n8n A.I CyberSecurity Scoring
n8n
Company Information
Website: https://n8n.io
Employees number: 663
Number of followers: 256,751
NAICS: 5112
Industry Type: Software Development
Homepage: n8n.io
n8n Risk Score (AI oriented)
Band: between 700 and 749
Updated: 05/05/2026
718/1000, Moderate (Ba)
n8n Global Score (TPRM): score locked
Current Score: 718 Ba (MODERATE) on a 0 to 1000 scale
8 incidents, -6.86 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 720
MAY 2026: 718
APRIL 2026: 717
MARCH 2026: 721
Vulnerability
30 Mar 2026 • n8n
n8n: Critical n8n Vulnerability Let Attackers Achieve Remote Code Execution
Critical RCE Vulnerability in n8n Workflow Automation Platform Exposes Servers to Attack
716
CRITICAL-5
N8N1774873530
Critical RCE Vulnerability in n8n Workflow Automation Platform Exposes Servers to Attack
A severe security flaw in n8n, a popular open-source workflow automation tool, has been identified as CVE-2026-33660, enabling Remote Code Execution (RCE) attacks on host servers. The vulnerability, rated critical under both CVSS 3.1 and 4.0, allows authenticated threat actors to bypass security controls, access sensitive data, and fully compromise the underlying system.
The issue stems from the "Merge" node in n8n workflows when "Combine by SQL" mode is enabled. The platform uses an AlaSQL sandbox to execute SQL operations, but researchers found that the sandbox fails to properly restrict certain SQL statements. Due to improper input validation (CWE-94: Code Injection), attackers can inject malicious instructions, leading to sandbox escape and local file read access on the host.
Exploitation requires only low-level privileges, such as the ability to create or modify workflows, with no user interaction needed. Once compromised, attackers can escalate the attack to execute arbitrary code, gaining full administrative control over the server. The vulnerability poses a high risk to enterprise automation environments, as it threatens confidentiality, integrity, and availability of affected systems.
The n8n development team has released patches to address the flaw. Organizations are advised to update their instances immediately to mitigate risk. For those unable to patch immediately, temporary workarounds include:
- Restricting workflow creation/modification permissions to trusted personnel.
- Disabling the vulnerable component by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable.
However, n8n emphasizes that only the official patches provide permanent remediation. The vulnerability underscores the importance of timely updates in securing automation platforms against evolving threats.
MARCH 2026: 727
Vulnerability
04 Mar 2026 • n8n
n8n and Tenda: Tenda Routers Hit By Zerobot Malware Exploiting Command Injection Flaw
Zerobot Botnet Exploits Tenda and n8n Vulnerabilities in Ongoing Campaign
723
CRITICAL-4
TENN8N1772649116
Zerobot Botnet Exploits Tenda and n8n Vulnerabilities in Ongoing Campaign
Akamai’s Security Incident Response Team (SIRT) has uncovered an active botnet campaign, Zerobot, leveraging recently disclosed vulnerabilities in Tenda AC1206 routers and the n8n workflow automation platform. First detected in mid-January 2026, the malware, linked to the Mirai botnet family, targets two critical flaws: CVE-2025-7544 and CVE-2025-68613.
### Exploited Vulnerabilities
1. CVE-2025-7544 (Tenda AC1206 – CVSS 8.8)
- A remote stack-based buffer overflow in the `/goform/setMacFilterCfg` endpoint, caused by improper input handling in the `deviceList` parameter.
- Allows unauthenticated attackers to execute arbitrary code, enabling denial-of-service (DoS) attacks or full device compromise.
- A proof-of-concept (PoC) exploit was publicly released, simplifying attacks via crafted requests.
2. CVE-2025-68613 (n8n – CVSS 9.9)
- A remote code execution (RCE) flaw in n8n’s workflow automation platform, stemming from insecure expression evaluations.
- Unauthenticated attackers can execute arbitrary code, access environment variables, API keys, and configuration files, and move laterally within networks.
- Affects versions 0.211.0 to 1.120.3, 1.121.0, and early 1.122.x.
### Attack Chain & Impact
Zerobot exploits these vulnerabilities to deploy Mirai-based payloads. In observed attacks, threat actors:
- Triggered a buffer overflow on vulnerable Tenda routers to execute a malicious shell script, tol.sh.
- Downloaded the primary Zerobot payload, which employs evasion tactics including hosting on Vercel domains and obfuscating scripts.
- Established command-and-control (C2) communication to deploy a multi-stage infostealer, targeting browser credentials, SSH keys, and Git repositories.
Akamai’s global honeypot network detected active exploitation, with compromised systems used to propagate further attacks. The campaign underscores the growing sophistication of botnets in weaponizing recently disclosed CVEs, particularly in IoT devices and critical infrastructure tools like n8n. Organizations using affected Tenda or n8n versions remain at risk until patches are applied.
FEBRUARY 2026: 728
Vulnerability
06 Feb 2026 • n8n
n8n: OAuth vulnerability in n8n automation platform could lead to system compromise
Stored XSS Vulnerability in n8n Automation Platform Exposes Credentials to Attackers
723
CRITICAL-5
N8N1772821622
Stored XSS Vulnerability in n8n Automation Platform Exposes Credentials to Attackers
Researchers at Imperva have identified a stored cross-site scripting (XSS) vulnerability in n8n, a popular workflow automation platform, stemming from a misconfiguration in OAuth credential handling. The flaw, patched in n8n v2.6.4 released on February 6, could allow attackers to inject malicious JavaScript payloads into the platform’s database, compromising credentials and potentially gaining control of connected systems.
### How the Vulnerability Works
n8n enables organizations to automate workflows by integrating with services like Google Workspace, Microsoft 365, Slack, and GitHub via OAuth tokens or API keys. However, the platform failed to properly sanitize authorization URLs, allowing attackers to replace legitimate URLs with malicious scripts. Once stored, these payloads execute when other users interact with the compromised credentials, leading to credential exfiltration and potential system-wide compromise.
### Attack Requirements & Impact
Exploiting this flaw requires initial access to the victim’s n8n system, making it a second-stage attack rather than an entry point. However, if successful, an attacker could:
- Steal OAuth tokens and API keys across multiple services.
- Escalate access to connected applications, including CRMs, databases, and messaging tools.
- Compromise entire automation workflows, amplifying the breach’s impact.
Imperva warns that automation platforms like n8n centralize risk by aggregating access to critical systems. A single vulnerability in such a platform can be more damaging than a flaw in an isolated application, as it provides a gateway to multiple services.
### Previous Incidents & Growing Threat
n8n has faced security challenges before, including a separate OAuth-related vulnerability patched in January alongside four other CVEs. The platform’s rising popularity has also attracted threat actors, with reports of malicious integrations posing as legitimate n8n tools.
Organizations using n8n are advised to treat automation platforms as Tier-0 assets, enforcing strict access controls and ensuring timely patching to mitigate risks. The latest fix (v2.6.4) addresses the stored XSS flaw, but users must apply updates to prevent exploitation.
FEBRUARY 2026: 732
Vulnerability
04 Feb 2026 • n8n
n8n: Critical n8n Vulnerability CVE-2026-25049 Enables Remote Command Execution
Critical RCE Vulnerability in n8n Workflow Automation Platform Disclosed (CVE-2026-25049)
728
CRITICAL-4
N8N1770287879
Critical RCE Vulnerability in n8n Workflow Automation Platform Disclosed (CVE-2026-25049)
A newly disclosed critical vulnerability, CVE-2026-25049, in the n8n workflow automation platform enables authenticated users to execute arbitrary system commands on the underlying server. With a CVSS score of 9.4, the flaw stems from insufficient input sanitization in n8n’s expression evaluation mechanism, allowing attackers to bypass security controls and achieve remote code execution (RCE).
The vulnerability was identified as a bypass of CVE-2025-68613, a prior critical flaw (CVSS 9.9) patched in December 2025. Despite earlier fixes, researchers discovered additional exploitation paths in n8n’s expression handling logic. According to n8n’s advisory, an authenticated user with workflow modification permissions could craft malicious expressions to escape the platform’s sandbox and execute commands on the host system.
### Affected Versions & Mitigation
The flaw impacts all n8n versions prior to 1.123.17 and 2.5.2. Patches have been released in these versions, and users are urged to upgrade immediately. For organizations unable to update, temporary workarounds include restricting workflow permissions to trusted users and deploying n8n in a hardened environment with limited OS privileges. However, n8n maintains that these measures are not a complete fix and should only be used short-term.
### Technical Details & Impact
Under CVSS 3.1, the vulnerability is rated AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating low attack complexity, network-based exploitation, and high impact on confidentiality, integrity, and availability. A successful exploit could allow attackers to compromise servers, steal credentials, exfiltrate data, or install backdoors for persistent access.
The discovery involved contributions from ten security researchers, including Fatih Çelik (who also reported CVE-2025-68613) and experts from Endor Labs, Pillar Security, and SecureLayer7. Çelik noted that the two CVEs could be considered the same issue, as CVE-2026-25049 merely bypasses the initial patch.
The advisory was published under GitHub Security Advisory GHSA-6cqr-8cfr-67f8, affecting the n8n npm package. No active exploitation has been reported, but the severity underscores the urgency of applying patches.
JANUARY 2026: 737
Vulnerability
12 Jan 2026 • n8n
n8n: Critical vulnerability found in n8n workflow automation platform
Critical Vulnerability in n8n Workflow Automation Platform (CVE-2026-21858)
732
CRITICAL-5
N8N1768244907
Critical n8n Vulnerability Exposes Tens of Thousands of Systems to Attack
Security researchers have identified a severe vulnerability in n8n, a popular open-source workflow automation platform, which could allow attackers to bypass automation controls and gain access to sensitive credentials. Tracked as CVE-2026-21858, the flaw has a maximum severity score of 10 and stems from a "content-type confusion" bug in the platform’s standards modes.
The vulnerability poses significant risks, as compromising an n8n environment could expose credentials for high-value services, including Salesforce, AWS, and OpenAI. Given n8n’s role in AI-driven automation and enterprise workflows, the impact of exploitation could be widespread.
Initial scans by Shadowserver detected over 105,000 vulnerable instances out of approximately 230,000 deployments, though the number has since dropped to around 59,500. Separately, Censys reported more than 26,000 exposed hosts.
Researchers at Cyera first disclosed the vulnerability to n8n in November, and patches were released to users on November 18. The recommended fix is upgrading to version 1.121.0 or later. As of now, there is no evidence of active exploitation.
JANUARY 2026: 756
Cyber Attack
05 Jan 2026 • n8n
n8n and npm: n8n Supply Chain Attack Abuses Community Nodes to Steal OAuth Tokens
Malicious npm Packages Targeting n8n Workflow Automation Platform to Steal OAuth Credentials
736
CRITICAL-20
N8NNPM1768244856
Malicious npm Packages Target n8n Workflow Automation to Steal OAuth Credentials
Threat actors recently uploaded eight malicious npm packages designed to impersonate integrations for the n8n workflow automation platform, aiming to steal developers' OAuth credentials. The campaign, uncovered by Endor Labs, represents a new escalation in supply chain attacks by exploiting workflow automation tools that centralize sensitive credentials, including Google Ads, Stripe, and Salesforce tokens, in a single location.
One package, "n8n-nodes-hfgjf-irtuinvcm-lasdqewriit", mimicked a Google Ads integration, tricking users into linking their accounts via a seemingly legitimate form before exfiltrating credentials to attacker-controlled servers. The malicious packages, now removed, collectively amassed over 27,000 downloads under multiple usernames, including kakashi-hatake, zabuza-momochi, and diendh. Some linked accounts remain active, with at least one package (n8n-nodes-zl-vietts) flagged for prior malware associations.
The attack leveraged n8n’s community node system, which allows third-party integrations to execute with the same privileges as the platform itself. Once installed, the malicious packages decrypted stored OAuth tokens using n8n’s master key and transmitted them to external servers during workflow execution. This marks the first known supply chain attack explicitly targeting n8n, exploiting trust in community-driven integrations.
n8n has warned that community nodes, particularly those sourced from npm, pose significant risks, as they can access environment variables, file systems, and decrypted credentials without sandboxing. Self-hosted instances are advised to disable community nodes by setting `N8N_COMMUNITY_PACKAGES_ENABLED` to false. The discovery underscores the broader security risks of integrating unvetted workflows, which can expand an organization’s attack surface. A recently updated package (n8n-nodes-gg-udhasudsh-hgjkhg-official) suggests the campaign may still be active.
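A configuration check covering the two environment workarounds quoted on this page (the `NODES_EXCLUDE` entry for the Merge node in the CVE-2026-33660 write-up, and `N8N_COMMUNITY_PACKAGES_ENABLED` here) together with the fixed versions quoted in the CVE-2026-25049, Ni8mare and stored-XSS write-ups. This is an added example, not n8n's own tooling; it assumes `NODES_EXCLUDE` holds a JSON array of node type names (the form n8n documents, with a comma-separated list accepted as a fallback) and that community packages are enabled when the variable is unset.

```javascript
// Added example, not n8n's own tooling. Checks a self-hosted instance's
// version and environment against the fixes and workarounds named on this
// page. Assumption: NODES_EXCLUDE holds a JSON array of node type names,
// the form n8n documents; a comma-separated list is accepted as a fallback.

// Minimum fixed version per major line, as quoted in the incident write-ups.
// Lines the page does not enumerate (e.g. 2.x for Ni8mare) are not judged.
const FIXES = {
  'CVE-2026-25049 (expression RCE bypass)': { 1: '1.123.17', 2: '2.5.2' },
  'CVE-2026-21858 (Ni8mare)':               { 1: '1.121.0' },
  'stored XSS in OAuth credentials':        { 2: '2.6.4' },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric three-part comparison; returns <0, 0 or >0.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Names of advisories whose fix for this version's major line is newer
// than the version itself.
function missingFixes(version) {
  const major = parseVersion(version)[0];
  return Object.entries(FIXES)
    .filter(([, perLine]) => perLine[major] !== undefined &&
                             compareVersions(version, perLine[major]) < 0)
    .map(([name]) => name);
}

function parseNodesExclude(raw) {
  if (!raw) return [];
  try {
    const parsed = JSON.parse(raw);
    return Array.isArray(parsed) ? parsed : [];
  } catch {
    return raw.split(',').map((s) => s.trim()).filter(Boolean);
  }
}

// env: a plain object shaped like process.env. Returns human-readable
// findings; an empty array means both page-quoted workarounds are in place.
// Assumption: community packages are enabled when the variable is unset.
function auditEnv(env) {
  const findings = [];
  const community = String(env.N8N_COMMUNITY_PACKAGES_ENABLED ?? 'true').toLowerCase();
  if (community !== 'false') {
    findings.push('community nodes enabled: set N8N_COMMUNITY_PACKAGES_ENABLED=false');
  }
  if (!parseNodesExclude(env.NODES_EXCLUDE).includes('n8n-nodes-base.merge')) {
    findings.push('Merge node loadable: add n8n-nodes-base.merge to NODES_EXCLUDE ' +
                  'until the CVE-2026-33660 patch is applied');
  }
  return findings;
}

// Stand-alone run against the current process environment.
console.log('env findings:', auditEnv(process.env));
```

Pass the running instance's version string to `missingFixes` and its environment to `auditEnv`; any non-empty result names the write-up on this page to act on.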
DECEMBER 2025: 756
NOVEMBER 2025: 761
Vulnerability
18 Nov 2025 • n8n
n8n: Critical n8n Vulnerability (CVSS 10.0) Allows Unauthenticated Attackers to Take Full Control
Ni8mare: Critical Unauthenticated RCE Vulnerability in n8n (CVE-2026-21858)
756
CRITICAL-5
N8N1767783939
Critical Zero-Day Flaw in n8n Workflow Automation Platform Enables Full System Takeover
Cybersecurity researchers have uncovered a maximum-severity vulnerability in n8n, a widely used workflow automation platform, that allows unauthenticated remote attackers to gain complete control over vulnerable instances. The flaw, tracked as CVE-2026-21858 (CVSS 10.0) and dubbed Ni8mare by Cyera Research Labs, was discovered by security researcher Dor Attias and reported on November 9, 2025.
The vulnerability stems from a Content-Type confusion flaw in n8n’s webhook and file-handling mechanism. By manipulating the `Content-Type` header, attackers can bypass authentication, extract sensitive files, forge administrator access, and execute arbitrary commands on the server. Unlike previous critical flaws in n8n—such as CVE-2025-68613 (RCE via code execution), CVE-2025-68668 (*N8scape*, sandbox bypass), and CVE-2026-21877 (unrestricted file upload)—this exploit does not require credentials, making it particularly dangerous.
### Technical Breakdown
The issue lies in n8n’s `parseRequestBody()` function, which processes incoming webhook requests. When a request includes a `multipart/form-data` header, the system uses `parseFormData()` to handle file uploads, storing results in `req.body.files`. However, if an attacker sends a request with a different `Content-Type`, the system still invokes file-handling functions—such as `copyBinaryFile()`—without verifying the header, allowing manipulation of `req.body.files`.
This enables attackers to:
1. Read arbitrary files (e.g., `/home/node/.n8n/database.sqlite` or `/home/node/.n8n/config`).
2. Extract admin credentials (user ID, email, hashed password) and encryption keys.
3. Forge session cookies to bypass authentication and gain admin access.
4. Achieve remote code execution (RCE) by creating workflows with malicious "Execute Command" nodes.
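The confusion described in the breakdown above, as an added illustrative example in plain Node.js that is not n8n's code: a flawed parser whose caller reads `req.body.files` whatever Content-Type arrived, beside a hardened one that only trusts uploads produced by the multipart parser and keeps them outside the client-controlled body. The request objects, the `parseFormData` stand-in and the simulated `copyBinaryFile` are all constructed for the example.

```javascript
// Added illustrative example, not n8n's code: the Content-Type confusion
// pattern from the breakdown above, beside a hardened variant. Requests are
// constructed plain objects; nothing touches the network or the filesystem.

const MULTIPART = 'multipart/form-data';

function mediaType(req) {
  return (req.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
}

// Stand-in for a multipart parser. Files it produces carry a server-chosen
// temp path, the only kind of path a later file-handling step should read.
function parseFormData(req) {
  const files = {};
  for (const [field, upload] of Object.entries(req.rawUploads || {})) {
    files[field] = { filepath: `/tmp/upload-${field}`, originalFilename: upload.name };
  }
  return files;
}

// Flawed pattern: only the multipart branch populates req.body.files, but the
// caller reads req.body.files whatever Content-Type arrived, so a JSON body
// that already carries a "files" object is treated as parser output.
function parseRequestBodyFlawed(req) {
  if (mediaType(req) === MULTIPART) {
    req.body = { ...req.body, files: parseFormData(req) };
  }
  return req.body.files || {};          // client-controlled when not multipart
}

// Hardened pattern: parsed uploads live outside the client-controlled body,
// are produced only by the multipart branch, and any client-supplied
// "files" key is discarded before the body is used further.
function parseRequestBodyHardened(req) {
  if (req.body && typeof req.body === 'object') delete req.body.files;
  req.uploads = mediaType(req) === MULTIPART ? parseFormData(req) : {};
  return req.uploads;
}

// Simulated file handler: returns the path it would copy from instead of
// reading it, so the two parsers can be compared safely.
function copyBinaryFile(files, field) {
  return files[field] ? files[field].filepath : null;
}

// Constructed requests: a genuine upload, and a JSON body that smuggles a
// "files" entry naming a path of the client's choosing.
function genuineUpload() {
  return { headers: { 'content-type': 'multipart/form-data; boundary=xyz' },
           rawUploads: { data: { name: 'report.pdf' } }, body: {} };
}
function smuggledJson() {
  return { headers: { 'content-type': 'application/json' },
           body: { files: { data: { filepath: '/path/of/clients/choosing' } } } };
}

// Runs both parsers over both requests; only the flawed/smuggled pairing
// yields a client-chosen path.
function demo() {
  return {
    flawedGenuine:    copyBinaryFile(parseRequestBodyFlawed(genuineUpload()), 'data'),
    flawedSmuggled:   copyBinaryFile(parseRequestBodyFlawed(smuggledJson()), 'data'),
    hardenedGenuine:  copyBinaryFile(parseRequestBodyHardened(genuineUpload()), 'data'),
    hardenedSmuggled: copyBinaryFile(parseRequestBodyHardened(smuggledJson()), 'data'),
  };
}
```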
### Affected Versions & Patch
The flaw impacts all n8n versions up to and including 1.65.0. A fix was released in version 1.121.0 on November 18, 2025, with subsequent updates (1.123.10, 2.1.5, 2.2.4, 2.3.0) also addressing the issue.
### Impact & Risks
A compromised n8n instance can serve as a single point of failure, exposing API credentials, OAuth tokens, database connections, and cloud storage access—effectively handing attackers the "keys to everything" in an organization’s automation ecosystem. Researchers warn that the flaw’s low attack complexity and high impact make it a prime target for threat actors.
Organizations using n8n are urged to upgrade immediately and avoid exposing the platform to the internet without authentication. Temporary mitigations include disabling public webhook and form endpoints or restricting access to trusted networks.
OCTOBER 2025: 760
SEPTEMBER 2025: 760
AUGUST 2025: 760
JULY 2025: 760
MAY 2025: 762
Vulnerability
01 May 2025 • n8n
Deepseek, Anthropic, OpenAI, n8n and Flowise: We Scanned 1 Million Exposed AI Services. Here's How Bad the Security Actually Is
AI Infrastructure Security Crisis: Exposed Systems, Hardcoded Flaws, and Rampant Misconfigurations
759
CRITICAL-3
FLODEEANTOPEN8N1777984637
AI Infrastructure Security Crisis: Exposed Systems, Hardcoded Flaws, and Rampant Misconfigurations
A recent investigation by the Intruder team reveals an alarming trend in AI infrastructure security, as rapid adoption outpaces safeguards. Scanning over 2 million hosts with 1 million exposed services, researchers found AI deployments riddled with vulnerabilities more severe than any other software category they’ve analyzed.
### No Authentication by Default
A core issue: many self-hosted AI projects ship without authentication enabled, leaving sensitive data and tools exposed. Real-world examples included chatbots with unrestricted access to user conversation histories, multimodal LLMs vulnerable to jailbreaking, and even NSFW chatbots leaking API keys in plaintext. One OpenUI-based instance exposed full LLM conversation logs, while others allowed malicious users to bypass safety guardrails using corporate infrastructure to generate illegal content or solicit criminal advice.
### Exposed Agent Platforms and Business Logic
Agent management platforms like n8n and Flowise were frequently found misconfigured, with some instances mistakenly exposed to the internet. One Flowise deployment revealed an entire LLM chatbot’s business logic, including credential lists (though stored values remained protected). Another exposed parsing tools and local functions capable of server-side code execution. Across sectors including government, finance, and marketing, over 90 exposed instances were identified, enabling attackers to modify workflows, redirect traffic, or poison responses.
### Unsecured Ollama APIs: A Gateway to Frontier Models
Researchers discovered 5,200+ exposed Ollama APIs with connected models, 31% of which responded to unauthenticated queries. While Ollama doesn’t store conversation data, many instances wrapped paid models from Anthropic, Google, Deepseek, Moonshot, and OpenAI, 518 in total. Responses ranged from health-focused assistants to cloud management integrations, highlighting the risks of unauthorized access to enterprise systems.
### Insecure by Design
Lab analysis uncovered systemic flaws:
- Poor deployment practices: Misconfigured Docker setups, hardcoded credentials, and applications running as root.
- No authentication on fresh installs: Users granted high-privilege access by default.
- Static credentials: Embedded in setup examples and `docker-compose` files.
- New vulnerabilities: Arbitrary code execution found in a popular AI project within days.
### Root Cause: Speed Over Security
The findings underscore a broader industry shift: vendors and adopters prioritizing rapid deployment over decades of security best practices. While some projects abandon safeguards entirely, the pressure to outpace competitors exacerbates the problem. The result: AI infrastructure with a 2.6 CVE-per-day average (as seen in the ClawdBot incident), where misconfigurations and weak sandboxing amplify risks.
The investigation serves as a stark reminder of the security debt accumulating in the AI gold rush.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for n8n?
What was n8n's A.I Rankiteo Cyber Score in May 2026?
What was n8n's A.I Rankiteo Cyber Score in April 2026?
What was n8n's A.I Rankiteo Cyber Score in March 2026?
What was n8n's A.I Rankiteo Cyber Score in February 2026?
What was n8n's A.I Rankiteo Cyber Score in January 2026?
What was n8n's A.I Rankiteo Cyber Score in December 2025?
What was n8n's A.I Rankiteo Cyber Score in November 2025?
What was n8n's A.I Rankiteo Cyber Score in October 2025?
What was n8n's A.I Rankiteo Cyber Score in September 2025?
What was n8n's A.I Rankiteo Cyber Score in August 2025?
What was n8n's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on n8n's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with n8n?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view n8n's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?