Description
n8n is an open source workflow automation platform. Prior to versions 1.123.18 and 2.5.0, a vulnerability in the file access controls allows authenticated users with permission to create or modify workflows to read sensitive files from the n8n host system. This can be exploited to obtain critical configuration data and user credentials, leading to complete account takeover of any user on the instance. This issue has been patched in versions 1.123.18 and 2.5.0.
EPSS Score: 0%
EUVD-2026-5419: Comprehensive Technical Analysis
n8n Workflow Automation Platform - File Access Control Vulnerability
1. VULNERABILITY ASSESSMENT AND SEVERITY EVALUATION
Severity Classification
CVSS 4.0 Base Score: 9.4 (CRITICAL)
This vulnerability represents a critical security flaw in the n8n workflow automation platform with the following characteristics:
CVSS 4.0 Vector Analysis
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Attack Vector Breakdown:
- Attack Vector (AV:N): Network-exploitable, requiring no physical or local access
- Attack Complexity (AC:L): Low complexity - no specialized conditions required
- Attack Requirements (AT:N): No additional attack requirements
- Privileges Required (PR:L): Low privileges - only authenticated user access needed
- User Interaction (UI:N): No user interaction required for exploitation
- Vulnerable System Impact: High across all CIA triad components (Confidentiality, Integrity, Availability)
- Subsequent System Impact: High across all components, indicating lateral movement potential
Risk Assessment
The 9.4 CVSS score places this vulnerability in the CRITICAL category, justified by:
- Complete System Compromise: Ability to read sensitive files enables full account takeover
- Privilege Escalation Path: Low-privileged users can access administrative credentials
- Lateral Movement Capability: Subsequent system impacts rated HIGH indicate potential for broader infrastructure compromise
- Minimal Attack Barriers: Low complexity and no user interaction required
- Multi-tenant Risk: In shared hosting environments, cross-tenant data exposure is possible
2. POTENTIAL ATTACK VECTORS AND EXPLOITATION METHODS
Primary Attack Vector: Workflow-Based File Access Bypass
Attack Chain:
[Authenticated User] → [Create/Modify Workflow] → [Exploit File Access Controls]
→ [Read Sensitive Files] → [Extract Credentials] → [Account Takeover]
Exploitation Methodology
Phase 1: Initial Access
- Attacker obtains legitimate low-privileged credentials (workflow creator/editor role)
- Access can be obtained through:
  - Compromised employee accounts
  - Insider threats
  - Social engineering
  - Credential stuffing attacks
Phase 2: Vulnerability Exploitation
The vulnerability likely exists in one or more of these areas:
- Path Traversal in Workflow Nodes
  - File read operations in workflow nodes may lack proper path sanitization
  - Attackers can use ../ sequences to escape intended directories
  - Example payload: ../../../../etc/passwd or ../../../../app/config/.env
- Insufficient Access Control Validation
  - Workflow execution context may inherit excessive file system permissions
  - Missing checks on file paths before read operations
  - Inadequate sandboxing of workflow execution environment
- Configuration File Exposure
  - Target files likely include:
    - .env files containing database credentials
    - config.json or similar configuration files
    - JWT signing keys
    - API tokens and secrets
    - Database connection strings
    - OAuth client secrets
Phase 3: Credential Extraction
Attackers target specific files:
- /app/.env
- /app/config/database.json
- /root/.n8n/config
- /home/n8n/.n8n/config
- /var/lib/n8n/credentials
Phase 4: Account Takeover
With extracted credentials, attackers can:
- Access database directly to dump user credentials
- Forge authentication tokens using signing keys
- Impersonate administrative users
- Modify existing workflows to establish persistence
- Exfiltrate sensitive workflow data containing business logic and credentials
Secondary Attack Vectors
Multi-Stage Attacks:
- Horizontal Privilege Escalation: Access credentials of peer users
- Vertical Privilege Escalation: Obtain administrative credentials
- Infrastructure Compromise: Extract cloud provider credentials, database passwords
- Supply Chain Attacks: Modify workflows to inject malicious code into automated processes
3. AFFECTED SYSTEMS AND SOFTWARE VERSIONS
Vulnerable Versions
Vendor: n8n-io
Product: n8n Workflow Automation Platform
Affected Version Ranges:
- Branch 1.x: All versions < 1.123.18
- Branch 2.x: All versions < 2.5.0
Deployment Scenarios at Risk
- Self-Hosted Installations
  - Docker deployments
  - Kubernetes clusters
  - VM-based installations
  - Bare-metal servers
- Cloud Deployments
  - AWS, Azure, GCP hosted instances
  - Platform-as-a-Service deployments
  - Container orchestration platforms
- Enterprise Environments
  - Multi-tenant installations (highest risk)
  - Integrated with corporate identity providers
  - Connected to production databases and APIs
Environmental Factors Increasing Risk
- Multi-user environments: Higher likelihood of compromised low-privileged accounts
- Internet-facing instances: Increased attack surface
- Integration with sensitive systems: Greater impact from credential exposure
- Shared hosting: Cross-tenant contamination risk
- Legacy authentication: Environments without MFA or strong authentication
4. RECOMMENDED MITIGATION STRATEGIES
Immediate Actions (Priority 1 - Within 24-48 Hours)
A. Patch Application
CRITICAL: Apply security updates immediately
# For Docker deployments: set the image tag in docker-compose.yml to the fixed
# release for your branch, then pull it
docker pull n8nio/n8n:1.123.18 # For 1.x branch
docker pull n8nio/n8n:2.5.0 # For 2.x branch
# Recreate containers with the updated image
docker-compose down
docker-compose up -d
# For npm installations (npm update does not take a version spec; install the fixed release explicitly)
npm install -g n8n@1.123.18 # or n8n@2.5.0 for the 2.x branch
B. Emergency Access Review
- Audit all user accounts with workflow creation/modification permissions
- Review workflow history for suspicious file access patterns
- Check system logs for unusual file read operations
- Examine authentication logs for anomalous login patterns during the window in which exploitation was possible
C. Credential Rotation
Assume compromise and rotate all sensitive credentials:
- Database passwords
- API keys and tokens
- JWT signing secrets
- OAuth client secrets
- Service account credentials
- Integration passwords
Short-Term Mitigations (Priority 2 - Within 1 Week)
A. Access Control Hardening
Implement the principle of least privilege:
- Restrict workflow creation to trusted users only
- Implement approval workflows for new workflow deployment
- Enable audit logging for all workflow modifications
- Implement role-based access control (RBAC) strictly
B. Network Segmentation
- Place n8n instances behind VPN or zero-trust network access
- Implement IP whitelisting for administrative access
- Segment n8n infrastructure from production databases where possible
- Deploy Web Application Firewall (WAF) with file access monitoring
C. Monitoring and Detection
Deploy detection rules for:
- Workflow creation/modification by low-privileged users
- File read operations outside expected directories
- Multiple failed authentication attempts following workflow changes
- Unusual data exfiltration patterns
- Access to configuration files from workflow context
Long-Term Strategic Mitigations (Priority 3 - Ongoing)
A. Security Architecture Review
- Implement workflow sandboxing: Containerize workflow execution with minimal file system access
- Deploy secrets management: Use HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault
- Implement file access monitoring: Deploy HIDS/FIM solutions
- Enable comprehensive audit logging: Centralize logs in SIEM
B. Security Hardening
# Run n8n with minimal privileges: use a dedicated service account with restricted file access
useradd -r -s /bin/false n8n-service
# File system permissions: only the service account that runs n8n may read its secrets
# (root-owned mode 600 files would be unreadable by the service account itself)
chown n8n-service:n8n-service /app/.env /app/config/*
chmod 600 /app/.env
chmod 600 /app/config/*
# Implement AppArmor/SELinux policies
# Restrict file system access for n