Overview
- Authenticated users who can create or edit workflows can trigger remote code execution, steal stored credentials and secrets, access the filesystem, and hijack AI pipelines on affected n8n servers.
- n8n says the flaw is fixed in versions 1.123.17 and 2.5.2. An earlier December patch was bypassed, in a rapid report–fix–bypass cycle confirmed by developers.
- Pillar Security, Endor Labs, and SecureLayer7 published technical analyses and proof‑of‑concept exploits showing sanitization bypasses that escape n8n’s expression sandbox.
- Researchers attribute the root cause to incomplete AST‑based sandboxing and a mismatch between TypeScript type assumptions and JavaScript runtime behavior that enables type confusion.
- Administrators are urged to update immediately, rotate the N8N_ENCRYPTION_KEY and all stored credentials, restrict workflow creation to trusted users, and audit workflows. Monitoring firms note probing but no confirmed in-the-wild exploitation.
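
For the workflow audit recommended above, one way to triage exported workflow JSON is to walk every node parameter and flag expressions that reference JavaScript internals. This is an added example, not code from n8n or from the researchers named above; the token list, the function names and the sample workflow are assumptions made for illustration.

```javascript
// Tokens that rarely belong in a data-mapping expression. Assumed triage list,
// not indicators published by n8n or the researchers named above.
const SUSPICIOUS = ["constructor", "__proto__", "prototype", "process", "require",
  "mainModule", "child_process", "Function", "globalThis", "Reflect"];
const TOKEN_RE = new RegExp(`\\b(${SUSPICIOUS.join("|")})\\b`, "g");

// Collapse 'con' + 'structor' style concatenation before matching, so a token
// split across string literals is still seen as one word.
function suspiciousTokens(expr) {
  const joined = expr.replace(/["'`]\s*\+\s*["'`]/g, "");
  return [...new Set(joined.match(TOKEN_RE) || [])];
}

// Walk every node's parameters; n8n stores an expression as a string starting with "=".
function auditWorkflow(workflow) {
  const findings = [];
  const walk = (value, node, path) => {
    if (typeof value === "string") {
      if (!value.startsWith("=")) return; // plain literal, not an expression
      const tokens = suspiciousTokens(value);
      if (tokens.length) findings.push({ node, path, tokens });
    } else if (value && typeof value === "object") {
      for (const [key, child] of Object.entries(value)) walk(child, node, `${path}.${key}`);
    }
  };
  for (const n of workflow.nodes || []) walk(n.parameters, n.name, "parameters");
  return findings;
}

// Constructed sample shaped like an n8n workflow export (not taken from a real server).
const sampleWorkflow = {
  name: "constructed-sample",
  nodes: [
    { name: "Set fields", type: "n8n-nodes-base.set",
      parameters: { values: { string: [{ name: "id", value: "={{ $json.processedAt }}" }] } } },
    { name: "Odd mapping", type: "n8n-nodes-base.set",
      parameters: { value: "={{ $json['con' + 'structor'] }}" } },
  ],
};

console.log(JSON.stringify(auditWorkflow(sampleWorkflow), null, 2));
```

A hit is a lead for manual review of that node and of who last edited the workflow, not proof of compromise, and an empty result does not clear a workflow.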