Description
n8n is an open source workflow automation platform. Prior to versions 1.118.0 and 2.4.0, a vulnerability in the Merge node's SQL Query mode allowed authenticated users with permission to create or modify workflows to write arbitrary files to the n8n server's filesystem potentially leading to remote code execution. This issue has been patched in versions 1.118.0 and 2.4.0.
EPSS Score: 0%
EUVD-2026-5415: Critical Vulnerability Analysis
n8n Workflow Automation Platform - Arbitrary File Write Leading to RCE
1. VULNERABILITY ASSESSMENT AND SEVERITY EVALUATION
Severity Classification
CVSS 4.0 Base Score: 9.4 (CRITICAL)
This vulnerability represents a critical security risk with the following characteristics:
CVSS 4.0 Vector Breakdown:
- Attack Vector (AV:N): exploitable over the network, through the normal editor and REST API
- Attack Complexity (AC:L): no race, timing or configuration guesswork involved
- Attack Requirements (AT:N): no special deployment conditions required
- Privileges Required (PR:L): a low-privileged authenticated account suffices, as long as it can create or modify workflows
- User Interaction (UI:N): no action by another user required
- Impact Metrics: VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (Confidentiality, Integrity and Availability all HIGH for both the vulnerable system and subsequent systems)
Risk Assessment
The vulnerability achieves maximum impact across all CIA triad components for both the vulnerable system and subsequent systems, indicating:
- Complete compromise of the n8n host
- Lateral movement using the credentials n8n stores for the systems its workflows talk to
- Downstream impact on every system those workflows automate (the automation platform becomes a pivot into integrated services)
- Data exfiltration and manipulation risks
2. POTENTIAL ATTACK VECTORS AND EXPLOITATION METHODS
Attack Surface Analysis
Primary Attack Vector: The vulnerability exists within the Merge node's SQL Query mode ("Combine by SQL Query"), in which a workflow author writes a SQL statement that n8n evaluates itself, in-process with an embedded JavaScript SQL engine (AlaSQL), against the node's input items; the statement is not sent to any configured database. Because the query is a free-form node parameter, whoever can edit the workflow controls it completely, and any file-export capability of that engine runs with the filesystem permissions of the n8n process.
Exploitation Methodology
Step 1: Initial Access
- Attacker requires authenticated access with workflow creation/modification permissions
- This represents a relatively low barrier as many organizations grant these permissions to developers, automation engineers, and power users
Step 2: Exploitation Mechanism
Workflow Creation → Merge Node (SQL Query Mode) →
Malicious SQL Query with File Write Operations →
Arbitrary File System Access
Step 3: Privilege Escalation Path
- Arbitrary File Write: Attacker crafts malicious SQL queries to write files to arbitrary locations
- Strategic File Placement:
- Overwrite configuration files
- Deploy web shells in web-accessible directories
- Modify startup scripts or cron jobs
- Plant SSH authorized_keys
- Remote Code Execution: Execute planted payloads to achieve full system control
Exploitation Scenarios
Scenario A: Web Shell Deployment
-- Hypothetical exploitation pattern, written in MySQL INTO OUTFILE syntax for illustration only;
-- the Merge node does not hand its query to MySQL, so this shows the shape of the attack, not a working payload
SELECT '<?php system($_GET["cmd"]); ?>'
INTO OUTFILE '/var/www/html/shell.php'
(n8n is a Node.js application and ships no PHP interpreter; this scenario assumes a PHP-capable web server on the same host or sharing a volume.)
Scenario B: SSH Key Injection
-- Writing SSH public key for persistent access (same illustrative syntax; the target path depends on the
-- account running n8n, which is node in the official Docker image)
SELECT 'ssh-rsa AAAA[...]'
INTO OUTFILE '/home/n8n/.ssh/authorized_keys'
Scenario C: Configuration Tampering
- Modify n8n configuration files to disable security features
- Inject malicious environment variables
- Alter database connection strings for data exfiltration
Attack Complexity Considerations
- Low technical barrier: no injection is needed; the attacker authors the SQL statement directly as a node parameter, so only the engine's file-export syntax has to be known
- No user interaction required: a saved workflow can be run on demand or on a trigger, so exploitation is automatable
- Network accessible: remote exploitation from anywhere the editor or REST API is reachable
- Authenticated but low privilege: an insider, or a compromised account with workflow-edit rights, is sufficient
3. AFFECTED SYSTEMS AND SOFTWARE VERSIONS
Vulnerable Versions
Product: n8n (Workflow Automation Platform)
Vendor: n8n-io
Affected Version Ranges (the fix landed separately in each major line, so a 2.x build is not protected by being numerically above 1.118.0):
- 1.x branch: n8n < 1.118.0
- 2.x branch: n8n < 2.4.0
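The branch-aware version check that the two ranges above imply, as an added example (not n8n project code or anything from the advisory). The fixed versions 1.118.0 and 2.4.0 are taken from the advisory; the handling of pre-release suffixes and of major lines other than 1 and 2 is an assumption stated in the code comments.

```python
"""Branch-aware check of an n8n version string against the fixed releases.

Added example, not n8n project code. The fixed versions 1.118.0 and 2.4.0 come
from the advisory; everything else here (pre-release handling, treatment of
other major lines) is an assumption stated in the comments.
"""
from __future__ import annotations

import re

# First fixed release on each major line, from the advisory text.
FIXED_BY_MAJOR = {1: (1, 118, 0), 2: (2, 4, 0)}

_VERSION_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?P<pre>-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text: str) -> tuple[tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease) for a semver-style string.

    Accepts the forms seen in `n8n --version` output and image tags
    (e.g. "1.117.4", "v2.3.2", "2.4.0-rc.1"); anything else raises ValueError.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semver string: {text!r}")
    core = (int(m["major"]), int(m["minor"]), int(m["patch"]))
    return core, m["pre"] is not None


def is_vulnerable(text: str) -> bool:
    """True when the version predates the fix on its own major line.

    The fix shipped separately on 1.x and 2.x, so 2.0.0 is vulnerable even
    though it sorts above 1.118.0. Assumptions: a pre-release of the fixed
    version (2.4.0-rc.1) is treated as not yet fixed; majors above 2 are
    assumed to carry the fix forward; majors below 1 are end-of-life and
    treated as vulnerable because no patched build exists for them.
    """
    core, prerelease = parse_version(text)
    major = core[0]
    if major not in FIXED_BY_MAJOR:
        return major < min(FIXED_BY_MAJOR)
    fixed = FIXED_BY_MAJOR[major]
    if core < fixed:
        return True
    return core == fixed and prerelease


def triage(versions: list[str]) -> dict[str, str]:
    """Map each version string to 'vulnerable', 'patched' or 'unparseable'."""
    result = {}
    for v in versions:
        try:
            result[v] = "vulnerable" if is_vulnerable(v) else "patched"
        except ValueError:
            result[v] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, e.g. collected from `n8n --version` on each host.
    sample = ["1.117.4", "1.118.0", "2.0.0", "2.3.2", "2.4.0-rc.1", "2.4.0", "latest"]
    for version, status in triage(sample).items():
        print(f"{version:12} {status}")
```

Feed it the strings your inventory tooling collects (`n8n --version`, image tags, package.json versions); an image tagged `latest` is reported as unparseable on purpose, because a floating tag says nothing about the build actually running.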
Deployment Contexts at Risk
Infrastructure Types:
- Self-hosted installations: On-premises servers, VMs, containers
- Cloud deployments: AWS, Azure, GCP instances
- Container orchestration: Kubernetes, Docker Swarm deployments
- Hybrid environments: Mixed cloud and on-premises setups
Organizational Impact:
- Enterprise automation platforms: Organizations using n8n for business process automation
- DevOps pipelines: CI/CD integration workflows
- Data integration systems: ETL and data synchronization processes
- API orchestration: Microservices coordination and API management
European Sector Exposure
Given n8n's popularity in European markets:
- Financial services: Payment processing automation
- Healthcare: Patient data workflow management
- Manufacturing: Industry 4.0 automation systems
- Public sector: Government digital services
- SMEs: Small-medium enterprises with limited security resources
4. RECOMMENDED MITIGATION STRATEGIES
Immediate Actions (Priority 1 - Within 24-48 Hours)
A. Patch Management
# Upgrade to a patched version immediately (the fix is in 1.118.0 and 2.4.0; any later release on the same line carries it too)
# npm installs: npm update does not accept a version spec, so install the release explicitly
npm install -g n8n@1.118.0    # 1.x line
npm install -g n8n@2.4.0      # 2.x line
n8n --version                 # confirm the version actually running afterwards
# Docker users: pulling the image is not enough, recreate the container from the new tag
docker pull n8nio/n8n:1.118.0
# or
docker pull n8nio/n8n:2.4.0
B. Emergency Workarounds (If immediate patching impossible)
- Disable the affected functionality
  - n8n has no switch for the SQL Query mode alone. The blunt option is to exclude the whole Merge node through the NODES_EXCLUDE environment variable (a JSON array of node types, here ["n8n-nodes-base.merge"]), which breaks every workflow that uses the node in any mode
  - The targeted option is to audit stored workflows for Merge nodes in SQL Query mode and deactivate those workflows until the patch is in place
- Workflow Permission Audit
  - Review all users with workflow creation/modification rights
  - Implement the principle of least privilege: the right to edit a workflow is, on an unpatched instance, the right to write files as the n8n process, and should be granted as such
  - Temporarily revoke permissions that are not needed
- Network Segmentation
  - Isolate n8n instances from critical infrastructure, and treat the host's outbound reach as the attacker's reach
  - Implement strict firewall rules
  - A WAF in front of the editor/API adds little here: the query arrives as a legitimate JSON field of a workflow save request, so generic SQL-injection rules will miss it or block normal edits. If one is deployed, have it match file-export keywords (INTO OUTFILE, INTO DUMPFILE) in workflow create/update requests and alert rather than block
Short-term Measures (Priority 2 - Within 1 Week)
C. Security Hardening
- File System Protections
# Confine the n8n process with AppArmor (or an equivalent SELinux policy) so that a write issued from
# inside the SQL engine cannot reach anything but n8n's own data directory. Deny rules take precedence
# over allow rules; the audit qualifier makes every denied attempt show up in the kernel log.
# Example AppArmor profile snippet (adapt the data directory to your deployment):
  audit deny /var/www/** w,
  audit deny /home/*/.ssh/** w,
  audit deny /etc/** w,
  audit deny /var/spool/cron/** w,
  /home/node/.n8n/** rw,
- Database Security
  - The Merge node evaluates its query inside the n8n process, not on the backing database, so revoking MySQL's FILE privilege does not close this vulnerability. It remains a sound least-privilege step for any MySQL account whose credentials n8n holds:
REVOKE FILE ON *.* FROM 'n8n_user'@'localhost';
FLUSH PRIVILEGES;
- Monitoring and Detection
  - Enable file integrity monitoring (FIM) on critical directories
  - Implement SIEM rules for suspicious file creation patterns
  - n8n keeps no SQL query log for the Merge node; the query lives as a node parameter in the stored workflow JSON. Audit workflow definitions (exported from the editor, fetched through the public REST API, or read from the workflow table of n8n's own database) for Merge nodes in SQL Query mode whose query contains INTO OUTFILE, INTO DUMPFILE or any other export-to-file clause
Detection Signatures:
- File writes outside the n8n data directory by the n8n process
- Stored workflow queries containing INTO OUTFILE/DUMPFILE or other file-export clauses
- Unexpected file modifications in system directories
- New SSH keys in authorized_keys files
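The workflow-definition audit described under Monitoring and Detection, as an added example (not n8n project code or anything from the advisory). It assumes the JSON shape of an n8n workflow export (a `nodes` list whose entries carry `type`, `typeVersion` and `parameters`), that the Merge node's SQL mode is stored as `parameters.mode == "combineBySql"` with the statement in `parameters.query`, that parameter values beginning with `=` are n8n expressions evaluated at run time, and that the REST API wraps a list of workflows in a `{"data": [...]}` envelope. Verify those names against a workflow exported from your own instance before trusting the output. The sample export is constructed for the example.

```python
"""Audit an n8n workflow export for Merge nodes in SQL Query mode.

Added example, not n8n project code. Assumptions: the export is the JSON the
editor's download produces or GET /api/v1/workflows returns (a workflow with
a "nodes" list, each node carrying "type", "typeVersion" and "parameters");
the Merge node stores its SQL mode as parameters["mode"] == "combineBySql"
and the statement in parameters["query"]; and parameter values starting with
"=" are n8n expressions evaluated at run time.
"""
from __future__ import annotations

import json
import re
from typing import Any

MERGE_NODE_TYPE = "n8n-nodes-base.merge"   # assumed node type identifier
SQL_MODE = "combineBySql"                  # assumed parameter value for SQL Query mode

# The Merge node only needs to SELECT/JOIN its input tables. Any INTO clause
# (MySQL's INTO OUTFILE / INTO DUMPFILE, or an engine-specific export target)
# is outside that purpose, so it is the marker this scanner looks for.
INTO_CLAUSE = re.compile(r"\bINTO\b", re.IGNORECASE)


def normalize_sql(query: str) -> str:
    """Strip SQL comments and collapse whitespace so keywords split by
    comments (IN/**/TO) or line breaks are seen whole. Comment markers
    inside string literals are not respected; that errs toward flagging."""
    no_block = re.sub(r"/\*.*?\*/", "", query, flags=re.S)
    no_line = re.sub(r"--[^\n]*", "", no_block)
    return " ".join(no_line.split())


def classify_query(query: str) -> str:
    """'dynamic' for an expression-built query (cannot be audited statically),
    'suspicious' when a file-export style INTO clause is present, else 'ok'."""
    if query.lstrip().startswith("="):
        return "dynamic"
    return "suspicious" if INTO_CLAUSE.search(normalize_sql(query)) else "ok"


def audit_workflow(workflow: dict[str, Any]) -> list[dict[str, str]]:
    """Return one finding per Merge node in SQL mode whose query is not 'ok'."""
    findings = []
    for node in workflow.get("nodes", []):
        params = node.get("parameters") or {}
        if node.get("type") != MERGE_NODE_TYPE or params.get("mode") != SQL_MODE:
            continue
        query = str(params.get("query", ""))
        verdict = classify_query(query)
        if verdict != "ok":
            findings.append({
                "workflow": workflow.get("name", "?"),
                "node": node.get("name", "?"),
                "verdict": verdict,
                "query": query[:120],
            })
    return findings


def audit_export(export_json: str) -> list[dict[str, str]]:
    """Accept a single workflow export or the {"data": [...]} list the REST API returns."""
    doc = json.loads(export_json)
    workflows = doc["data"] if isinstance(doc, dict) and "data" in doc else [doc]
    return [f for wf in workflows for f in audit_workflow(wf)]


# Constructed sample export: one benign SQL merge, one Merge node in another
# mode, one query hiding INTO behind a block comment, one expression-built
# query, and an unrelated node that must be ignored.
SAMPLE_EXPORT = json.dumps({
    "name": "orders-sync",
    "nodes": [
        {"name": "Join orders", "type": MERGE_NODE_TYPE, "typeVersion": 3,
         "parameters": {"mode": SQL_MODE,
                        "query": "SELECT * FROM input1 LEFT JOIN input2 ON input1.id = input2.order_id"}},
        {"name": "Append", "type": MERGE_NODE_TYPE, "typeVersion": 3,
         "parameters": {"mode": "append"}},
        {"name": "Export", "type": MERGE_NODE_TYPE, "typeVersion": 3,
         "parameters": {"mode": SQL_MODE,
                        "query": "SELECT 'payload' IN/**/TO OUTFILE '/tmp/out' -- review"}},
        {"name": "Dynamic", "type": MERGE_NODE_TYPE, "typeVersion": 3,
         "parameters": {"mode": SQL_MODE,
                        "query": "={{ 'SELECT * FROM input1 ' + $json.suffix }}"}},
        {"name": "Fetch", "type": "n8n-nodes-base.httpRequest", "typeVersion": 4,
         "parameters": {"url": "https://example.invalid/orders"}},
    ],
})

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(f"[{finding['verdict']}] {finding['workflow']} / {finding['node']}: {finding['query']}")
```

Run it over every workflow, not only active ones: a deactivated workflow can be activated or executed manually later. Pulling the list from the public REST API (GET /api/v1/workflows with the X-N8N-API-KEY header) yields the `{"data": [...]}` form the script accepts. Expression-built queries are reported as `dynamic` rather than cleared, because the file-export clause can be assembled at run time from data the static text never shows.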
Long-term Strategic Measures (Priority 3 - Ongoing)
D. Governance and Compliance
- Access Control Framework
  - Implement Role-Based Access Control (RBAC)
  - Multi-factor authentication (MFA) for all workflow editors
  - Regular access reviews and recertification
- Security Development Lifecycle
  - Code review requirements for workflow changes
  - Automated security scanning of workflows
  - Sandbox environments for workflow testing
- Incident Response Preparation
  - Develop n8n-specific incident response playbooks
  - Conduct tabletop exercises
  - Establish communication channels with the n8n-io security team
E. Compensating Controls
- Container Security (for containerized deployments)
# Docker Compose security constraints. read_only makes the image filesystem immutable, so the only
# writable locations are /tmp and the data volume, and an arbitrary write is confined to those paths.
# The data directory still holds n8n's SQLite database and configuration, so this limits the impact
# rather than removing it.
services:
  n8n:
    image: n8nio/n8n:1.118.0
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp
    volumes:
      - n8n_data:/home/node/.n8n   # the one path n8n must be able to write
    cap_drop:
      - ALL
    # NET_BIND_SERVICE is not needed for the default port 5678; add it under cap_add only if n8n must bind a port below 1024
volumes:
  n8n_data:
- Runtime Application Self-Protection (RASP)
  - Deploy RASP solutions to detect and block exploitation attempts
  - Implement behavioral analysis for anomaly detection
5. IMPACT ON EUROPEAN CYBERSECURITY LANDSCAPE
Regulatory Implications
A. GDPR Compliance Risks