \u003ccode\u003ehttp://[::ffff:169.254.169.254]\u003c/code\u003e) bypasses the existing protections against cloud metadata, localhost, and private IP ranges. An attacker who controls the \u003ccode\u003en8nApiUrl\u003c/code\u003e parameter can therefore make the server issue HTTP requests to internal or external services of their choosing. This issue affects deployments embedding n8n-mcp as an SDK using \u003ccode\u003eN8NDocumentationMCPServer\u003c/code\u003e or \u003ccode\u003eN8NMCPEngine\u003c/code\u003e with user-supplied \u003ccode\u003eInstanceContext\u003c/code\u003e on versions v2.47.4 through v2.47.13.
Version v2.47.14 and later contain the patch for this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable n8n-mcp deployment embedding the SDK and accepting a user-supplied \u003ccode\u003eInstanceContext\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003en8nApiUrl\u003c/code\u003e whose host is an IPv4-mapped IPv6 literal, such as \u003ccode\u003ehttp://[::ffff:169.254.169.254]\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker supplies the crafted \u003ccode\u003en8nApiUrl\u003c/code\u003e to the vulnerable \u003ccode\u003eN8NDocumentationMCPServer\u003c/code\u003e constructor or \u003ccode\u003egetN8nApiClient()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003evalidateInstanceContext()\u003c/code\u003e calls \u003ccode\u003eSSRFProtection.validateUrlSync()\u003c/code\u003e to validate the URL.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003evalidateUrlSync()\u003c/code\u003e only inspects IPv4 forms, so the IPv4-mapped IPv6 literal passes even though the embedded address is the link-local metadata endpoint.\u003c/li\u003e\n\u003cli\u003eThe server issues an HTTP request to the attacker-specified target using the accepted URL.\u003c/li\u003e\n\u003cli\u003eBecause the client treats that URL as the n8n API base, it attaches the configured \u003ccode\u003ex-n8n-api-key\u003c/code\u003e header to the request; if the target is attacker-controlled, the key is captured.\u003c/li\u003e\n\u003cli\u003eThe response body from the target is returned to the attacker, exposing data from internal services or cloud metadata endpoints.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability lets an attacker read, through the server, from cloud metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), RFC1918 private networks, or localhost services.
The attacker can also obtain the \u003ccode\u003en8nApiKey\u003c/code\u003e, which is sent in the \u003ccode\u003ex-n8n-api-key\u003c/code\u003e header, potentially leading to further compromise of the n8n instance. This vulnerability affects deployments embedding n8n-mcp as an SDK on versions v2.47.4 through v2.47.13.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n-mcp to version v2.47.14 or later to patch the vulnerability as described in the advisory.\u003c/li\u003e\n\u003cli\u003eUntil patched, do not accept \u003ccode\u003en8nApiUrl\u003c/code\u003e from untrusted callers; only deployments that build \u003ccode\u003eInstanceContext\u003c/code\u003e from user input are exposed.\u003c/li\u003e\n\u003cli\u003eImplement a network-level block on outbound traffic from the n8n-mcp process to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local \u003ccode\u003e169.254.0.0/16\u003c/code\u003e, and cloud metadata endpoints as a defense-in-depth measure. A connection to an IPv4-mapped address leaves the host as ordinary IPv4, so the IPv4 block still applies on the wire; extend it to IPv6 loopback \u003ccode\u003e::1\u003c/code\u003e, link-local \u003ccode\u003efe80::/10\u003c/code\u003e, and any native IPv6 metadata endpoint the cloud provides, and make host-level egress filters that inspect the socket destination match the \u003ccode\u003e::ffff:0:0/96\u003c/code\u003e form as well.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect N8N MCP SSRF Attempt via IPv6 Bypass\u003c/code\u003e to identify exploitation attempts by detecting outbound connections to internal IPs expressed as IPv4-mapped IPv6 addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T18:12:54Z","date_published":"2026-04-30T18:12:54Z","id":"/briefs/2026-04-n8n-mcp-ssrf/","summary":"The n8n-mcp SDK embedder path is vulnerable to server-side request forgery (SSRF) due to the synchronous URL validator in `SSRFProtection.validateUrlSync()` not checking for IPv6 addresses, allowing attackers to access cloud metadata endpoints, RFC1918 private networks, or localhost services by supplying a crafted `n8nApiUrl`.","title":"n8n-mcp SDK Embedder SSRF Vulnerability via IPv6 Bypass","url":"https://feed.craftedsignal.io/briefs/2026-04-n8n-mcp-ssrf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["high"],"_cs_tags":["sandbox-escape","code-execution","vulnerability"],"_cs_type":"advisory","_cs_vendors":["n8n"],"content_html":"\u003cp\u003eA sandbox escape vulnerability has been identified
in the Python Task Runner of n8n, a workflow automation platform. This vulnerability, assigned CVE-2026-42234, allows an authenticated user who has permission to create or modify workflows containing a Python Code node to escape the sandbox. Successful exploitation leads to arbitrary code execution within the task runner container. Only n8n instances with the Python Task Runner enabled are affected. Affected versions are n8n prior to 1.123.32, the 2.17 series prior to 2.17.4, and the 2.18 series prior to 2.18.1; the fixed releases are 1.123.32, 2.17.4, and 2.18.1. Defenders should prioritize patching or applying the workarounds below.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to an n8n instance with rights to create or edit workflows.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the Python Task Runner is enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies an n8n workflow.\u003c/li\u003e\n\u003cli\u003eThe workflow includes a Python Code node.\u003c/li\u003e\n\u003cli\u003eThe attacker writes Python code that abuses a weakness in the sandbox implementation (the advisory does not publish the technique) to run commands outside the restricted environment.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the workflow execution.\u003c/li\u003e\n\u003cli\u003eThe malicious Python code executes and escapes the sandbox.\u003c/li\u003e\n\u003cli\u003eArbitrary code runs in the task runner container, potentially leading to compromise of the n8n instance or the underlying infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code within the n8n task runner container.
How far that reaches depends on how the runner container is isolated from the main n8n process, its secrets, and the network; at worst it leads to full compromise of the n8n instance, letting the attacker steal sensitive data, disrupt services, or pivot to other systems. While the exact number of affected instances is unknown, any n8n deployment running a vulnerable version with the Python Task Runner enabled is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to 1.123.32, 2.17.4, or 2.18.1 (or later in the respective series) to remediate the vulnerability as recommended by the vendor.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, limit workflow creation and editing permissions to fully trusted users only, as mentioned in the advisory.\u003c/li\u003e\n\u003cli\u003eAs a temporary measure, disable the Code node by adding \u003ccode\u003en8n-nodes-base.code\u003c/code\u003e to the \u003ccode\u003eNODES_EXCLUDE\u003c/code\u003e environment variable (this removes the whole node, JavaScript mode included, so workflows that depend on it will stop working), or disable the Python Task Runner entirely as documented in the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor container execution for unexpected processes spawned from the n8n task runner container using the \u0026ldquo;Detect Suspicious Process Execution from n8n Task Runner\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T21:21:50Z","date_published":"2026-04-29T21:21:50Z","id":"/briefs/2026-04-n8n-python-sandbox-escape/","summary":"A sandbox escape vulnerability exists in n8n's Python Task Runner that allows an authenticated user with workflow creation/modification permissions to achieve arbitrary code execution on the task runner container, impacting n8n instances with the Python Task Runner enabled; upgrade to versions 1.123.32, 2.17.4, 2.18.1 or later to remediate the vulnerability.","title":"n8n Python Task Runner Sandbox Escape
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-n8n-python-sandbox-escape/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.5,"id":"CVE-2026-39974"}],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["critical"],"_cs_tags":["n8n","vulnerability","sqli","xss","rce","session-hijacking"],"_cs_type":"advisory","_cs_vendors":["n8n"],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in n8n, a workflow automation tool. An attacker exploiting these vulnerabilities could achieve a range of malicious outcomes, including remote code execution, security bypass, information disclosure, SQL injection, denial-of-service, cross-site scripting (XSS), malicious redirection, and session hijacking. The vulnerabilities stem from insufficient input validation, insecure configurations, or design flaws within the n8n application. Successful exploitation can lead to complete compromise of the n8n instance and potentially the underlying system, depending on the permissions of the n8n process. This poses a significant risk to organizations relying on n8n for critical business processes. 
Defenders should apply the vendor\u0026rsquo;s fixes for CVE-2026-39974 together with the mitigations below.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eBecause the source does not document a specific exploitation path, the chain below is generalized across the vulnerability classes listed:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies an exposed n8n instance, potentially through Shodan or similar tools.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification:\u003c/strong\u003e The attacker probes the n8n instance for specific exploitable weaknesses, such as SQL injection or XSS.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation (SQL Injection):\u003c/strong\u003e The attacker injects crafted SQL through user input fields or API calls to extract sensitive data from the n8n database, such as user credentials or API keys.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation (XSS):\u003c/strong\u003e The attacker injects malicious JavaScript into n8n workflows or data fields. When other users open the affected workflows or data, the script runs in their browsers with their session.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation/Lateral Movement:\u003c/strong\u003e The attacker leverages the stolen credentials or hijacked sessions to gain elevated privileges within the n8n instance or to move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution:\u003c/strong\u003e The attacker exploits a vulnerability that allows execution of arbitrary code on the server.
The advisory does not identify the vector; insecure file handling, deserialization flaws, and command injection are the usual candidates in this class.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence by creating new n8n workflows or modifying existing ones so that malicious code runs on a schedule or trigger.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker exfiltrates sensitive data, disrupts critical business processes by manipulating or deleting workflows, or uses the compromised system as a foothold for further attacks within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could result in significant damage, depending on the attacker\u0026rsquo;s objectives. The potential impact includes data breaches, financial losses, service disruptions, and reputational damage. If sensitive data is exfiltrated, it could be used for identity theft, fraud, or other malicious purposes. Disruption of critical workflows can lead to business downtime and lost productivity.
The lack of specific victim counts or sector targeting in the source data makes it difficult to quantify the impact precisely, but the breadth of the vulnerability classes and their potential consequences warrant immediate attention.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to the current vendor release that addresses CVE-2026-39974; patching closes the vulnerability classes themselves, whereas the remaining items only reduce exposure.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rules that accompany this brief (listed in its \u003ccode\u003erules\u003c/code\u003e section) to detect potential exploitation attempts targeting n8n instances.\u003c/li\u003e\n\u003cli\u003eConduct regular security audits and penetration testing of n8n instances to identify and remediate vulnerabilities before they can be exploited.\u003c/li\u003e\n\u003cli\u003eValidate and sanitize data entering n8n through webhooks, forms, and the API at the workflow level, and front the instance with a reverse proxy or WAF that filters obvious SQL injection and XSS payloads.\u003c/li\u003e\n\u003cli\u003eApply the principle of least privilege to limit the permissions of the n8n process and its users.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity related to n8n instances, such as unusual API calls or connections to malicious domains.\u003c/li\u003e\n\u003cli\u003eRegularly review and update n8n workflows to ensure they are secure and do not contain any malicious code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T10:23:56Z","date_published":"2026-04-23T10:23:56Z","id":"/briefs/2026-04-n8n-multiple-vulnerabilities/","summary":"Multiple vulnerabilities in n8n can be exploited by an attacker to execute arbitrary code, bypass security measures, disclose sensitive information, conduct SQL injection attacks, cause denial-of-service, perform cross-site scripting, redirect users, or hijack sessions.","title":"Multiple Vulnerabilities in n8n Workflow Automation
Tool","url":"https://feed.craftedsignal.io/briefs/2026-04-n8n-multiple-vulnerabilities/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["high"],"_cs_tags":["credential-access","authorization-bypass","n8n"],"_cs_type":"advisory","_cs_vendors":["n8n"],"content_html":"\u003cp\u003eA credential authorization bypass vulnerability, identified as CVE-2026-42226, affects n8n versions prior to 2.18.0, specifically in the \u003ccode\u003edynamic-node-parameters\u003c/code\u003e endpoints. This flaw allows an authenticated user who has access to a shared workflow to exploit the system by supplying a credential ID belonging to another user in the request body. Due to insufficient validation, the n8n backend decrypts and utilizes the specified credential during a helper execution path where the caller controls the destination URL. This enables the malicious user to force the n8n instance to authenticate against attacker-controlled infrastructure using another user\u0026rsquo;s credentials, effectively exfiltrating a reusable API key. The vulnerability impacts any node that dynamically resolves credentials through the affected endpoints. 
The issue was patched in n8n version 2.18.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to an n8n instance.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains access to a shared workflow.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a credential ID belonging to another user within the n8n instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to a vulnerable \u003ccode\u003edynamic-node-parameters\u003c/code\u003e endpoint, placing the foreign credential ID in the request body and pointing the caller-controlled destination URL at attacker-controlled infrastructure.\u003c/li\u003e\n\u003cli\u003eThe n8n backend, failing to check that the caller is authorized to use the specified credential, decrypts it.\u003c/li\u003e\n\u003cli\u003eThe backend authenticates against the attacker\u0026rsquo;s endpoint with the decrypted credential, sending the API key to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the API key and replays it against the real service to reach whatever the compromised credential can access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-42226) allows an attacker to exfiltrate API keys belonging to other n8n users. This can lead to unauthorized access to external services and data, depending on the permissions granted to the compromised credentials. The impact is significant, potentially affecting all n8n instances running vulnerable versions (prior to 2.18.0).
The severity is rated as high due to the ease of exploitation and the potential for significant data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to version 2.18.0 or later to patch the vulnerability (CVE-2026-42226).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect n8n Foreign Credential ID in dynamic-node-parameters\u003c/code\u003e to identify attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and limit workflow sharing to trusted users as a short-term mitigation, as suggested in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-n8n-credential-bypass/","summary":"A credential authorization bypass vulnerability in n8n versions before 2.18.0 allows an authenticated user with access to a shared workflow to supply a foreign credential ID, causing the backend to decrypt and use that credential against attacker-controlled infrastructure, leading to API key exfiltration.","title":"n8n Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay","url":"https://feed.craftedsignal.io/briefs/2024-01-03-n8n-credential-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — N8n","version":"https://jsonfeed.org/version/1.1"}