Researchers at Pillar Security have found two maximum severity vulnerabilities (CVSS score of 10.0) in n8n, a popular open-source workflow automation platform powering hundreds of thousands of enterprise AI systems worldwide.
The flaws are sandbox escape vulnerabilities which, when exploited, allow any authenticated user to achieve complete server control and steal any stored credential, including API keys, cloud provider keys, database passwords and OAuth tokens on both self-hosted and cloud n8n instances.
The first flaw was reported by Pillar Security to n8n maintainers, who released a patch, but a second vulnerability bypassing the fix was discovered 24 hours after initial patch was deployed.
N8n released a new patched version, version 2.4.0, with fixes for both vulnerabilities, in January 2026.
While the Pillar Security advisory addressing both flaws has a GitHub vulnerability identifier, GHSA-6cqr-8cfr-67f8, the firm did not reveal the CVE identifier for either of the vulnerabilities.
The Pillar Security researchers noted that companies using n8n for AI orchestration face credential exposure when using OpenAI, Anthropic, Azure OpenAI and Hugging Face as well as vector database access (e.g. Pinecone, Weaviate, Qdrant).
Attack Scenarios Explained
Attackers who successfully exploit either of these flaws can intercept AI prompts, modify AI responses, redirect traffic through attacker-controlled endpoints and exfiltrate sensitive data from AI interactions.
Additionally, on n8n cloud, a single compromised user could potentially access shared infrastructure and other customers' data within the Kubernetes cluster.
In a press release sent to Infosecurity on February 4, Eilon Cohen, an AI security researcher at Pillar Security, said what stands out in these vulnerabilities is “the combination of ease of exploitation and the high value targets they expose."
"If you can create a workflow in n8n, you can own the server. For attackers, this means access to OpenAI keys, Anthropic credentials, AWS accounts and the ability to intercept or modify AI interactions in real-time – all while the workflows continue functioning normally,” he added.
Mitigation Recommendations
Pillar Security recommended implementing the following immediate actions to mitigate the threat posed by these vulnerabilities:
- Upgrade Immediately: Update to n8n version 2.4.0 or later
- Rotate encryption key: If running an affected version, rotate n8n encryption key
- Rotate all credentials: Assume stored credentials may have been compromised and rotate them
- Audit workflows: Review workflow execution logs for suspicious expressions or unexpected behavior
- Monitor AI workflows: Watch for unusual patterns like base URL changes, new outbound connections, or modified prompts
Image credits: Azulblue / Shutterstock
Read now: Maximum Severity “Ni8mare” Bug Lets Hackers Hijack n8n Servers