{"id":4391,"date":"2026-02-05T05:37:42","date_gmt":"2026-02-05T05:37:42","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2026\/02\/05\/two-critical-flaws-in-n8n-ai-workflow-automation-platform-allow-complete-takeover\/"},"modified":"2026-02-05T05:37:42","modified_gmt":"2026-02-05T05:37:42","slug":"two-critical-flaws-in-n8n-ai-workflow-automation-platform-allow-complete-takeover","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/02\/05\/two-critical-flaws-in-n8n-ai-workflow-automation-platform-allow-complete-takeover\/","title":{"rendered":"Two Critical Flaws in n8n AI Workflow Automation Platform Allow Complete Takeover"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Researchers at Pillar Security have found two maximum-severity vulnerabilities (CVSS score of 10.0) in n8n, a popular open-source workflow automation platform powering hundreds of thousands of enterprise AI systems worldwide.<\/p>\n<p>The flaws are sandbox escape vulnerabilities that, when exploited, allow any authenticated user to take complete control of the server and steal any stored credential, including API keys, cloud provider keys, database passwords and OAuth tokens, on both self-hosted and cloud n8n instances.<\/p>\n<p>The first flaw was reported by Pillar Security to the n8n maintainers, who released a patch, but a second vulnerability bypassing that fix was discovered 24 hours after the initial patch was deployed.<\/p>\n<p>n8n released version 2.4.0, which fixes both vulnerabilities, in January 2026.<\/p>\n<p>The GitHub Security Advisory covering both flaws carries the identifier GHSA-6cqr-8cfr-67f8, but Pillar Security did not disclose a CVE identifier for either vulnerability.<\/p>\n<p>The Pillar Security researchers noted that companies using n8n for AI orchestration face credential exposure when using OpenAI, Anthropic, Azure OpenAI 
and Hugging Face, as well as vector database access (e.g. Pinecone, Weaviate, Qdrant).<\/p>\n<h2><strong>Attack Scenarios Explained<\/strong><\/h2>\n<p>Attackers who successfully exploit either of these flaws can intercept AI prompts, modify AI responses, redirect traffic through attacker-controlled endpoints and exfiltrate sensitive data from AI interactions.<\/p>\n<p>Additionally, on n8n cloud, a single compromised user could potentially access shared infrastructure and other customers&#8217; data within the Kubernetes cluster.<\/p>\n<p>In a press release sent to <em>Infosecurity<\/em> on February 4, Eilon Cohen, an AI security researcher at Pillar Security, said what stands out in these vulnerabilities is \u201cthe combination of ease of exploitation and the high-value targets they expose.\u201d<\/p>\n<p>\u201cIf you can create a workflow in n8n, you can own the server. For attackers, this means access to OpenAI keys, Anthropic credentials, AWS accounts and the ability to intercept or modify AI interactions in real-time \u2013 all while the workflows continue functioning normally,\u201d he added.<\/p>\n<h2><strong>Mitigation Recommendations<\/strong><\/h2>\n<p>Pillar Security recommended implementing the following immediate actions to mitigate the threat posed by these vulnerabilities:<\/p>\n<ol>\n<li>Upgrade immediately: Update to n8n version 2.4.0 or later<\/li>\n<li>Rotate the encryption key: If running an affected version, rotate the n8n encryption key<\/li>\n<li>Rotate all credentials: Assume stored credentials may have been compromised and rotate them<\/li>\n<li>Audit workflows: Review workflow execution logs for suspicious expressions or unexpected behavior<\/li>\n<li>Monitor AI workflows: Watch for unusual patterns like base URL changes, new outbound connections, or modified prompts<\/li>\n<\/ol>\n<p><em>Image credits:\u00a0Azulblue \/ Shutterstock<\/em><\/p>\n<p><em>Read now: Maximum Severity \u201cNi8mare\u201d Bug Lets Hackers Hijack n8n 
Servers<\/em><\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Researchers at Pillar Security have found two maximum severity vulnerabilities (CVSS score of 10.0) in n8n, a popular open-source workflow automation platform powering hundreds of thousands of enterprise AI systems worldwide. The flaws are sandbox escape vulnerabilities which, when exploited, allow any authenticated user to achieve complete server control and steal any stored credential, including<\/p>\n","protected":false},"author":2,"featured_media":4392,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4391","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4391-477fefec-0148-4e59-8440-d14757f991d0.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4391-477fefec-0148-4e59-8440-d14757f991d0-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4391-477fefec-0148-4e59-8440-d14757f991d0.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4391-477fefec-0148-4e59-8440-d14757f991d0.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4391-477fefec-0148-4e59-8440-d14757f991d0.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4391-477fefec-0148-4e59-8440-d14757f991d0.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4391-477fefec-0148-4e59-8440-d14757f991d0.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4391-477fefec-0148-4e59-8440-d14757f991d0.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4391-477fefec-0148-4e59-8440-d14757f991d0.jpg",300,30
0,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4391-477fefec-0148-4e59-8440-d14757f991d0.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4391-477fefec-0148-4e59-8440-d14757f991d0-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4391","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4391"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4391\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4392"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4391"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
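The "Audit workflows" and "Monitor AI workflows" steps in the mitigation list above can be run mechanically against an exported workflow definition. The script below is an added example written for this page, not n8n's or Pillar Security's code. It assumes the export shape `{ nodes: [{ name, type, parameters }] }`, the leading `=` that n8n places on a parameter holding an expression, the node type strings, the parameter names `baseURL`/`baseUrl` for a model's endpoint, and the two allow-lists; the indicator regexes are generic JavaScript sandbox-escape idioms, since the article does not publish the actual payload. The sample workflow is constructed inline so the script runs offline.

```javascript
// Added example (not n8n's or Pillar Security's code): scan an exported n8n
// workflow for the indicators the mitigation list asks operators to review.
//
// Assumptions, not taken from the article: the export shape
// { nodes: [{ name, type, parameters }] }; the leading "=" that n8n puts on a
// parameter holding an expression; the node type strings; the parameter names
// that carry a base URL; the indicator regexes; and both allow-lists. The article
// does not publish the payload, so the regexes are generic JavaScript
// sandbox-escape idioms rather than the reported exploit.

const SUSPICIOUS_TOKENS = [
  /\bconstructor\b/,              // walking .constructor up to Function
  /\bprocess\s*\./,               // Node's process object (env, mainModule, ...)
  /\brequire\s*\(/,               // module loading from inside an expression
  /\bchild_process\b/,
  /\bFunction\s*\(/,              // dynamic code construction
  /\b__proto__\b|\bprototype\b/,  // prototype-chain walking
  /\bglobalThis\b|\bglobal\s*\./,
  /\bimport\s*\(/,
];

// Assumed allow-lists; replace with the hosts your own workflows legitimately use.
const EXPECTED_LLM_HOSTS = new Set(['api.openai.com', 'api.anthropic.com']);
const EXPECTED_OUTBOUND_HOSTS = new Set([...EXPECTED_LLM_HOSTS, 'hooks.slack.com']);
const BASE_URL_KEYS = new Set(['baseURL', 'baseUrl']);

const isLlmNode = (node) => /langchain/i.test(node.type || '');       // assumption
const isHttpNode = (node) => node.type === 'n8n-nodes-base.httpRequest';
const isCodeNode = (node) => node.type === 'n8n-nodes-base.code';
const isExpression = (s) => s.startsWith('=') || s.includes('{{');

// Yield every string leaf of a parameters object together with its dotted path.
function* walkStrings(value, path = []) {
  if (typeof value === 'string') {
    yield { path: path.join('.'), value };
  } else if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) yield* walkStrings(value[i], [...path, String(i)]);
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) yield* walkStrings(v, [...path, k]);
  }
}

// Hostname of a literal http(s) URL; null for expression-built or relative values.
function hostOf(value) {
  if (!/^https?:\/\//i.test(value)) return null;
  try { return new URL(value).hostname; } catch { return null; }
}

function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    for (const { path, value } of walkStrings(node.parameters || {})) {
      const leaf = path.split('.').pop();

      // 1. Sandbox-escape idioms in expressions (and in Code nodes, which run JS by design).
      if (isExpression(value) || (isCodeNode(node) && leaf === 'jsCode')) {
        for (const re of SUSPICIOUS_TOKENS) {
          if (re.test(value)) {
            findings.push({ node: node.name, path, kind: 'suspicious-expression', detail: re.source });
          }
        }
      }

      // 2. LLM node whose base URL no longer points at the vendor (prompt/response interception).
      if (isLlmNode(node) && BASE_URL_KEYS.has(leaf)) {
        const host = hostOf(value);
        if (!host || !EXPECTED_LLM_HOSTS.has(host)) {
          findings.push({ node: node.name, path, kind: 'base-url-changed', detail: host || value });
        }
      }

      // 3. HTTP Request node with a literal URL to a host outside the allow-list.
      if (isHttpNode(node) && leaf === 'url') {
        const host = hostOf(value);
        if (host && !EXPECTED_OUTBOUND_HOSTS.has(host)) {
          findings.push({ node: node.name, path, kind: 'unexpected-outbound', detail: host });
        }
      }
    }
  }
  return findings;
}

// Constructed sample export, not a real workflow: a benign expression, an
// expression that touches `process`, an OpenAI node pointed at a proxy, and an
// HTTP Request to an unlisted host.
const SAMPLE_WORKFLOW = {
  name: 'constructed sample',
  nodes: [
    { name: 'Set', type: 'n8n-nodes-base.set',
      parameters: { values: { string: [{ name: 'greeting', value: '={{ "hi " + $json.name }}' }] } } },
    { name: 'HTTP Request', type: 'n8n-nodes-base.httpRequest',
      parameters: { url: '={{ process.env.HOME }}', method: 'GET' } },
    { name: 'OpenAI Chat Model', type: '@n8n/n8n-nodes-langchain.lmChatOpenAi',
      parameters: { model: 'gpt-4o', options: { baseURL: 'https://proxy.example.net/v1' } } },
    { name: 'Fetch docs', type: 'n8n-nodes-base.httpRequest',
      parameters: { url: 'https://internal.example.com/docs', method: 'GET' } },
  ],
};

for (const finding of auditWorkflow(SAMPLE_WORKFLOW)) console.log(JSON.stringify(finding));
```

Run it against the JSON you get from an n8n workflow export and triage every finding by hand: a `suspicious-expression` hit in a Code node may be legitimate, but the same token inside an ordinary parameter expression is exactly what the advisory's "suspicious expressions" step is about, and a `base-url-changed` hit on a model node is the interception pattern the researchers describe. Expression-built URLs are deliberately not resolved here; they are reported only if they contain an indicator token, because the script has no runtime context to evaluate them safely.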