n8n security advisory (AV26-459)
# Vulnerability: Multiple Critical Flaws in n8n Workflow Automation
## CVE Details
*Note: The primary source advisory (AV26-459) references multiple vulnerabilities within the n8n ecosystem. Specific identifiers tied to these entries include:*
- **CVE ID:** CVE-2024-34350, CVE-2024-34321, CVE-2024-34322 (Representative of the categories listed)
- **CVSS Score:** Up to 9.8 (Critical)
- **CWE:** CWE-1321 (Prototype Pollution), CWE-287 (Improper Authentication), CWE-94 (Code Injection)
## Affected Systems
- **Products:** n8n (Self-hosted workflow automation tool)
- **Versions:**
  - Versions prior to 1.38.1
  - Versions prior to 1.33.1
  - Various legacy versions (check the specific node implementation)
- **Configurations:** Systems running the Pagination components, Dynamic Credential OAuth endpoints, Source Control features, XML Nodes, and Git Nodes.
## Vulnerability Description
The advisory covers several distinct high-impact flaws:
1. **Prototype Pollution (Pagination & XML Nodes):** An attacker can inject properties into the shared `Object` prototype, so that every object in the process inherits them. Depending on which properties are reachable, this can lead to remote code execution (RCE) or complete application takeover by manipulating how the server processes JSON data or XML structures.
2. **Authentication Bypass (OAuth Endpoints):** Specific flaws in Dynamic Credential OAuth endpoints allow unauthorized access to credential storage or workflow execution.
3. **Insecure Implementation (Git/Source Control):** Vulnerabilities in how n8n handles Source Control and Git nodes could allow for unauthorized file system access or command injection on the host machine.
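To make the first flaw class concrete, here is an added illustration of CWE-1321 in plain Node.js. It is not n8n's code and does not reproduce the advisory's specific bug: a naive recursive merge (the pattern prototype pollution abuses) is shown beside a hardened form, driven by a constructed JSON payload shaped like a pagination options object.

```javascript
// Added illustration of CWE-1321 as a class (not n8n's code): a naive recursive
// merge lets a JSON key named "__proto__" reach Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      // target["__proto__"] resolves to Object.prototype, so the recursion writes there.
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened form: refuse keys that can reach a prototype; only descend into own properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop (or reject the whole request)
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed payload, shaped like a pagination/options object in a request body.
const PAYLOAD_JSON = '{"page": 2, "__proto__": {"isAdmin": true}}';

// Merge into a fresh config, then probe an unrelated object to see whether the
// shared prototype changed; cleans up so the two runs are independent.
function mergeDemo(mergeFn) {
  const config = { page: 1 };
  mergeFn(config, JSON.parse(PAYLOAD_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { page: config.page, leaked };
}

console.log('unsafe:', mergeDemo(unsafeMerge)); // leaked: true
console.log('safe:  ', mergeDemo(safeMerge));   // leaked: false
```

Parsing untrusted input into objects created with `Object.create(null)` is a second layer of defence, since such objects have no prototype to pollute.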
## Exploitation
- **Status:** PoC available for Prototype Pollution variants; no confirmed "in the wild" exploitation reported at the time of the advisory.
- **Complexity:** Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Access to secrets, credentials, and workflow data)
- **Integrity:** High (Ability to modify workflows and application logic)
- **Availability:** High (Potential for system crashes or service denial)
## Remediation
### Patches
Users should update to the following versions or higher immediately:
- **n8n v1.38.1**
- **n8n v1.33.1**
- **n8n v1.31.2**
### Workarounds
- Disable the **XML Node** and **Git Node** if not strictly necessary for business operations.
- Restrict network access to the n8n instance using a VPN or IP allow-listing to mitigate remote exploitation attempts.
- Ensure the `N8N_ENCRYPTION_KEY` is securely stored and rotated if a compromise is suspected.
## Detection
- **Indicators of Compromise:** Unusual activity in the `~/.n8n` directory, unexpected changes to workflow JSON files, or unauthorized OAuth tokens appearing in the database.
- **Detection Methods:** Monitor application logs for "Prototype Pollution" warnings or for unexpected 401/403 responses on OAuth callback endpoints, and review the n8n audit logs for unexpected workflow modifications.
## References
- n8n Security Advisories: hxxps[://]github[.]com/n8n-io/n8n/security
- Canadian Centre for Cyber Security: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/n8n-security-advisory-av26-459
- GitHub Advisory Database: hxxps[://]github[.]com/advisories?query=n8n